The Google for Education Community Platform

Tank · ‎08-11-2023

Does anyone have any guides or instructions on how to set this up properly? We have Clever SAML set up for our K-2 students that use the badge reader option to sign into Google. All the instructions I can find for setting up Google to use MS as a login are not additional profiles, but the master profile, and perhaps that's my hang-up?

We have MFA turned on for select users right now as we want to move to MS and get MFA working there as the primary MFA source.

When I set up an IdP profile in Google, and tie it to the Enterprise App in Azure - my test user gets the error AADSTS700016 - that my identifier was not found in my company. The value it gives me on that screen doesn't match any settings in Google or Microsoft that I've set up - so I'm not sure where that value exists or how to correct it, or what value to correct it with.

So I'm looking for anyone who already has this set up and working to pick your brain and possibly share details for others who might be interested in getting this going for their district as well.

The guide I was following from MS was this one: https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial

That guide does not mention the error value I'm getting when I try to sign in with my test account.

Secondary to this topic - will this work for Macs and Chromebooks, or only domain-joined PCs? I seem to get an error on a Mac that it's not a domain joined PC when I access the test login screen.

slvandewalle_gb · ‎08-11-2023

We have our staff using the MS IdP and we have another one setup to use login cards (ours are thorough ClassLink). I am by no means an expert but have worked though moving a few of our apps to using SSO with Microsoft Azure.

We have MS set as the SSO profile for the organization and then have a second one setup for ClassLink. We apply the MS profile to a group and then the ClassLink one to another group.

When a users that has a profile configured logs into a chromebook it will push them to the login workflow that is configured for them. Those users will see this whenever they login to their Google account.

I think that error you are seeing is saying that it isn't matching the user from Google to Azure / MS.

See what attributes and claims are set on the enterprise app single sign-on screen in Azure. In particular check to see what field holds the email address for your users in azure. We have this (user.userprincipalname) set as the unique user identifier. I believe this is what needs to match the email on the google side.
Confirm the URLS are set correctly on the profile in Google

Hope this helps!

Tank · ‎08-13-2023

Yes the defaults came with user.userprincipalname as the unique identifier. I haven't had to change that - mail is set to user.mail which I presume should be accurate too. I'm sure the UID is the big one for users to match between systems and I suspect that should be correct.

My URLs in the google SSO IDP area is set to the MS defaults per the learn article and it hasn't said to use the Entity ID page at all on Google. I've made that change - but since I am on a Mac, I still get the "Sign-in failed" page with error "AADSTS9001011" since my Mac is not domain joined - is that some setting I have incorrect that's requiring domain joined devices - as our macs and chromebooks are not domain joined at all.

ARGH - conditional access was set up for domain only machines. I temp disabled that for testing - but it still presents the error - assuming this is a Microsoft 48 hour wait ordeal. Will respond back if it's still an issue after 2 days. #ThanksMicrosoft

The Google for Education Community Platform

Need advice - how to set up Google sign-on to use Microsoft IdP and MFA from MS?