Struggling with SAML SSO Between Google Workspace and Microsoft 365

Asked By CuriousCat123 On

Hey everyone, I've been wrestling with some odd behavior while trying to set up Single Sign-On (SSO) for Microsoft 365 using Google as the Identity Provider (IdP). After several support sessions with Microsoft, I'm still at a loss. Has anyone else faced similar issues? Here's a quick overview of my situation:

1. Google Workspace serves as our main identity directory, and we have automatic synchronization set up with Microsoft Entra ID. We're using a custom domain formatted as domain.de.
2. The technical setup includes Microsoft Entra ID with domain-based federation through SAML 2.0, SP-initiated login (from Microsoft to Google), and all users are cloud-only, meaning we don't use traditional AD or ADFS.
3. I've gone through the configurations multiple times:
- The domain "contoso.de" is verified with "AuthenticationType = Federated" and I've confirmed the federation settings are correct.
- All relevant user objects are verified and match their Google accounts.
- The SAML app settings in Google Workspace have been updated appropriately, including enabling signed responses.
4. I've run multiple tests:
- IdP-initiated tests from Google seem to throw an `AADSTS901004` error, which I understand is expected.
- For SP-initiated logins from Microsoft, it redirects to Google successfully, but the return fails with an `AADSTS51004` error with no complete sign-in logs available.

I've double-checked all configurations and I can't seem to pinpoint any errors. Does anyone have suggestions on what to look for or any subreddits that might be more applicable for this issue? Thanks in advance!

4 Answers

Answered By SystemAdmin101 On

Just a thought—are you sure that all three attributes (UserPrincipalName, Mail, and Google Primary Email) are exactly the same and consistently in the same case? Sometimes it can be the tiniest details like casing that trip things up.

Answered By CloudNinja33 On

Another thing to consider is whether the federated domain is set as the primary on your Microsoft 365 account. That might be a key factor contributing to the issue.

CuriousCat123 -

Yes, it is set as the primary domain.

Answered By TechGuru2 On

It sounds like you've done thorough checking on your configurations! The `AADSTS51004` error typically indicates that Entra ID received the SAML assertion, but it couldn’t match the NameID to any user object. This often relates to the ImmutableId mapping, so it’s worth revisiting that aspect. Here's a link that might help clarify: [SAML Assertion Config](https://learn.microsoft.com/en-us/answers/questions/1428630/configure-federation-between-google-workspace-and).
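
A small diagnostic for the two checks raised in the answers above (identifiers agreeing byte-for-byte, and the NameID mapping to an ImmutableId). This is added example code, not anything from the original thread or from Google's or Microsoft's documentation. The SAML response and the directory rows are constructed samples, and the expectations that the NameID uses the persistent format and that an `IDPEmail` attribute carries the UPN are assumptions taken from Microsoft's generic SAML 2.0 federation guidance as I recall it, kept as constants so you can change them. It parses the XML only; it does not validate signatures or timestamps.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Assumptions (not from the thread): expected NameID format and the attribute
# that should carry the UPN. Adjust to whatever your federation settings require.
EXPECTED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UPN_ATTRIBUTE = "IDPEmail"

# Constructed sample (not a real capture): a trimmed SAML Response as the IdP
# would post it to the SP. Signature, Conditions and timestamps are omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Jane.Doe@contoso.de</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="IDPEmail">
        <saml:AttributeValue>jane.doe@contoso.de</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed directory export: Entra fields plus the Google primary email,
# i.e. the three identifiers the first answer says must be identical.
DIRECTORY = [
    {"userPrincipalName": "jane.doe@contoso.de", "mail": "jane.doe@contoso.de",
     "immutableId": "jane.doe@contoso.de", "googlePrimaryEmail": "jane.doe@contoso.de"},
    {"userPrincipalName": "max.mustermann@contoso.de", "mail": "Max.Mustermann@contoso.de",
     "immutableId": "max.mustermann@contoso.de", "googlePrimaryEmail": "max.mustermann@contoso.de"},
]


def inconsistent_identifiers(directory):
    """UPNs of users whose UPN, mail, ImmutableId and Google email are not byte-identical."""
    keys = ("userPrincipalName", "mail", "immutableId", "googlePrimaryEmail")
    return [u["userPrincipalName"] for u in directory if len({u[k] for k in keys}) > 1]


def parse_assertion(xml_text):
    """Extract NameID, its Format and the attribute statement from a SAML Response."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no Subject/NameID")
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id.text.strip(),
            "name_id_format": name_id.get("Format", ""),
            "attributes": attributes}


def diagnose(assertion, directory):
    """Return findings that explain why a NameID may fail to map to a user.

    An empty list means the NameID equals exactly one ImmutableId byte-for-byte,
    the Format is the expected one, and the UPN attribute equals that user's UPN."""
    findings = []
    nid = assertion["name_id"]
    exact = [u for u in directory if u["immutableId"] == nid]
    if not exact:
        folded = [u for u in directory if u["immutableId"].casefold() == nid.casefold()]
        by_upn = [u for u in directory if u["userPrincipalName"].casefold() == nid.casefold()]
        if folded:
            findings.append(f"NameID {nid!r} differs only in case from ImmutableId "
                            f"{folded[0]['immutableId']!r}")
        elif by_upn:
            findings.append(f"NameID {nid!r} is a UPN, but that user's ImmutableId is "
                            f"{by_upn[0]['immutableId']!r}")
        else:
            findings.append(f"NameID {nid!r} matches no ImmutableId and no UPN")
    if assertion["name_id_format"] != EXPECTED_NAMEID_FORMAT:
        findings.append(f"NameID Format is {assertion['name_id_format']!r}, "
                        f"expected {EXPECTED_NAMEID_FORMAT!r}")
    upn_values = assertion["attributes"].get(UPN_ATTRIBUTE, [])
    if not upn_values:
        findings.append(f"attribute {UPN_ATTRIBUTE!r} is missing from the assertion")
    elif exact and upn_values != [exact[0]["userPrincipalName"]]:
        findings.append(f"{UPN_ATTRIBUTE} {upn_values!r} does not equal UPN "
                        f"{exact[0]['userPrincipalName']!r}")
    return findings


if __name__ == "__main__":
    print("inconsistent directory rows:", inconsistent_identifiers(DIRECTORY))
    for line in diagnose(parse_assertion(SAMPLE_RESPONSE), DIRECTORY):
        print("finding:", line)
```

Feed it a decoded `SAMLResponse` captured from your own browser's POST to the ACS endpoint (base64-decode the form field first) together with an export of your users; the constructed sample shows the two classic outcomes, a NameID that differs from the ImmutableId only in case and a non-persistent Format.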

Answered By SsoSpecialist On

These situations can be tricky; it often boils down to small settings or timing issues. If you're open to it, you might want to check out services like Cato Networks. They offer solutions that simplify SSO setups between Google and Microsoft, which could streamline your process.
