This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ Log in to ask a question

New Microsoft OIDC (Beta) SSO profile

ckutzan
New Contributor II

‎06-23-2023 06:50 AM

Hi all!

Happy to be here in our new location!

We have been wanting for a while to configure our Google Workspace to using Azure AD as it's IdP to allow our staff/students to sign in with their M365 accounts (pretty much everything else in our district already uses Azure AD with SSO).

Put it off for quite a while and was preparing to do the ol SAML song and dance but noticed there is now a preconfigured Microsoft OIDC SSO profile option listed (tagged BETA still).  No certs/shared secrets to have to worry about renewing, and for creation just had to approve the Azure AD Enterprise Application it wanted to create and bam seems to be working for a test OU without issues.  

Also on our old forums I remember reading about an issue with SAML SSO setup where users were able to bypass the SSO IdP and login with Google via Chromebooks (bottom right). With OIDC here I don't see that issue either.

Just wondering if anyone else has used/tested this yet and any thoughts or "gotchas" I should be on the lookout for.  

Cloud Systems Analyst
Elk Island Public School District
Alberta, Canada
Topics:
Reply
4 REPLIES 4

dochxp
Contributor

‎06-25-2023 02:16 AM

I have not seen this yet but will be looking into it. We use the 'old' SSO IdP option at the moment. 

0 Kudos
Reply

Kim_Nilsson
Admin Moderator

‎06-26-2023 04:28 AM

Interesting, @ckutzan - So this version of SSO doesn't seem to suffer from that circumvent issue you referred to? Also easier to implement. Sounds like a win-win! 🙂

How much data are you getting over from M/O365? Enough to use as base for dynamic groups and/or OU placement, or will that have to be done solely on the Workspace side?

--
https://wheretofind.me/@NoSubstitute
0 Kudos
Reply

ckutzan
New Contributor II
In response to Kim_Nilsson

‎06-26-2023 06:58 AM

Only delegated permissions this pre-baked OIDC profile requested from Azure AD was:

ckutzan_0-1687787715150.png

Perfectly fine for us as our two platforms are already synced via GCDS for OU/users/groups. We just needed SSO.

No issues so far, actually think we are going to apply to our central office users over the summer and maybe roll out divisionally around fall if all goes well.

Cloud Systems Analyst
Elk Island Public School District
Alberta, Canada
Reply

dochxp
Contributor

‎06-29-2023 12:56 AM

It works like a dream!!! 😁

 

Reply
  • © 2023 Google. All rights reserved.
  • Privacy Policy
  • Terms of Service
  • Community Guidelines