
Tutorial: Azure AD integration with Google Apps

Published: July 8, 2013

Updated: April 15, 2014

Applies To: Azure


For more information about this topic, see Best Practices for Managing the Application access enhancements for Windows Azure Active Directory.

The objective of this tutorial is to show the integration of Windows Azure and Google Apps. The scenario outlined in this tutorial assumes that you already have the following items:

  • A valid Windows Azure subscription

  • A test tenant in Google Apps

If you don’t have a valid tenant in Google Apps yet, you can, for example, sign up for a trial account at the Google Apps for Business website.

The scenario outlined in this tutorial consists of the following building blocks:

  1. Enabling the application integration for Google Apps

  2. Configuring single sign-on

  3. Enabling Google Apps API Access

  4. Adding custom domains

  5. Configuring user provisioning

The objective of this section is to outline how to enable the application integration for Google Apps.

  1. In the Windows Azure Management Portal, on the left navigation pane, click Active Directory.

  2. From the Directory list, select the directory for which you want to enable directory integration.

  3. To open the applications view, in the directory view, click Applications in the top menu.

  4. Click Add at the bottom to open the Add Application dialog.

  5. On the Integrate an app with Windows Azure AD dialog, click Manage access to an application.

  6. On the Select an application to manage page, select Google Apps from the list of applications.

  7. Click the Complete button to add the application and close the dialog.

The objective of this section is to outline how to enable users to authenticate to Google Apps with their account in Windows Azure AD using federation based on the SAML protocol.

  1. In the Windows Azure Management Portal, select Active Directory in the left navigation pane to open the active directory dialog page.

  2. In the directory list, select your directory to open your directory’s configuration page.

  3. Select APPLICATIONS from the top level menu.

  4. From the list of applications, select Google Apps to open the Google Apps configuration dialog.

  5. To open the CONFIGURE SINGLE SIGN-ON dialog, click Configure single sign-on.

  6. On the Select the single sign-on mode for this app dialog page, select Users authenticate with their account in Windows Azure AD as MODE, and then click the Next button.

  7. On the Configure App URL dialog page, in the GOOGLE APPS TENANT URL textbox, type the Google Apps tenant URL, and then click the Next button.

    Note
    The schema of the Google Apps tenant URL has the following format: https://www.google.com/a/<your Google Apps domain>

  8. On the Configure single sign-on at Google Apps dialog page perform the following steps, and then click the Complete button.

    1. Click Download certificate, and then save the certificate as c:\googleapps.cer.

    2. Open the Google Apps login page, and then sign on.

    3. On the Admin console, click Security.

      Note
      If the Security icon is not visible, you should click More controls on the bottom of the page.

  9. On the Security page, click Advanced settings.

  10. In the Advanced settings section of the page, select Set up single sign-on.

  11. On the Set up single sign-on page, perform the following steps:

    1. Select Enable Single Sign-on.

    2. On the Configure single sign-on at Google Apps page in the Windows Azure AD Portal, copy the SINGLE SIGN-ON URL, and then paste it into the related textbox on the Security page in the Google Apps Admin console.

    3. On the Configure single sign-on at Google Apps page in the Windows Azure AD Portal, copy the Single sign-out service URL, and then paste it into the related textbox on the Security page in the Google Apps Admin console.

    4. On the Configure single sign-on at Google Apps page in the Windows Azure AD Portal, copy the Change password URL, and then paste it into the related textbox on the Security page in the Google Apps Admin console.

    5. Click the Browse button to locate the Verification certificate, and then click Upload.

    6. Click Save changes.

  12. On the Configure single sign-on at Google Apps page in the Windows Azure AD Portal, click the Complete button.

You can now go to the Access Panel and test single sign-on to Google Apps.

When integrating Windows Azure Active Directory with Google Apps for user provisioning, you must enable API access for your tenant in Google Apps.

  1. Sign on to your Google Apps tenant.

  2. In the Admin console, click Security.


    Note
    If the Security icon is not visible, click More controls at the bottom of the Admin console.

  3. On the Security page, click API reference to open the related configuration dialog page.

  4. Select Enable API access.


Configuring user provisioning with Google Apps requires the Windows Azure AD domain and the Google Apps domain to have the same fully qualified domain name (FQDN). However, when you use trial tenants to test the scenario in this tutorial, for example, the FQDNs of your tenants typically don’t match. To address this issue, you can configure custom domains in Windows Azure AD and in Google Apps.
Configuring a custom domain requires access to your public domain’s DNS zone file.

Add a custom domain

  1. In the Windows Azure Management Portal, select Active Directory in the left navigation pane to open the active directory dialog page.

  2. In the directory list, select your directory to open your directory’s configuration page.

  3. Select DOMAINS from the top level menu.

  4. To open the ADD CUSTOM DOMAIN dialog, click ADD A CUSTOM DOMAIN.

  5. In the DOMAIN NAME textbox, type your domain name, and then click add.

  6. Click Next to open the Verify <your domain name> dialog page.

  7. Select a RECORD TYPE, and then register the selected record in your DNS zone file.

  8. Using the nslookup command, you should verify whether the DNS record has been successfully registered.
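
One way to script the check in step 8, as an added example that is not part of the original tutorial: it parses `nslookup -type=TXT` output, in either the Windows or the Unix layout, and reports whether the expected verification value is published. It assumes the TXT record type was selected; the domain, resolver address and record value in the samples are constructed placeholders, and the function names are hypothetical.

```python
import re
import subprocess

# Constructed nslookup output (Windows layout); the domain, resolver address
# and verification value are placeholders, not values from the portal.
SAMPLE_OK = (
    "Server:  UnKnown\nAddress:  192.0.2.53\n\n"
    "Non-authoritative answer:\n"
    'example.com\ttext =\n\n\t"v=spf1 -all"\n'
    'example.com\ttext =\n\n\t"MS=ms00000000"\n'
)
# Constructed output (Unix layout) where the record carries a mistyped value.
SAMPLE_TYPO = (
    "Server:\t\t192.0.2.53\nAddress:\t192.0.2.53#53\n\n"
    'example.com\ttext = "MS=ms00000001"\n'
)

def txt_values(output):
    """Return each TXT record found in nslookup output as one string."""
    records = re.findall(r'text =\s*((?:"[^"]*"\s*)+)', output)
    # A record may be printed as several quoted chunks; join them.
    return ["".join(re.findall(r'"([^"]*)"', rec)) for rec in records]

def check_verification(output, expected):
    """Classify a lookup as 'verified', 'mismatch' or 'missing'."""
    values = txt_values(output)
    if expected in values:
        return "verified"
    key = expected.split("=", 1)[0].lower() + "="
    if any(v.lower().startswith(key) for v in values):
        return "mismatch"  # same key, different value: typo or stale record
    return "missing"       # not published yet, or not propagated to this resolver

def from_cache(output):
    """True when the answer came from a resolver cache, not the zone's own server."""
    return "Non-authoritative answer" in output

def lookup_txt(domain, server=None):
    """Run nslookup for TXT records; pass the zone's name server to skip caches."""
    cmd = ["nslookup", "-type=TXT", domain] + ([server] if server else [])
    return subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("typo", SAMPLE_TYPO)):
        print(name, check_verification(sample, "MS=ms00000000"), from_cache(sample))
```

A "missing" result from a cached answer is not conclusive; repeat the lookup against the zone's own name server before re-editing the record.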


  1. Sign on to your Google Apps tenant.

  2. In the Admin console, click Domains.

  3. Click Add a custom domain.

  4. Click Use a domain you already own, and then click Continue.

  5. Type the name of your custom domain, and then click Continue.

  6. Complete the steps to verify ownership of the domain.

Important
If you have already configured federated single sign-on, you must update the Google Apps tenant URL in your federated single sign-on configuration.

The objective of this section is to outline how to enable provisioning of Active Directory user accounts to Google Apps.

Note
This section assumes that you have completed the steps listed in the following sections:

  1. Enabling Google Apps API Access

  2. Adding custom domains

  1. In the Windows Azure Management Portal, select Active Directory in the left navigation pane to open the active directory dialog page.

  2. In the directory list, select your directory to open your directory’s configuration page.

  3. Select APPLICATIONS from the top level menu.

  4. From the list of applications, select Google Apps to open the Google Apps configuration dialog.

  5. To open the CONFIGURE ACCOUNT SYNC dialog, click Configure account sync.

  6. On the CONFIGURE ACCOUNT SYNC dialog page, provide the Google Apps domain name, the Google Apps user name and the Google Apps password, and then click the Next button.

  7. On the Confirmation dialog page, click the Complete button to close the CONFIGURE ACCOUNT SYNC dialog.

You can now create a test account, wait for 10 minutes and verify that the account has been synchronized to Google Apps.

Important
Before testing the account, please make sure that the following is true:

  1. You have completed the steps outlined in the following section: Enabling Google Apps API Access

  2. Your test account is a member of a Google Apps verified domain.
