
5/4/2017 Google Apps Single Sign On (SSO) with ADFS 3.0 | iCutsman

iCutsman
Technology Blog

Google Apps Single Sign On (SSO) with ADFS 3.0

This is an overview of how to configure Google SSO in an ADFS 3.0 environment. This guide assumes the ADFS 3.0 server environment is already operational for other apps, such as Office 365.

Please note the test ADFS environment was set up with mytester.org as the primary domain, and tester.org as a subdomain. If you only have a single domain, then simply enter the primary domain information wherever a domain is needed.

Summary:

ADFS 3.0 Configuration
Exporting Token signing certificate
Create Relying Party Trust
Additional Required Configuration for Relying Trust
Configure Claim Rules
Google Domain Configuration
Enabling Single Sign On for Domain
Testing

ADFS 3.0 Configuration

Exporting Token signing certificate

Open the ADFS Management Console

Navigate to the following: ADFS > Service > Certificates
https://icutsman.wordpress.com/2016/08/06/googleappsandadfs/

Under Token-signing, right click the sole certificate that is installed (if two are listed because automatic certificate rollover has already generated the next one, export the certificate marked Primary, as that is the one currently signing tokens)
Select View Certificate

Select the Details tab
Select Copy to File...

Click Next
Select Base-64 encoded X.509 (.CER) and click Next


Browse to your preferred location to save the certificate, and give it a name of your choosing
Click Next
Click Finish
Click OK when the "The export was successful" box appears
Your exported certificate should resemble a single Base64 block between a BEGIN CERTIFICATE line and an END CERTIFICATE line.
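The same export done from the ADFS server with the ADFS PowerShell module, as an added example that is not part of the original post. It picks the primary token-signing certificate (the one actually signing assertions), writes it in the same Base64 .CER form the MMC wizard produces, and warns when automatic certificate rollover is on, because the next rollover silently invalidates the certificate uploaded to Google. The output path is an assumption.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the ADFS 3.0 server. The output path is an assumption.
Import-Module ADFS

$outFile = 'C:\Temp\adfs-token-signing.cer'

# Only the *primary* token-signing certificate signs assertions right now;
# during a rollover window a secondary one is listed as well.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
$cert = $signing.Certificate   # X509Certificate2

# Build the "Base-64 encoded X.509 (.CER)" form, same as the export wizard.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Record what was exported so it can be matched against what Google shows later.
"Exported   : $outFile"
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"NotAfter   : $($cert.NotAfter)"

# Caveat: with AutoCertificateRollover enabled ADFS generates a new
# token-signing certificate before the current one expires and promotes it
# to primary; from that moment Google rejects every assertion until the
# new .cer has been uploaded as the verification certificate.
if ((Get-AdfsProperties).AutoCertificateRollover) {
    "AutoCertificateRollover is ON: re-export and re-upload to Google before the rollover preceding $($cert.NotAfter)."
}
```

Keep the thumbprint printed here; it is the quickest way to confirm later that the certificate Google holds is the one ADFS is signing with.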

Create Relying Party Trust

Open the ADFS Management Console
Navigate to the following: ADFS > Trust Relationships > Relying Party Trusts

On the right hand side, select Add Relying Party Trust...


When the wizard appears, click Start
Select Enter data about the relying party manually, and click Next

For Display name, type: Google Apps SSO
For Notes, type: This is the relying party trust for Google Apps single sign on.
Click Next


Ensure AD FS profile is selected, then click Next

Do not upload a Token encryption certificate (yes, this is important: Google publishes no encryption key, so an assertion encrypted by ADFS could never be read on the Google side), and click Next
Tick Enable support for the SAML 2.0 WebSSO protocol
Enter: https://www.google.com/a/<primaryDomain>/acs
Click Next


In the Relying party trust identifier text box, enter the following identifiers:
google.com/a/<primaryDomain>
Click Add
google.com/a/<subDomain>
Click Add
Click Next


Ensure I do not want to configure multi-factor authentication [...] is chosen, and click Next

Ensure Permit all users to access this relying party is selected, and click Next


Click Next, and untick the Open the Edit Claim Rules [...] option and click Close

Additional Required Configuration for Relying Trust

Open the ADFS Management console
Navigate to the following: ADFS > Trust Relationships > Relying Party Trusts
Right click the Google Apps SSO trust, select Properties
Select the Signature tab
Click Add...

Browse to the exported Token signing certificate from before, and click Open

Click Apply

Select the Endpoints tab
Click Add SAML...

Endpoint type = SAML Logout
Binding = POST
Trusted URL = https://<adfsServer>/adfs/ls/?wa=wsignout1.0
Click OK, and then click Apply


Select the Advanced tab
Ensure Secure Hash Algorithm is set to: SHA-256
Click Apply, and then click OK

Configure Claim Rules

Open the ADFS Management Console
Navigate to the following: ADFS > Trust Relationships > Relying Party Trusts
Right click the Google Apps SSO trust, select Edit Claim Rules...


Under the Issuance Transform Rules tab, select Add Rule...
Ensure Send LDAP Attributes as Claims is selected, and click Next

Enter the following settings:
Claim Rule Name = LDAP Email as NameID
Attribute Store = Active Directory
LDAP Attribute = E-Mail-Addresses (the AD mail attribute)
Outgoing Claim Type = Name ID


Click Finish
Click Apply

From here, either restart the ADFS services or reboot the server in order for the configuration to apply.
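The whole relying party trust from the three sections above (creation, the Signature and Endpoints additions, SHA-256, and the claim rules) built in one go with the ADFS PowerShell cmdlets, as an added example that is not part of the original post. It is useful for reproducing the trust on a second ADFS farm or for diffing what the wizard produced. The domain names and the ADFS service host name are assumptions taken from the post's placeholders; the claim rules are written in the ADFS claim rule language rather than chosen from the wizard templates.

```powershell
# Added example, not from the original post. Run on the ADFS 3.0 server.
# Domain names and ADFS host name are assumptions; replace them with your own.
Import-Module ADFS

$primaryDomain = 'mytester.org'
$subDomain     = 'tester.org'
$adfsServer    = 'adfs.mytester.org'   # assumed ADFS service FQDN

# Relying party identifiers: one per Google domain, no scheme, exactly as
# Google sends them as Issuer when "Use a domain specific issuer" is ticked.
$identifiers = @("google.com/a/$primaryDomain", "google.com/a/$subDomain")

# SAML endpoints: the Assertion Consumer Service of the primary domain and
# the logout endpoint pointing back at the ADFS sign-out URL.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri "https://www.google.com/a/$primaryDomain/acs" -Index 0 -IsDefault $true
$slo = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout `
        -Uri "https://$adfsServer/adfs/ls/?wa=wsignout1.0"

# Issuance transform rule: AD "mail" (shown as E-Mail-Addresses in the wizard)
# issued as the outgoing Name ID claim, which is the only claim Google reads.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Email as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Issuance authorization rule: "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# The current primary token-signing certificate: the post adds it under the
# trust's Signature tab and later uploads the same file to Google.
$tokenSigning = (Get-AdfsCertificate -CertificateType Token-Signing |
                 Where-Object { $_.IsPrimary }).Certificate

Add-AdfsRelyingPartyTrust -Name 'Google Apps SSO' `
    -Notes 'This is the relying party trust for Google Apps single sign on.' `
    -Identifier $identifiers `
    -SamlEndpoint @($acs, $slo) `
    -RequestSigningCertificate $tokenSigning `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules
# No -EncryptionCertificate on purpose: Google needs a signed, unencrypted assertion.

# Review the result before pointing the Google domain at it.
Get-AdfsRelyingPartyTrust -Name 'Google Apps SSO' |
    Select-Object Name, Identifier, SignatureAlgorithm, SamlEndpoints, EncryptionCertificate
```

The final Select-Object should show both identifiers, the rsa-sha256 algorithm, the two endpoints and an empty EncryptionCertificate; anything else means the trust differs from what the wizard steps above produce.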

Google Domain Configuration

The final step is to configure the Google domain for accepting the single sign on environment.

NOTE: If you do NOT want to place Single Sign On into production yet, avoid completing this step until your organization is ready to move on.

Enabling Single Sign On for Domain

Log in to admin.google.com with a Super Admin account
Click Security


Select Set up single sign-on (SSO)

Tick Setup SSO with third party identity provider

Enter the following URLs
Sign-in page URL = https://<adfsServer>/adfs/ls/
Sign-out page URL = https://<adfsServer>/adfs/ls/?wa=wsignout1.0
Change password URL = https://<adfsServer>/adfs/ls/

Tick Use a domain specific issuer (this makes Google send google.com/a/<domain> as the issuer, which is why the relying party identifiers were entered in that form)

For Verification certificate, click Replace Certificate
Upload a copy of the SAME token signing certificate used in the Relying Party Trust creation for Google
Click Save

From here, users are now able to use single sign on for their accounts whether they are in the primary or sub domain.

NOTE: Super admin accounts will ALWAYS bypass SSO. For testing, use a test account and ensure you are redirected to your ADFS landing page.
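Before enabling SSO on the domain, it is worth checking that the .cer being uploaded as the verification certificate is one ADFS actually publishes for signing, since a stale export (for example from before a certificate rollover) produces exactly the "unable to process your request" style failures that are hard to diagnose from the Google side. This added example, not part of the original post, compares the exported file against the signing KeyDescriptor in the ADFS federation metadata; it can run from any Windows machine that can reach the ADFS server. The host name and file path are assumptions.

```powershell
# Added example, not from the original post. Host name and path are assumptions.
$adfsServer = 'adfs.mytester.org'
$cerFile    = 'C:\Temp\adfs-token-signing.cer'

# The certificate you are about to upload to Google (Base64 .cer or DER both load).
$local = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerFile

# What ADFS publishes: every KeyDescriptor use="signing" in its federation metadata.
$metadataUrl = "https://$adfsServer/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$published = $md.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object {
        $raw = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    }

"Local     : $($local.Thumbprint)  expires $($local.NotAfter)"
$published | ForEach-Object { "Published : $($_.Thumbprint)  expires $($_.NotAfter)" }

if ($published.Thumbprint -contains $local.Thumbprint) {
    "OK: the exported certificate is one ADFS currently publishes for signing."
} else {
    "MISMATCH: re-export the primary token-signing certificate before uploading it to Google."
}
```

Two published thumbprints mean a rollover is in progress; in that case upload the one ADFS has marked primary, and plan to repeat the upload once the secondary becomes primary.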


vaguirre830
August 6, 2016
Uncategorized

11 thoughts on "Google Apps Single Sign On (SSO) with ADFS 3.0"

1. Cliff
September 14, 2016 at 10:16 am

I followed your example and I receive the error that the relay state is missing.
I found an article on how to enable relay state in ADFS 3.0 but I don't know if it is working.
Do you have any suggestions?

vaguirre830
September 14, 2016 at 11:05 am

Are you testing via the http://adfs.domain.com/adfs/ls/idpinitiatedsignon.aspx page? Or are you testing by going to a Google site and signing in? If the former, the Initiated Sign On page will always display that error on the Google side. When I ran into that issue, I was pulling my hair out thinking there was something wrong with the config, but testing with a live Google page confirmed that the ADFS process was actually working. My vendor contacts confirmed that the relying state parameter error is normal at this time.

Cliff
September 15, 2016 at 7:45 am

First, thank you for saving what hair I have left.
What I was hoping to do was to have users sign in using WIA via ADFS and then to Google Apps. The goal is to speed the sign in process for elementary students. It just takes them a long time to type their username and get to the assignment.
I guess I will have to find another approach.
Thanks again for the info.

vaguirre830
September 16, 2016 at 11:49 am

Hmm, I can't confirm how WIA would work since we are using Forms based authentication in my district, but to streamline the sign in process for students, we are using software called Classlink which provides a portal for students and teachers to pass the authentication session to Google, Office 365, and other apps.

Cliff
September 16, 2016 at 2:20 pm

You have been extremely helpful. Thanks again.

2. Marius Dalacu
September 18, 2016 at 11:44 pm

Hi, can I use this to enforce logins only from certain IP ranges (let's say only from the LAN network, not from outside of the firm)?
Thank you.

vaguirre830
September 19, 2016 at 7:13 am

Indeed you can! If you look at the last screenshot of the guide, there is an option that says Network Masks. Input your public facing IP here with the CIDR notation (example: x.x.x.x/24) and Google will ONLY enforce SSO on devices with that IP range.

3. DMS
November 18, 2016 at 2:37 pm

Hello, I have followed the above steps and get the following error: "We are unable to process your request at this time, please try again later". Any advice?

vaguirre830
November 18, 2016 at 9:00 pm

Hello. I can try to help the best I can, but without any knowledge of your environment, it would be difficult to recommend some suggestions since that error can be multiple issues.

Firstly, what AD attributes are you using for the user sign in?

4. rcmtech
May 2, 2017 at 7:09 am

Excellent guide, and still working!

Why are you using the LDAP attribute of E-Mail-Address and not User-Principal-Name? Not saying you're wrong, just trying to understand why you chose that (e.g. is it required by Google, or is that your choice and why)?

Also, when signing in via a web browser after configuring this, I get a popup authentication box. I don't get that when I sign in to Office 365 (which I've also set up ADFS for): the browser URL just briefly changes to my ADFS server then seamlessly goes back to Office 365 again and signs me in. Is there any way to make the authentication seamless for Google?

vaguirre830
May 3, 2017 at 11:35 am

Hello. Thank you for the feedback, I'm glad the guide helped out.

In regards to your question about the LDAP attribute, my organization simply chose E-Mail-Address as the LDAP attribute for the NameID since our users utilize their Email Address for Single Sign On. Since some users have differing UPNs and Email addresses, we figured E-Mail-Address would be the best choice. If I remember correctly, you can pass whatever attribute you want to Google, but the Outgoing claim HAS to be NameID.

In regards to the authentication prompt, I have not seen that issue specifically since we utilize Forms based Authentication and not Windows Authentication. However, I would check to make sure the Google Relying Party Trust does not have "Users are required to provide credentials each time at sign in" enabled. This setting can be found: ADFS Management > Authentication Policies > Per Relying Party Trust > Right click the Google Relying Party Trust > Select Edit Custom Primary Authentication > Uncheck the setting

Hope this helps clarify some information. Thanks!
