What's wrong with this SAML SSO setup from MS 365 to Google?

Posted by Aim_Fire_Ready@reddit | sysadmin | View on Reddit | 14 comments

I have a full MS cloud env (no local AD, all Entra users). I have configured the Google Suite Connector (GSC) as an Enterprise Application for SAML SSO I have tested GSC by logging in to a personal Chromebook using my work-issued Microsoft user account. **When I synced other users outside my initial test group, most of them (but not all) got suspended by Google.** We currently have Microsoft 365 business\* premium licensing and Google Cloud Identity license (free). Our goal is to use Windows, MacOS, and ChromeOS devices throughout the organization using SAML SSO to have only one login per user. What do I need to accomplish this? Do I need to change our Google licensing? I did this once before, but it was a school, so everything was free (MS A1 & GWS for Ed). This org is a 501c3\*, so we can't just throw money at it: we need the cheapest option that checks all the boxes. \*They haven't been approved for non-profit pricing yet.

Reply to Post

14 Comments

[-]

Mindestiny@reddit

First question is: Are you configuring the Google apps (presumably Google Workspace) as an *Enterprise Application* in EntraID to leverage SAML SSO for auth, or are you trying to **Federate** EntraID and Google Cloud Identity? An important distinction - if it's just SAML SSO you shouldn't be using Google Cloud Identity for anything and you will not manage IAM from that portal. But my gut says this is a simple configuration error: did you actually assign the users to the Google Workspace Enterprise App in EntraID? If not, when it syncs it's gonna think all those user were soft deleted and suspend them in GW.

[-]

Aim_Fire_Ready@reddit (OP)

It's an enterprise application. I don't know how federation works in this context. I'm only using Google Cloud Identity because it was the free license that kept the org account active. I couldn't even tell you what features it offers, LOL.

[-]

Mindestiny@reddit

Gotcha, that makes sense. Next step would be check the provisioning logs. In EntraID, navigate to the Enterprise Application, then Manage > Provisioning and under the "Users" count widget there should be a link to "view provisioning logs" That will show you all provisioning events pushed by EntraID. Find one for a user that was suspended and click into it, and it'll walk through the logic that led to SCIM suspending the user in Workspace. From there you should be able to track down the misconfiguration on the EntraID side.

[-]

trebuchetdoomsday@reddit

app is "Google Cloud / G Suite Connector by Microsoft". it can only be added as an Enterprise Application in Entra ID Step 1 after configuration is assigning users & groups. After assigning & setting up the SSO, you go to the Google side and configure / assign permission for the users on their side.

[-]

Mindestiny@reddit

If they're just using SSO, yeah. Should've also asked if they're doing SCIM provisioning to push to the Google side. It's such a default for us to leverage SCIM I always forget some people don't! That being said, they'd have to be using SCIM if it's auto suspending user accounts

[-]

trebuchetdoomsday@reddit

not sure why i got downvoted for pointing out the correct enterprise app, but **anyway**, that's a good point! having just configured Entra SSO to Google, i've only implemented it w/ existing users on both sides. i'll keep that info in mind as we add user provisioning in there. thanks!

[-]

Mindestiny@reddit

Same lol, someone doesnt like discussion of enterprise apps and SSO I guess. /shrug

[-]

illicITparameters@reddit

This.

[-]

trebuchetdoomsday@reddit

> When I synced other users outside my initial test group, most of them (but not all) got suspended by Google. are these users already created on the Google side, or are you provisioning them through Entra -> GSC SSO? if you're provisioning & creating user accounts via step 3 of the Entra configuration, GCI is going to panic a bit by the bulk creation of accounts w/ no passwords via 3rd party.

[-]

Aim_Fire_Ready@reddit (OP)

I'm provisioning them through Entra -> GSC SSO. We had a handful of go-getters that used their work email before I had claimed the domain in Google, but I created 97% of them through GSC provisioning. > GCI is going to panic a bit by the bulk creation of accounts w/ no passwords via 3rd party. I guess I can see their concern. I hadn't considered that.

[-]

trebuchetdoomsday@reddit

I believe that's why it suspended the users.

[-]

MatazaNz@reddit

I've come across similar before. Google is suspending the accounts as a "security" measure, because their systems think you are creating them too fast. In these cases, Google will simply require the user to validate their account with a mobile number on first sign in. You can only use a particular number once, though.

[-]

Aim_Fire_Ready@reddit (OP)

Interesting rationale. Thanks for the heads up. I couldn't get any clarity on why it was happening.

[-]

MatazaNz@reddit

No problem. I had this about 2 years ago with a tenant - tenant migration. And I couldn't migrate data into the accounts Google suspended. I raised a support case, and they claimed they couldn't do anything about it.