To sign in to Office 365 (o365) with Google SSO, the domain has to be federated; this is a requirement of o365. The steps are as follows.
Using the commands below, make sure that ImmutableId is not blank and that it matches the UPN of every user.
# Load the MSOnline module and sign in to the tenant before running any of the commands below
Import-Module MSOnline
Connect-MsolService

# PowerShell: list all users with a blank ImmutableId
Get-MsolUser -All | Where-Object { $_.ImmutableId -notmatch "\S" } | Select-Object UserPrincipalName, ImmutableId, WhenCreated, LastDirSyncTime

# PowerShell: set each user's blank ImmutableId to their UPN value
Get-MsolUser -All | Where-Object { $_.ImmutableId -notmatch "\S" } | ForEach-Object { Set-MsolUser -ObjectId $_.ObjectId -ImmutableId $_.UserPrincipalName }

# Declare the variables used later to federate the domain (replace the placeholder values with your own)
$domainName = "example.com"
$Authentication = "Federated"
$FederationBrandName = "Google Cloud Identity"
$IssuerUri = "https://accounts.google.com/o/saml2?idpid=your SAML APP ID here"
$PassiveLogOnUri = "https://accounts.google.com/o/saml2/idp?idpid=your SAML APP ID here"
$ActiveLogOnUri = "https://accounts.google.com/o/saml2/idp?idpid=your SAML APP ID here"
$LogOffUri = "https://accounts.google.com/logout"
$SigningCertificate = "Certificate with no spaces obtained from Google SAML APP"

# Run the following command ONLY if this is the first time federation is being set up on this domain
Set-MsolDomainAuthentication -DomainName $domainName -Authentication $Authentication -FederationBrandName $FederationBrandName -IssuerUri $IssuerUri -ActiveLogOnUri $ActiveLogOnUri -PassiveLogOnUri $PassiveLogOnUri -LogOffUri $LogOffUri -SigningCertificate $SigningCertificate -PreferredAuthenticationProtocol SAMLP

# Read back the federation settings to confirm that the command above federated the domain
Get-MsolDomainFederationSettings -DomainName headstart.edu.in | Format-List *
Recently, the Google-provided certificate for the SAML app expired, and SSO into office.com stopped working because of the malformed certificate. The solution was to regenerate the certificate by adding a new one; the old one gets deleted automatically. The next trick is to reset the certificate in the federation settings, for which I had to run the cmdlet shown below. The $SigningCertificate variable had to be re-initialised by pasting the new certificate into the terminal before running the cmdlet.
# Replace the signing certificate on an already federated domain (re-run the $SigningCertificate assignment above with the new certificate first)
Set-MsolDomainFederationSettings -DomainName $domainName -SigningCertificate $SigningCertificate -PreferredAuthenticationProtocol "SAMLP"
The last wrinkle was that MS365 had security defaults enabled, so every user was being forced into 2FA, which defeats the purpose of SSO. I therefore had to disable the Azure AD security defaults using the documented procedure. Note that disabling security defaults also removes Azure AD's own MFA enforcement, so MFA then has to be enforced on the Google side. Give all of this some time to ripple through, and the next SSO should work like a charm!
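The expired-certificate outage and the ImmutableId requirement above are both easy to catch ahead of time. The following audit script is an added example, not code from the original post; it assumes the MSOnline module is loaded and Connect-MsolService has already been run, and the $DomainName and $WarnDays parameters are placeholders chosen here.

```powershell
# Added example (not from the original post): audit a federated domain's settings,
# the Google SAML signing certificate's expiry, and the ImmutableId/UPN mapping.
# Assumes an existing Connect-MsolService session; $DomainName/$WarnDays are placeholders.
param(
    [string]$DomainName = "example.com",
    [int]$WarnDays = 30
)

# Fetch what Azure AD currently holds for the domain
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
if (-not $fed) { throw "No federation settings returned for $DomainName" }

# The IdP certificate is stored as Base64 DER; parse it to read its validity window
$certBytes = [Convert]::FromBase64String($fed.SigningCertificate)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$certBytes)
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

[pscustomobject]@{
    Domain          = $DomainName
    IssuerUri       = $fed.IssuerUri
    PassiveLogOnUri = $fed.PassiveLogOnUri
    Protocol        = $fed.PreferredAuthenticationProtocol
    CertSubject     = $cert.Subject
    Thumbprint      = $cert.Thumbprint
    NotAfter        = $cert.NotAfter
    DaysRemaining   = $daysLeft
}

# Rotating the certificate in the Google SAML app and re-running
# Set-MsolDomainFederationSettings before this date avoids the outage described above
if ($daysLeft -le $WarnDays) {
    Write-Warning "Signing certificate for $DomainName expires in $daysLeft days (NotAfter $($cert.NotAfter))"
}

# Every sign-on endpoint should point at Google; anything else is a typo or a changed federation record
foreach ($uri in @($fed.IssuerUri, $fed.PassiveLogOnUri, $fed.ActiveLogOnUri)) {
    if ($uri -notlike "https://accounts.google.com/*") {
        Write-Warning "Unexpected federation endpoint for $($DomainName): $uri"
    }
}

# Azure AD matches the SAML NameID against ImmutableId; this setup relies on it equalling the UPN,
# so a user whose ImmutableId differs from their UPN will fail SSO
$mismatched = @(Get-MsolUser -All | Where-Object { $_.ImmutableId -ne $_.UserPrincipalName })
if ($mismatched.Count -gt 0) {
    Write-Warning "$($mismatched.Count) user(s) have an ImmutableId that does not match their UPN:"
    $mismatched | Select-Object UserPrincipalName, ImmutableId
}
```

Run it on a schedule so the expiry warning arrives before Google's certificate lapses rather than after sign-in breaks.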