Federating o365 with Google

In order to SSO into o365 using Google as the identity provider, the domain has to be federated; o365 requires this for SSO. This is done as follows:


Using the commands below, ensure that the ImmutableId is not blank and matches the UPN of every user (the SAML NameID that Google sends is matched against the ImmutableId, so a blank or wrong value means the user cannot sign in).

# PowerShell: get all users with a blank ImmutableId

Get-MsolUser -All | Where-Object { $_.ImmutableId -notmatch "\S" } | Select-Object UserPrincipalName,ImmutableId,WhenCreated,LastDirSyncTime

# PowerShell: set every user's blank ImmutableId to their UPN value

Get-MsolUser -All | Where-Object { $_.ImmutableId -notmatch "\S" } | ForEach-Object { Set-MsolUser -ObjectId $_.ObjectId -ImmutableId $_.UserPrincipalName }


# Declare variables we will use later for federating the domain (straight quotes only; smart quotes break PowerShell strings)

$domainName = "example.com"

$Authentication = "Federated"

$FederationBrandName = "Google Cloud Identity"

$IssuerUri = "https://accounts.google.com/o/saml2?idpid=your SAML APP ID here"

$PassiveLogOnUri = "https://accounts.google.com/o/saml2/idp?idpid=your SAML APP ID here"

$ActiveLogOnUri = "https://accounts.google.com/o/saml2/idp?idpid=your SAML APP ID here"

$LogOffUri = "https://accounts.google.com/logout"

$SigningCertificate = "Certificate with no spaces obtained from Google SAML APP"

# Run the following PowerShell command IF this is the first time you are setting up federation on this domain:

Set-MsolDomainAuthentication -DomainName $domainName -Authentication $Authentication -FederationBrandName $FederationBrandName -IssuerUri $IssuerUri -ActiveLogOnUri $ActiveLogOnUri -PassiveLogOnUri $PassiveLogOnUri -LogOffUri $LogOffUri -SigningCertificate $SigningCertificate -PreferredAuthenticationProtocol SAMLP

# Get the federation settings to check that federating the domain worked with the above command
Get-MsolDomainFederationSettings -DomainName $domainName | Format-List *
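The same procedure as one script, added here as an example and not part of the original post: it audits every user for ImmutableId/UPN mismatches (not only blank ones) before federating, strips the PEM armour and whitespace from the certificate, federates, then diffs what the tenant stored against what was intended. The idpid value and the certificate file path are placeholders to fill in, and an MSOnline session is assumed.

```powershell
# Added example (not from the original post). Assumes the MSOnline module is installed and
# you sign in as a Global Administrator; $idpId and the certificate path are placeholders.
Connect-MsolService

$domainName = "example.com"
$idpId      = "YOUR_SAML_APP_ID"                         # placeholder: idpid from the Google SAML app
$certRaw    = Get-Content -Raw ".\google-idp-cert.pem"   # placeholder path to the Google IdP certificate

# Set-MsolDomainAuthentication wants only the base64 body: drop PEM armour and all whitespace.
$signingCertificate = ($certRaw -replace "-----(BEGIN|END) CERTIFICATE-----", "") -replace "\s", ""

$expected = @{
    IssuerUri          = "https://accounts.google.com/o/saml2?idpid=$idpId"
    PassiveLogOnUri    = "https://accounts.google.com/o/saml2/idp?idpid=$idpId"
    ActiveLogOnUri     = "https://accounts.google.com/o/saml2/idp?idpid=$idpId"
    LogOffUri          = "https://accounts.google.com/logout"
    SigningCertificate = $signingCertificate
}

# 1. Every user in the domain must carry ImmutableId == UPN, not just the blank ones: the SAML
#    NameID is matched against ImmutableId, so a stale value means the user cannot sign in or the
#    assertion is mapped to a different account than intended.
$mismatched = Get-MsolUser -All -DomainName $domainName |
    Where-Object { $_.ImmutableId -ne $_.UserPrincipalName }
if ($mismatched) {
    $mismatched | Select-Object UserPrincipalName, ImmutableId | Format-Table -AutoSize
    throw "Fix ImmutableId on the users above before federating $domainName"
}

# 2. Federate (first time only; an already federated domain is updated with
#    Set-MsolDomainFederationSettings instead).
Set-MsolDomainAuthentication -DomainName $domainName -Authentication Federated `
    -FederationBrandName "Google Cloud Identity" -PreferredAuthenticationProtocol SAMLP `
    -IssuerUri $expected.IssuerUri -PassiveLogOnUri $expected.PassiveLogOnUri `
    -ActiveLogOnUri $expected.ActiveLogOnUri -LogOffUri $expected.LogOffUri `
    -SigningCertificate $expected.SigningCertificate

# 3. Read back what the tenant stored and diff it, field by field, against what we intended,
#    so a mistyped issuer or a wrong certificate is caught before anyone relies on the login.
$actual = Get-MsolDomainFederationSettings -DomainName $domainName
$drift  = $expected.Keys | Where-Object { $actual.$_ -ne $expected[$_] }
if ($drift) {
    $drift | ForEach-Object { "{0}: expected <{1}> got <{2}>" -f $_, $expected[$_], $actual.$_ }
    throw "Federation settings for $domainName do not match the intended configuration"
}
"Federation for $domainName verified: issuer, endpoints and signing certificate match."
```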
