Federating Google Cloud with Azure Active Directory: Configuring provisioning and single sign-on

This article shows you how to set up user provisioning and single sign-on between a Microsoft Azure AD tenant and your Cloud Identity or G Suite account.

The article assumes that you already use Microsoft Office 365 or Azure AD in your organization and want to use Azure AD for allowing users to authenticate with Google Cloud. Azure AD itself might be connected to an on-premises Active Directory and might use AD FS federation, pass-through authentication, or password hash synchronization.

Objectives

  • Set up Azure AD to automatically provision users and, optionally, groups to Cloud Identity or G Suite.
  • Configure single sign-on to allow users to sign in to Google Cloud by using an Azure AD user account or a user that has been provisioned from Active Directory to Azure AD.

Costs

If you are using the free edition of Cloud Identity, setting up federation with Azure AD won't use any billable components of Google Cloud.

Check the Azure AD pricing page for any fees that might apply to using Azure AD.

Before you begin

  • Make sure you understand the differences between connecting Google Cloud to Azure AD versus directly connecting Google Cloud to Active Directory.
  • Decide how you want to map identities, groups, and domains. Specifically, answer the following questions:
    • Do you plan to use email addresses or User Principal Names (UPNs) as common identifiers for users?
    • Do you plan to provision groups? If so, do you plan to map groups by email address or by name?
    • Do you plan to provision all users to Google Cloud or only a select subset of users?
  • Before connecting your production Azure AD tenant to Google Cloud, consider using an Azure AD test tenant for setting up and testing user provisioning.
  • Sign up for Cloud Identity if you don't have an account already.
  • If you're using the free edition of Cloud Identity and intend to provision more than 50 users, request an increase of the total number of free Cloud Identity users through your support contact.
  • If you suspect that any of the domains you plan to use for Cloud Identity could have been used by employees to register consumer accounts, consider migrating these user accounts first. For more details, see Assessing existing user accounts.

Preparing your Cloud Identity or G Suite account

Create a user for Azure AD

To enable Azure AD to interact with the API of Cloud Identity and G Suite, Azure AD needs a user account. When you signed up for Cloud Identity or G Suite, you created one super admin user. Although you could use this user for Azure AD, it's preferable to create a separate user that is used exclusively by Azure AD.

  1. Open the Admin Console and log in using the super-admin user created when you signed up for Cloud Identity or G Suite.
  2. In the menu, navigate to Directory > Users and click Add new user to create a user.
  3. Provide an appropriate name and email address such as:
    1. First Name: Azure AD
    2. Last Name: Provisioning
    3. Primary email: azuread-provisioning
    4. Keep the primary domain for the email address.
  4. Set Automatically generate a new password to Disabled and enter a password.
  5. Set Ask for a password change at the next sign-in to Disabled.
  6. Click Add new user.
  7. Click Done.

To enable Azure AD to create, list, and delete users and groups, you must give the user additional privileges. Also, it's a good idea to exempt the user from single sign-on—otherwise, you might not be able to re-authorize Azure AD when experiencing single sign-on problems. Do both by making the user a super admin:

  1. Locate the newly created user in the list and open it.
  2. Under Admin roles and privileges, click Assign roles.
  3. Enable the super-admin role.
  4. Click Save.

Register domains

In Cloud Identity and G Suite, users and groups are identified by email address. The domains used by these email addresses must be registered and verified first.

Prepare a list of DNS domains that you need to register:

  • If you plan to map users by UPN, include all domains used by UPNs. If in doubt, include all custom domains of your Azure AD tenant.
  • If you plan to map users by email address, include all domains used in email addresses. The list of domains might be different from the list of custom domains of your Azure AD tenant.

If you plan to provision groups, amend the list of DNS domains:

  • If you plan to map groups by email address, include all domains used in group email addresses. If in doubt, include all custom domains of your Azure AD tenant.
  • If you plan to map groups by name, include a dedicated subdomain like groups.[PRIMARY-DOMAIN], where [PRIMARY-DOMAIN] is the primary domain name of your Cloud Identity or G Suite account.

Now that you've identified the list of DNS domains, you can register any missing domains. For each domain on the list not yet registered, perform the following steps:

  1. In the Admin Console, navigate to Account > Domains.
  2. Click Add/remove domains.
  3. Click Add a domain or a domain alias.
  4. In the dialog, select Add another domain.
  5. In the text box below, enter the domain name.
  6. Click Continue and verify domain ownership.

    If the domain is a subdomain of another domain that has been verified before, then the domain is immediately usable. Otherwise, you are asked to verify the domain.

  7. Click Select your domain registrar or provider to select the registrar or provider of the respective DNS domain.

  8. You now see a set of instructions specific to the registrar or provider selected. Follow these instructions to verify ownership of the domain.

Configuring Azure AD provisioning

Create an enterprise application

You are now ready to connect Azure AD to your Cloud Identity or G Suite account by setting up the Google Cloud/G Suite Connector by Microsoft gallery app from the Microsoft Azure marketplace.

The gallery app can be configured to handle both user provisioning and single sign-on. If you use one instance of the app for both purposes, however, you risk running into a limitation of Azure AD. To avoid this risk, you use two instances of the gallery app.

First, create an instance of the gallery app to handle user provisioning:

  1. Open the Azure portal and sign in as a user with global administrator privileges.
  2. Select Azure Active Directory > Enterprise applications.
  3. Click New application.
  4. Search for Google Cloud, and then click the Google Cloud/G Suite Connector by Microsoft item in the result list.
  5. Set the name of the application to Google Cloud (Provisioning).
  6. Click Add.
  7. Adding the application may take a few seconds. You are then redirected to a page titled Google Cloud (Provisioning) - Overview.
  8. In the menu on the left, click Manage > Properties:
    1. Set Enabled for users to sign-in to No.
    2. Set User assignment required to No.
    3. Set Visible to users to No.
    4. Click Save.
  9. In the menu on the left, click Manage > Provisioning:
    1. Change Provisioning Mode to Automatic.
    2. Click Admin Credentials > Authorize.
    3. Sign in using the azuread-provisioning@[DOMAIN] user you created earlier, where [DOMAIN] is the primary domain of your Cloud Identity or G Suite account.
    4. Because this is the first time you've signed on using this user, you are asked to accept the Google Terms of Service and privacy policy.
    5. If you agree to the terms, click Accept.
    6. Confirm access to the Cloud Identity API by clicking Allow.
    7. Click Test Connection to verify that Azure AD can successfully authenticate with Cloud Identity or G Suite.
    8. Click Save.

Configure user provisioning

The right way to configure user provisioning depends on whether you intend to map users by email address or by UPN.

Map by UPN

  1. Under Mappings, click Provision Azure Active Directory Users.
  2. Under Attribute Mapping, select the row surname and set Default value if null to _.
  3. Select the row givenName and set Default value if null to _.
  4. Click OK.
  5. Click Save.
  6. Confirm that saving changes will result in users and groups being resynchronized by clicking Yes.
  7. Click X to close the Attribute Mapping dialog.

Map by email address

  1. Under Mappings, click Provision Azure Active Directory Users.
  2. Under Attribute Mapping, select the row userPrincipalName and set Source Attribute to mail.
  3. Select the row surname and set Default value if null to _.
  4. Select the row givenName and set Default value if null to _.
  5. Click OK.
  6. Click Save.
  7. Confirm that saving changes will result in users and groups being resynchronized by clicking Yes.
  8. Click X to close the Attribute Mapping dialog.
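Before saving either mapping against a production tenant, it helps to preview what the mappings above will produce. The following script is an added example (not code from the Google documentation or from the Azure AD connector): it applies the UPN or email mapping and the "Default value if null" rule to a few constructed Azure AD records and reports users that would fail the initial sync because their identifier is missing or their domain has not been registered in the Admin Console.

```python
# Added example: simulate the "Map by UPN" / "Map by email address" mappings
# described above. Assumed: Azure AD user records as plain dicts keyed by the
# attribute names shown in the Azure portal (userPrincipalName, mail,
# givenName, surname). Sample records below are constructed for this example.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "mail": "alice@example.com",
     "givenName": "Alice", "surname": "Liddell"},
    # UPN and mail use different domains, and the surname is missing.
    {"userPrincipalName": "bob@corp.example", "mail": "bob@example.com",
     "givenName": "Bob", "surname": None},
    # Service account without a mail attribute and without names.
    {"userPrincipalName": "svc-backup@corp.example", "mail": None,
     "givenName": None, "surname": None},
]


def map_user(user, mode):
    """Apply the page's attribute mapping for mode 'upn' or 'mail'.

    Returns the Cloud Identity user that provisioning would create, or None
    when the chosen identifier is absent (the user cannot be provisioned).
    """
    identifier = user.get("userPrincipalName") if mode == "upn" else user.get("mail")
    if not identifier:
        return None
    # "Default value if null" is set to "_" for givenName and surname so that
    # users without a name still satisfy Cloud Identity's required name fields.
    return {
        "primaryEmail": identifier.lower(),
        "givenName": user.get("givenName") or "_",
        "familyName": user.get("surname") or "_",
    }


def preflight(users, mode, registered_domains):
    """Report problems that would surface during the initial synchronization.

    registered_domains: domains verified in the Admin Console (see the
    'Register domains' section). Returns (mapped_users, issues).
    """
    mapped, issues = [], []
    registered = {d.lower() for d in registered_domains}
    for user in users:
        upn = user.get("userPrincipalName")
        result = map_user(user, mode)
        if result is None:
            issues.append(f"{upn}: no {mode} attribute, will not be provisioned")
            continue
        domain = result["primaryEmail"].rsplit("@", 1)[1]
        if domain not in registered:
            issues.append(f"{upn}: domain {domain} is not registered in Cloud Identity")
            continue
        mapped.append(result)
    return mapped, issues


if __name__ == "__main__":
    for mode in ("upn", "mail"):
        users, problems = preflight(SAMPLE_USERS, mode, ["example.com"])
        print(mode, [u["primaryEmail"] for u in users], problems)
```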

Configure group provisioning

The right way to configure group provisioning also depends on whether you intend to map groups by email address or by name.

No group mapping

  1. Under Mappings, click Provision Azure Active Directory Groups.
  2. Set Enabled to No.
  3. Click Save.
  4. Confirm that saving changes will result in users and groups being resynchronized by clicking Yes.
  5. Click X to close the Attribute Mapping dialog.

Map by email address

  • If you map groups by email address, keep the default settings.

Map by name

  1. Under the Mappings section, click Provision Azure Active Directory Groups.
  2. In the Attribute Mappings section, click mail, which opens the Edit Attribute dialog.
  3. Configure the following settings:
    1. Mapping type: Expression.
    2. Expression: Join("@", NormalizeDiacritics(StripSpaces([displayName])), "[GROUPS-DOMAIN]"). Replace [GROUPS-DOMAIN] with the domain all group email addresses are supposed to use, for example, groups.example.com.
    3. Target attribute: email.
  4. Click OK.
  5. Click Save.
  6. Confirm that saving changes will result in users and groups being resynchronized by clicking Yes.
  7. Click X to close the Attribute Mapping dialog.
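The expression in step 3 derives each group's address from its display name, so two Azure AD groups whose names differ only in spacing, case or accents end up with the same Google group address and their memberships are merged. The script below is an added example (not code from the Google documentation or from Azure AD): it reproduces the expression in Python for a constructed set of display names and lists the resulting collisions. It assumes a placeholder groups domain and approximates NormalizeDiacritics with Unicode NFKD decomposition; Azure AD's own handling of some characters (for example ß) may differ.

```python
# Added example: evaluate the mapping expression
#   Join("@", NormalizeDiacritics(StripSpaces([displayName])), "[GROUPS-DOMAIN]")
# for a set of group display names and detect addresses produced by more than
# one group. NormalizeDiacritics is approximated here (assumption) with NFKD
# decomposition followed by removal of combining marks.
import unicodedata
from collections import defaultdict

GROUPS_DOMAIN = "groups.example.com"  # placeholder for [GROUPS-DOMAIN]

# Constructed sample Azure AD group display names.
SAMPLE_GROUPS = ["Sales Team", "SalesTeam", "Café Ops", "Cafe Ops",
                 "Zürich-Admins", "sales team"]


def strip_spaces(value):
    """StripSpaces: remove all whitespace characters."""
    return "".join(value.split())


def normalize_diacritics(value):
    """NormalizeDiacritics (approximation): drop combining accent marks."""
    decomposed = unicodedata.normalize("NFKD", value)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def group_email(display_name, domain=GROUPS_DOMAIN):
    """Evaluate the mapping expression for one group's display name."""
    return "@".join([normalize_diacritics(strip_spaces(display_name)), domain])


def find_collisions(display_names, domain=GROUPS_DOMAIN):
    """Return {address: [display names]} for addresses shared by several groups.

    Google treats group addresses case-insensitively, so 'Sales Team' and
    'sales team' collide even though the expression output differs in case.
    """
    by_email = defaultdict(list)
    for name in display_names:
        by_email[group_email(name, domain).lower()].append(name)
    return {email: names for email, names in by_email.items() if len(names) > 1}


if __name__ == "__main__":
    for name in SAMPLE_GROUPS:
        print(f"{name!r:18} -> {group_email(name)}")
    for email, names in find_collisions(SAMPLE_GROUPS).items():
        print(f"collision: {email} <- {names}")
```

Resolve a reported collision by renaming one of the groups in Azure AD before the first synchronization, since the sync cannot tell the two groups apart.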

Configure user assignment

If you know that only a certain subset of users need access to Google Cloud, you can optionally restrict the set of users to be provisioned by assigning the enterprise app to specific users or groups of users.

If you want all users to be provisioned, you can skip the following steps.

  1. In the menu on the left, click Manage > Users and groups.
  2. Click Add user.
  3. Select Users.
  4. Select the users or groups you want to provision. If you select a group, all members of this group are automatically provisioned.
  5. Click Select.
  6. Click Assign.

Enable automatic provisioning

The next step is to configure Azure AD to automatically provision users to Cloud Identity or G Suite:

  1. In the menu on the left, click Manage > Provisioning.
  2. Select Edit provisioning.
  3. Under Settings, set Provisioning Status to On.
  4. Set Scope to one of the following:

    1. Sync only assigned users and groups if you have configured user assignment.
    2. Sync all users and groups otherwise.

    If the Scope setting isn't displayed, click Save and refresh the page.

  5. Click Save.

Azure AD starts an initial synchronization. Depending on the number of users and groups in the directory, this process can take several minutes or hours. You can refresh the browser page to see the status of the synchronization at the bottom of the page or select Audit Logs in the menu to see more details.

Troubleshooting

If the synchronization doesn't start within five minutes, you can force it to start by doing the following:

  1. Set Provisioning Status to Off.
  2. Click Save.
  3. Set Provisioning Status to On.
  4. Click Save.
  5. Check Clear current state and restart synchronization.
  6. Click Save.
  7. Confirm restarting the synchronization by clicking Yes.

If synchronization still doesn't start, click Test Connection to verify that your credentials have been saved successfully.

Configuring Azure AD for single sign-on

Although all relevant Azure AD users are now automatically being provisioned to Cloud Identity or G Suite, you cannot use these users to sign in yet. To allow users to sign in, you still need to configure single sign-on.

Create an enterprise application

Create a second enterprise application to handle single sign-on:

  1. In the Azure portal, navigate to Azure Active Directory > Enterprise applications.
  2. Click New application.
  3. Search for Google Cloud, and then click Google Cloud/G Suite Connector by Microsoft in the result list.
  4. Set the name of the application to Google Cloud.
  5. Click Add.

    Adding the application may take a few seconds. You are then redirected to a page titled Google Cloud - Overview.

  6. In the menu on the left, click Manage > Properties.

  7. Set Enabled for users to sign-in to Yes.

  8. Set User assignment required to Yes unless you want to allow all users to use single sign-on.

  9. Click Save.

Configure user assignment

If you already know that only a certain subset of users need access to Google Cloud, you can optionally restrict the set of users to be allowed to sign in by assigning the enterprise app to specific users or groups of users.

If you set User assignment required to No before, then you can skip the following steps.

  1. In the menu on the left, click Manage > Users and groups.
  2. Click Add user.
  3. Select Users and groups/None Selected.
  4. Select the users or groups you want to allow single sign-on for.
  5. Click Select.
  6. Click Assign.

Configure SAML settings

To enable Cloud Identity to use Azure AD for authentication, you must adjust some settings:

  1. In the menu on the left, click Manage > Single sign-on.
  2. On the ballot screen, click the SAML card.
  3. On the Basic SAML Configuration card, click the edit icon.
  4. In the Basic SAML Configuration dialog, enter the following settings:
    1. Identifier (Entity ID): google.com
    2. Reply URL: https://www.google.com/
    3. Sign on URL: https://www.google.com/a/[PRIMARY-DOMAIN]/ServiceLogin?continue=https://console.cloud.google.com/, replacing [PRIMARY-DOMAIN] with the primary domain name used by your Cloud Identity or G Suite account.
  5. Click Save, and then dismiss the dialog by clicking X.
  6. On the SAML Signing Certificate card, find the entry labeled Certificate (Raw) and click Download to download the certificate to your local computer.
  7. On the Set up Google Cloud card, look for Login URL and Logout URL. You need these URLs shortly.

The remaining steps differ depending on whether you map users by email address or by UPN.

Map by UPN

  1. On the User Attributes & Claims card, click the edit icon.
  2. Delete all claims listed under Additional claims. You can delete records by clicking the button and selecting Delete.
  3. The list of attributes and claims should now look like this:

    User Attributes & Claims dialog

  4. Dismiss the dialog by clicking X.

Map by email address

  1. On the User Attributes & Claims card, click the edit icon.
  2. Select the row labeled Unique User Identifier (Name ID)
  3. Change Source attribute to user.mail.
  4. Click Save.
  5. Delete all claims listed under Additional claims. To delete all records, click the button for each claim, and then click Delete.

    User Attributes & Claims dialog

  6. Dismiss the dialog by clicking X.

Configuring Cloud Identity or G Suite for single sign-on

Now that you've prepared Azure AD for single sign-on, you can enable single sign-on in your Cloud Identity or G Suite account:

  1. Open the Admin Console and log in using a super-admin user.
  2. In the menu, navigate to Security > Settings.
  3. Click Set up single sign-on (SSO) with a third party IdP.
  4. Under Verification certificate, click Choose File, and then pick the token signing certificate you downloaded previously.
  5. Click Upload.
  6. Click Save.
  7. Ensure that Setup SSO with third party identity provider is enabled.
  8. Enter the following settings:
    1. Sign-in page URL: Enter the Login URL from the Set up Google Cloud card in the Azure Portal.
    2. Sign-out page URL: Enter the Logout URL from the Set up Google Cloud card in the Azure Portal.
    3. Change password URL: https://account.activedirectory.windowsazure.com/changepassword.aspx
  9. Click Save.
  10. On the next page, confirm that you intend to enable single sign-on and click I understand and agree.
  11. Sign out of the Admin Console by clicking the avatar on the top right. Then click Sign out.

Testing single sign-on

Now that you've completed the single sign-on configuration in both Azure AD and Cloud Identity or G Suite, you can access Google Cloud in two ways:

To check that the second option works as intended, run the following test:

  1. Pick an Azure AD user that has been provisioned to Cloud Identity or G Suite and that doesn't have super-admin privileges assigned. Users with super-admin privileges always have to sign in using Google credentials and are therefore not suitable for testing single sign-on.
  2. Open a new browser window and navigate to https://console.cloud.google.com/.
  3. In the Google Sign-In page that appears, enter the email address of the user and click Next. If you use domain substitution, this address must be the email address with the substitution applied.

    Google Sign-In dialog

  4. You are redirected to Azure AD and will see another sign-in prompt. Enter the email address of the user (without domain substitution) and click Next.

    Azure AD sign-in dialog

  5. After entering your password, you are prompted whether to stay signed in or not. For now, choose No.

    After successful authentication, Azure AD should redirect you back to Google Sign-In. Because this is the first time you've signed in using this user, you are asked to accept the Google Terms of Service and privacy policy.

  6. If you agree to the terms, click Accept.

    You are redirected to the Cloud Console, which asks you to confirm preferences and accept the Google Cloud Terms of Service.

  7. If you agree to the terms, choose Yes and click Agree and continue.

  8. Click the avatar icon on the top left of the page, and then click Sign out.

    You are redirected to an Azure AD page confirming that you have been successfully signed out.

Keep in mind that users with super-admin privileges are exempted from single sign-on, so you can still use the Admin Console to verify or change settings.

Cleaning up

To avoid incurring charges to your Google Cloud Platform account for the resources used in this tutorial:

To disable single sign-on in your Cloud Identity or G Suite account, perform the following steps:

  • Open the Admin Console and log in using the super-admin user created when signing up for Cloud Identity or G Suite.
  • In the menu, navigate to Security > Settings.
  • Click Set up single sign-on (SSO) with a third party IdP.
  • Ensure that Setup SSO with third party identity provider is disabled.

You can remove single sign-on and provisioning settings in Azure AD as follows:

  • In the Azure portal, navigate to Azure AD > Enterprise applications.
  • From the list of applications, choose Google Cloud.
  • In the menu on the left, click Manage > Single sign-on.
  • Click Delete.
  • Confirm the deletion by clicking Yes.

What's next