In order to SSO into o365 using Google we need to federate the domains. This is a requirement of o365. This is done as follows:
Ensure using below commands that Immutableid is not blank and matches UPN of every user.
# Powershell get all users with blank ImmutableID
Get-MsolUser -all | Where-Object { $_.ImmutableId -notmatch "\S" } | Select-Object UserprincipalName,ImmutableID,WhenCreated,LastDirSyncTime
#Powershell command to change users’s Immutableid which is blank, to their UPN value
Get-MsolUser -all | Where-Object { $_.ImmutableId -notmatch "\S" } | ForEach { Set-MsolUser -ObjectId $_.ObjectId -ImmutableId $_.UserPrincipalName }
# Declare variables we will use later for federating domains
$domainName = “example.com”
$Authentication = “Federated”
$FederationBrandName = “Google Cloud Identity”
$IssuerUri = "https://accounts.google.com/o/saml2?idpid=your SAML APP ID here"
$PassiveLogOnUri = “https://accounts.google.com/o/saml2/idp?idpid=your SAML APP ID here”
$ActiveLogOnUri = "https://accounts.google.com/o/saml2/idp?idpid=your SAML APP ID here"
$LogOffUri = "https://accounts.google.com/logout"
$SigningCertificate = "Certificate with no spaces obtained from Google SAML APP"
#Run the following PowerShell command IF this is the first time you are setting up federation on this domain:
Set-MsolDomainAuthentication -DomainName $domainName -Authentication $Authentication -FederationBrandName $FederationBrandName -IssuerUri $IssuerUri -ActiveLogOnUri $ActiveLogOnUri -PassiveLogOnUri $PassiveLogOnUri -LogOffUri $LogOffUri -SigningCertificate $SigningCertificate -PreferredAuthenticationProtocol SAMLP
# Get the federation settings to see if federating domains worked with above command
Get-MSolDomainFederationSettings -DomainName headstart.edu.in | Format-List *