
Tutorial: Azure Active Directory integration with Google Apps

Published: July 8, 2013

Updated: April 16, 2015

Applies To: Azure


The objective of this tutorial is to show the integration of Azure and Google Apps. The scenario outlined in this tutorial assumes that you already have the following items:

  • A valid Azure subscription

  • A test tenant in Google Apps

If you don’t have a valid tenant in Google Apps yet, you can, for example, sign up for a trial account at the Google Apps for Business web site.

The scenario outlined in this tutorial consists of the following building blocks:

  1. Enabling the application integration for Google Apps

  2. Configuring single sign-on

  3. Enabling Google Apps API Access

  4. Adding custom domains

  5. Configuring user provisioning

  6. Assigning users

Scenario

The objective of this section is to outline how to enable the application integration for Google Apps.

  1. In the Azure Management Portal, on the left navigation pane, click Active Directory.


  2. From the Directory list, select the directory for which you want to enable directory integration.

  3. To open the applications view, in the directory view, click Applications in the top menu.


  4. Click Add at the bottom of the page.


  5. On the What do you want to do dialog, click Add an application from the gallery.


  6. In the search box, type Google Apps.


  7. In the results pane, select Google Apps, and then click Complete to add the application.


The objective of this section is to outline how to enable users to authenticate to Google Apps with their account in Azure AD using federation based on the SAML protocol.

  1. In the Azure AD portal, on the Google Apps application integration page, click Configure single sign-on to open the Configure Single Sign On dialog.


  2. On the How would you like users to sign on to Google Apps page, select Windows Azure AD Single Sign-On, and then click Next.


  3. On the Configure App URL page, in the Google Apps Sign In URL textbox, type the Google Apps tenant URL, and then click Next.

    Note
    The Google Apps tenant URL has the following format: https://mail.google.com/a/<your Google Apps domain>

  4. On the Configure single sign-on at Google Apps dialog page perform the following steps.


    1. Click Download certificate, and then save the certificate as c:\googleapps.cer.

    2. Open the Google Apps login page, and then sign on.


    3. On the Admin console, click Security.


      Note
      If the Security icon is not visible, click More controls at the bottom of the page.

  5. On the Security page, click Set up single sign-on (SSO).


  6. On the Set up single sign-on page, perform the following steps:


    1. Select Setup SSO with third party identity provider.

    2. On the Configure single sign-on at Google Apps page in the Azure AD Portal, copy the SINGLE SIGN-ON URL, and then paste it into the related textbox on the Security page in the Google Apps Admin console.

    3. On the Configure single sign-on at Google Apps page in the Azure AD Portal, copy the Single sign-out service URL, and then paste it into the related textbox on the Security page in the Google Apps Admin console.

    4. On the Configure single sign-on at Google Apps page in the Azure AD Portal, copy the Change password URL, and then paste it into the related textbox on the Security page in the Google Apps Admin console.

    5. Click the Choose File button to locate the Verification certificate, and then click Upload.

    6. Click Save changes.

  7. On the Azure AD portal, select the single sign-on configuration confirmation, and then click Complete to close the Configure Single Sign On dialog.
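
The certificate saved in step 4 becomes the key Google Apps uses to validate sign-on responses, so it is worth inspecting before uploading it. The following PowerShell is an added example, not part of the original tutorial; the function name and the 2048-bit and 30-day thresholds are assumptions, and the path is the one used above.

```powershell
# Added example, not from the original tutorial. The path is the one used in
# the tutorial; the 2048-bit and 30-day thresholds are assumptions.
function Test-SsoSigningCertificate {
    param(
        [string]$Path = 'C:\googleapps.cer',
        [int]$MinRsaBits = 2048,
        [int]$MinDaysLeft = 30
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $now = Get-Date
    $findings = @()

    # Validity window: an expired certificate breaks sign-on for every user.
    if ($now -lt $cert.NotBefore) { $findings += 'not yet valid' }
    if ($cert.NotAfter -lt $now) {
        $findings += 'expired'
    } elseif ($cert.NotAfter -lt $now.AddDays($MinDaysLeft)) {
        $findings += "expires within $MinDaysLeft days"
    }

    # Signature algorithm and key size of the certificate itself.
    if ($cert.SignatureAlgorithm.FriendlyName -match 'md5|sha1') {
        $findings += "weak signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)"
    }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($rsa -and $rsa.KeySize -lt $MinRsaBits) { $findings += "RSA key is only $($rsa.KeySize) bits" }

    # SHA-256 fingerprint over the DER bytes, for change records and for
    # confirming that the uploaded file is the one that was downloaded.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $fingerprint = ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join ':'

    [pscustomobject]@{
        Subject   = $cert.Subject
        NotAfter  = $cert.NotAfter
        Algorithm = $cert.SignatureAlgorithm.FriendlyName
        Sha256    = $fingerprint
        Findings  = $findings
    }
}

Test-SsoSigningCertificate | Format-List
```

Record the `NotAfter` date: sign-on stops working when the certificate expires, so a replacement has to be uploaded to Google Apps before then.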


When integrating Azure Active Directory with Google Apps for user provisioning, you must enable API access for your tenant in Google Apps.

  1. Sign on to your Google Apps tenant.

  2. In the Admin console, click Security.


    Note
    If the Security icon is not visible, click More controls at the bottom of the Admin console.

  3. On the Security page, click API reference to open the related configuration dialog page.

  4. Select Enable API access.


Configuring user provisioning with Google Apps requires the Azure AD domain and the Google Apps domain to have the same fully qualified domain name (FQDN). However, when you are, for example, using trial tenants to test the scenario in this tutorial, the FQDNs of your tenants typically don’t match. To address this issue, you can configure custom domains in Azure AD and in Google Apps.
Configuring a custom domain requires access to your public domain’s DNS zone file.

Add a custom domain

  1. In the Azure Management Portal, select Active Directory in the left navigation pane to open the active directory dialog page.

  2. In the directory list, select your directory to open your directory’s configuration page.

  3. Select Domains from the top level menu.

  4. To open the Add Custom Domain dialog, click Add a custom domain.

  5. In the Domain Name textbox, type your domain name, and then click add.


  6. Click Next to open the Verify <your domain name> dialog page.

  7. Select a Record Type, and then register the selected record in your DNS zone file.


  8. Using the nslookup command, you should verify whether the DNS record has been successfully registered.
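
The check in step 8 can also be scripted. The following PowerShell is an added example, not part of the original tutorial; it uses Resolve-DnsName in place of nslookup and queries the zone's authoritative name servers one by one. The function name, the domain and the expected value are placeholders, and it assumes a TXT or MX record type was selected in step 7.

```powershell
# Added example, not from the original tutorial. Requires the DnsClient module
# (Windows 8 / Server 2012 or later). Domain and value below are placeholders.
function Test-DomainVerificationRecord {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$ExpectedValue,            # value shown in the Verify dialog
        [ValidateSet('TXT', 'MX')][string]$RecordType = 'TXT'    # assumed record types
    )

    # Ask the zone's authoritative servers directly so a cached negative answer
    # on the local resolver cannot hide a record that was just added.
    $servers = @(Resolve-DnsName -Name $Domain -Type NS -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.NameHost } | Select-Object -ExpandProperty NameHost)
    if (-not $servers) { $servers = @($null) }   # fall back to the default resolver

    foreach ($server in $servers) {
        $query = @{ Name = $Domain; Type = $RecordType; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($server) { $query.Server = $server }
        $answers = @(Resolve-DnsName @query)

        # TXT data is exposed as .Strings, MX targets as .NameExchange.
        $values = if ($RecordType -eq 'TXT') {
            $answers | Where-Object { $_.Strings } | ForEach-Object { $_.Strings -join '' }
        } else {
            $answers | Where-Object { $_.NameExchange } | ForEach-Object { $_.NameExchange }
        }

        [pscustomobject]@{
            Server   = if ($server) { $server } else { '(default resolver)' }
            Found    = @($values) -contains $ExpectedValue
            Returned = @($values)
        }
    }
}

Test-DomainVerificationRecord -Domain 'contoso.example' -ExpectedValue '<value from the Verify dialog>'
```

A row with `Found` set to False means that name server is not yet serving the record, which is the usual reason verification fails right after the zone file has been edited.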


  1. Sign on to your Google Apps tenant.

  2. In the Admin console, click Domains.


  3. Click Add a domain alias.


  4. Type the name of your custom domain, and then click Continue and verify domain ownership.


  5. Complete the steps to verify ownership of the domain.

Important
If you have already configured federated single sign-on, you must update the Google Apps tenant URL in your federated single sign-on configuration.

The objective of this section is to outline how to enable provisioning of Active Directory user accounts to Google Apps.

Note
Enabling automatic user provisioning will also provision any distribution groups that are assigned access to Google Apps.
Security groups, however, are not supported by Google Apps.

Note
This section assumes that you have completed the steps listed in the following sections:

  1. Enabling Google Apps API Access

  2. Adding custom domains

  1. In the Azure Management Portal, on the Google Apps application integration page, click Configure user provisioning to open the Configure User Provisioning dialog.


  2. On the Configure User Provisioning dialog, click Enable user provisioning.


  3. On the Sign in with your Google Account dialog, sign in using your Google Apps admin account.


  4. On the Azure Active Directory would like to dialog page, click Accept.


  5. On the Configure User Provisioning dialog page, click Complete.


To test your configuration, you need to grant access to the Azure AD users who should be allowed to use the application by assigning them to it.

  1. In the Azure AD portal, create a test account.

  2. On the Google Apps application integration page, click Assign users.


  3. Select your test user, click Assign, and then click Yes to confirm your assignment.


You should now wait for 10 minutes and verify that the account has been synchronized to Google Apps.

Important
Before testing the account, please make sure that the following is true:

  1. You have completed the steps outlined in the following section: Enabling Google Apps API Access

  2. Your test account is a member of a Google Apps verified domain.

If you want to test your single sign-on settings, open the Access Panel. For more details about the Access Panel, see Introduction to the Access Panel.
