
Tutorial: Azure AD integration with Google Apps

Published: July 8, 2013

Updated: August 27, 2014

Applies To: Azure


For more information about this topic, see Best Practices for Managing the Application access enhancements for Azure Active Directory.

The objective of this tutorial is to show the integration of Azure and Google Apps. The scenario outlined in this tutorial assumes that you already have the following items:

  • A valid Azure subscription

  • A test tenant in Google Apps

If you don’t have a valid tenant in Google Apps yet, you can, for example, sign up for a trial account at the Google Apps for Business web site.

The scenario outlined in this tutorial consists of the following building blocks:

  1. Enabling the application integration for Google Apps

  2. Configuring single sign-on

  3. Enabling Google Apps API Access

  4. Adding custom domains

  5. Configuring user provisioning

The objective of this section is to outline how to enable the application integration for Google Apps.

  1. In the Azure Management Portal, on the left navigation pane, click Active Directory.

  2. From the Directory list, select the directory for which you want to enable directory integration.

  3. To open the applications view, in the directory view, click Applications in the top menu.

  4. Click Add at the bottom of the page.

  5. On the What do you want to do dialog, click Add an application from the gallery.

  6. In the search box, type Google Apps.

  7. In the results pane, select Google Apps, and then click Complete to add the application.

The objective of this section is to outline how to enable users to authenticate to Google Apps with their account in Azure AD using federation based on the SAML protocol.

  1. In the Azure AD portal, on the Google Apps application integration page, click Configure single sign-on to open the Configure Single Sign On dialog.

  2. On the How would you like users to sign on to Google Apps page, select Windows Azure AD Single Sign-On, and then click Next.

  3. On the Configure App URL page, in the Google Apps Sign In URL textbox, type the Google Apps tenant URL, and then click Next.

    Note: The schema of the Google Apps tenant URL has the following format: https://www.google.com/a/<your Google Apps domain>

  4. On the Configure single sign-on at Google Apps dialog page, perform the following steps:

    1. Click Download certificate, and then save the certificate as c:\googleapps.cer.

    2. Open the Google Apps login page, and then sign on.

    3. On the Admin console, click Security.

      Note: If the Security icon is not visible, click More controls at the bottom of the page.

  5. On the Security page, click Advanced settings.

  6. In the Advanced settings section of the page, select Set up single sign-on.

  7. On the Set up single sign-on page, perform the following steps:

    1. Select Enable Single Sign-on.

    2. On the Configure single sign-on at Google Apps page in the Azure AD Portal, copy the SINGLE SIGN-ON URL, and then paste it into the related textbox on the Security page in the Google Apps Admin console.

    3. On the Configure single sign-on at Google Apps page in the Azure AD Portal, copy the Single sign-out service URL, and then paste it into the related textbox on the Security page in the Google Apps Admin console.

    4. On the Configure single sign-on at Google Apps page in the Azure AD Portal, copy the Change password URL, and then paste it into the related textbox on the Security page in the Google Apps Admin console.

    5. Click the Browse button to locate the Verification certificate, and then click Upload.

    6. Click Save changes.

  8. On the Azure AD portal, select the single sign-on configuration confirmation, and then click Complete to close the Configure Single Sign On dialog.

You can now go to the Access Panel and test single sign-on to Google Apps.
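
Before uploading the verification certificate in step 7, it helps to record its fingerprint and validity period so that you know exactly which certificate Google Apps will trust and when it must be replaced. The following PowerShell check is an added example, not part of the original tutorial; the path is the one from step 4, and the key-size and expiry thresholds are assumptions.

```powershell
# Added example, not from the original tutorial.
# Path is the one used in step 4; both thresholds are assumptions.
$path        = 'c:\googleapps.cer'
$minKeyBits  = 2048   # assumed minimum RSA key size
$minDaysLeft = 30     # assumed warning window before expiry

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$now  = Get-Date

# SHA-256 fingerprint of the DER-encoded certificate, independent of
# whether the .cer file on disk is DER or Base64 encoded.
$sha256      = [System.Security.Cryptography.SHA256]::Create()
$fingerprint = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$sha256.Dispose()

$findings = @()
if ($now -lt $cert.NotBefore) {
    $findings += "Not valid until $($cert.NotBefore)"
}
if ($now -gt $cert.NotAfter) {
    $findings += "Expired on $($cert.NotAfter)"
} elseif (($cert.NotAfter - $now).TotalDays -lt $minDaysLeft) {
    $findings += "Expires in fewer than $minDaysLeft days"
}
if ($null -eq $rsa) {
    $findings += 'Public key is not RSA; review manually'
} elseif ($rsa.KeySize -lt $minKeyBits) {
    $findings += "RSA key is only $($rsa.KeySize) bits"
}
if ($cert.SignatureAlgorithm.FriendlyName -match 'md5|sha1') {
    $findings += "Certificate is signed with $($cert.SignatureAlgorithm.FriendlyName)"
}

# Summary to keep with the change record for this SSO configuration.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    Sha256     = $fingerprint
    NotAfter   = $cert.NotAfter
    Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
}
```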

When integrating Azure Active Directory with Google Apps for user provisioning, you must enable API access for your tenant in Google Apps.

  1. Sign on to your Google Apps tenant.

  2. In the Admin console, click Security.

    Note: If the Security icon is not visible, click More controls at the bottom of the Admin console.

  3. On the Security page, click API reference to open the related configuration dialog page.

  4. Select Enable API access.

Configuring user provisioning with Google Apps requires the Azure AD domain and the Google Apps domain to have the same fully qualified domain name (FQDN). However, when you are, for example, using trial tenants to test the scenario in this tutorial, the FQDNs of your tenants typically don’t match. To address this issue, you can configure custom domains in Azure AD and in Google Apps.
Configuring a custom domain requires access to your public domain’s DNS zone file.

Add a custom domain

  1. In the Azure Management Portal, select Active Directory in the left navigation pane to open the active directory dialog page.

  2. In the directory list, select your directory to open your directory’s configuration page.

  3. Select DOMAINS from the top level menu.

  4. To open the ADD CUSTOM DOMAIN dialog, click ADD A CUSTOM DOMAIN.

  5. In the DOMAIN NAME textbox, type your domain name, and then click add.

  6. Click Next to open the Verify <your domain name> dialog page.

  7. Select a RECORD TYPE, and then register the selected record in your DNS zone file.

  8. Using the nslookup command, you should verify whether the DNS record has been successfully registered.
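
One way to carry out the check in step 8 from PowerShell, as an added example that is not part of the original tutorial: it asks each authoritative name server of the zone for the record you registered and compares the answer with the value shown in the Verify dialog. The function name, `example.com` and the expected value are placeholders.

```powershell
# Added example, not from the original tutorial.
# The domain and the expected value in the call at the bottom are placeholders.
function Test-DomainVerificationRecord {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [ValidateSet('TXT', 'MX')] [string] $RecordType,
        [Parameter(Mandatory)] [string] $ExpectedValue
    )

    # Ask the zone's authoritative name servers directly so that a cached
    # (stale or negative) answer from a recursive resolver cannot mislead.
    $nameServers = Resolve-DnsName -Name $Domain -Type NS -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' } |
        Select-Object -ExpandProperty NameHost
    if (-not $nameServers) {
        throw "No NS records returned for $Domain; query the parent zone instead."
    }

    foreach ($ns in $nameServers) {
        $answers = Resolve-DnsName -Name $Domain -Type $RecordType -Server $ns `
                       -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq $RecordType }

        # TXT data is exposed as Strings, MX targets as NameExchange.
        $values = if ($RecordType -eq 'TXT') { $answers.Strings } else { $answers.NameExchange }

        [pscustomobject]@{
            NameServer = $ns
            Found      = @($values) -contains $ExpectedValue
            Values     = @($values) -join '; '
        }
    }
}

Test-DomainVerificationRecord -Domain 'example.com' -RecordType TXT `
    -ExpectedValue '<value shown in the Verify dialog>'
```

Every name server should report `Found = True` before you continue with verification in the portal.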

  1. Sign on to your Google Apps tenant.

  2. In the Admin console, click Domains.

  3. Click Add a custom domain.

  4. Click Use a domain you already own, and then click Continue.

  5. Type the name of your custom domain, and then click Continue.

  6. Complete the steps to verify ownership of the domain.

Important: If you have already configured federated single sign-on, you must update the Google Apps tenant URL in your federated single sign-on configuration.

The objective of this section is to outline how to enable provisioning of Active Directory user accounts to Google Apps.

Note: This section assumes that you have completed the steps listed in the following sections:

  1. Enabling Google Apps API Access

  2. Adding custom domains

  1. In the Azure Management Portal, select Active Directory in the left navigation pane to open the active directory dialog page.

  2. In the directory list, select your directory to open your directory’s configuration page.

  3. Select APPLICATIONS from the top level menu.

  4. From the list of applications, select Google Apps to open the google apps configuration dialog.

  5. To open the CONFIGURE ACCOUNT SYNC dialog, click Configure account sync.

  6. On the CONFIGURE ACCOUNT SYNC dialog page, provide the Google Apps domain name, the Google Apps user name and the Google Apps password, and then click the Next button.

  7. On the Confirmation dialog page, click the Complete button to close the CONFIGURE ACCOUNT SYNC dialog.

You can now create a test account, wait for 10 minutes and verify that the account has been synchronized to Google Apps.

Important: Before testing the account, please make sure that the following is true:

  1. You have completed the steps outlined in the following section: Enabling Google Apps API Access

  2. Your test account is a member of a Google Apps verified domain.

© 2014 Microsoft