This is an overview of how to configure Google SSO in an ADFS 3.0 environment. This guide assumes the ADFS 3.0 server environment is already operational for other apps, such as Office 365.

Please note the test ADFS environment was set up with mytester.org as the primary domain, and tester.org as a sub-domain. If you only have a single domain, then simply add the primary domain information when needed.

Summary:

  • ADFS 3.0 Configuration
    • Exporting Token-signing certificate
    • Create Relying Party Trust
    • Additional Required Configuration for Relying Trust
    • Configure Claim Rules
  • Google Domain Configuration
    • Enabling Single Sign-On for Domain
  • Testing

ADFS 3.0 Configuration

Exporting Token-signing certificate

  • Open the ADFS Management Console
  • Navigate to the following: ADFS > Services > Certificates

  • Under Token-signing, right-click the sole certificate that is installed
    • Select View Certificate…

  • Select the Details tab
    • Select Copy to File…

  • Click Next
  • Select Base-64 encoded X.509 (.CER) and click Next

  • Browse to your preferred location to save the certificate, and give it a name of your choosing
  • Click Next
  • Click Finish
  • Click OK when “The export was successful” box appears
  • Your exported certificate should be a Base-64 encoded text file that begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----

Create Relying Party Trust

  • Open the ADFS Management Console
  • Navigate to the following: ADFS > Trust Relationships > Relying Party Trusts

  • On the right-hand side, select Add Relying Party Trust…

  • When the wizard appears, click Start
  • Select Enter data about the relying party manually, and click Next

  • For Display name, type: Google Apps SSO
    • For Notes, type: This is the relying party trust for Google Apps single sign-on.
    • Click Next

  • Ensure AD FS profile is selected, then click Next

  • Do not upload a Token encryption certificate (yes, this is important), and click Next
  • Tick Enable support for the SAML 2.0 WebSSO protocol

  • In the Relying party trust identifier textbox, enter the following identifiers:
    • google.com/a/<primaryDomain>
      • Click Add
    • google.com/a/<subDomain>
      • Click Add
    • Click Next

  • Ensure I do not want to configure multi-factor authentication […] is chosen, and click Next

  • Ensure Permit all users to access this relying party is selected, and click Next

  • Click Next, untick the Open the Edit Claim Rules […] option, and click Close

Additional Required Configuration for Relying Trust

  • Open the ADFS Management console
  • Navigate to the following: ADFS > Trust Relationships > Relying Party Trusts
  • Right-click the Google Apps SSO trust, select Properties
  • Select the Signature tab
    • Click Add…
    • Browse to the exported Token-signing certificate from before, and click Open
    • Click Apply
  • Select the Endpoints tab
    • Click Add SAML…
    • Endpoint type = SAML Logout
    • Binding = POST
    • Trusted URL = https://<adfsServer>/adfs/ls/?wa=wsignout1.0
    • Click OK, and then click Apply
  • Select the Advanced tab
    • Ensure Secure Hash Algorithm is set to: SHA-256
    • Click Apply, and then click OK

Configure Claim Rules

  • Open the ADFS Management Console
  • Navigate to the following: ADFS > Trust Relationships > Relying Party Trusts
  • Right-click the Google Apps SSO trust, select Edit Claim Rules…

  • Under the Issuance Transform Rules, select Add Rule…
  • Ensure Send LDAP Attributes as Claims is selected, and click Next

  • Enter the following settings:
    • Claim Rule Name = LDAP – E-mail as Name ID
    • Attribute Store = Active Directory
    • LDAP Attribute = E-mail Addresses
    • Outgoing Claim Type = Name ID

  • Click Finish
  • Click Apply

From here, either restart the AD FS services or reboot the server in order for the configuration to apply.
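The four ADFS sections above (exporting the token-signing certificate, creating the relying party trust, adding the signature certificate, endpoint and SHA-256 setting, and the claim rule) can also be scripted with the ADFS PowerShell module on the federation server. The script below is an added example and is not code from the original post. It assumes the post's test domains (mytester.org and tester.org), uses adfs.example.org as a placeholder for <adfsServer> and C:\Temp\adfs-token-signing.cer as an assumed output path, and supplies Google's assertion consumer service URL (https://www.google.com/a/<domain>/acs), which the post's wizard screenshot does not show but which is the standard Google Apps SAML endpoint.

```powershell
# Added example (not from the original post): scripted equivalent of the ADFS 3.0
# steps above. Run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

$primaryDomain = 'mytester.org'          # the post's primary test domain
$subDomain     = 'tester.org'            # the post's sub-domain
$adfsServer    = 'adfs.example.org'      # placeholder for <adfsServer>
$certPath      = 'C:\Temp\adfs-token-signing.cer'   # assumed output path

# 1. Export the primary token-signing certificate as Base-64 encoded X.509 (.CER),
#    the same format the GUI wizard produces.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary } | Select-Object -First 1
$der = $tokenSigning.Certificate.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $certPath -Value $pem -Encoding Ascii

# 2. SAML endpoints: Google's assertion consumer URL (assumption, see lead-in)
#    and the ADFS SAML Logout endpoint from the post, both with the POST binding.
$endpoints = @(
    (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri "https://www.google.com/a/$primaryDomain/acs"),
    (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout `
        -Uri "https://$adfsServer/adfs/ls/?wa=wsignout1.0")
)

# 3. Claim rules in the ADFS claim rule language. The first is what the
#    "Send LDAP Attributes as Claims" template generates for the post's rule
#    (E-mail Addresses -> Name ID); the second is "Permit all users".
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP - E-mail as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# 4. Create the relying party trust. No encryption certificate is supplied (the
#    post stresses this), the exported token-signing certificate is attached on
#    the Signature tab as in the post, and signatures use RSA-SHA256.
Add-AdfsRelyingPartyTrust -Name 'Google Apps SSO' `
    -Notes 'This is the relying party trust for Google Apps single sign-on.' `
    -Identifier @("google.com/a/$primaryDomain", "google.com/a/$subDomain") `
    -ProtocolProfile SAML `
    -SamlEndpoint $endpoints `
    -RequestSigningCertificate $tokenSigning.Certificate `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# 5. Review the result (EncryptionCertificate should be empty) and restart the
#    federation service so the configuration applies.
Get-AdfsRelyingPartyTrust -Name 'Google Apps SSO' |
    Select-Object Name, Identifier, SignatureAlgorithm, EncryptionCertificate, SamlEndpoints
Restart-Service adfssrv
```

The identifiers, endpoint, hash algorithm and claim rule are the same values the GUI steps set; the script simply makes them reviewable in one place, which is useful when the trust has to be rebuilt or audited later.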

Google Domain Configuration

The final step is to configure the Google domain to use the ADFS environment for single sign-on.

NOTE: If you do NOT want to put Single Sign-On into production yet, do not complete this step until your organization is ready to move on.

Enabling Single Sign-On for Domain

  • Log in to admin.google.com with a Super Admin account
  • Click Security

  • Select Set up single sign-on (SSO)

  • Tick Setup SSO with third party identity provider

  • Enter the following URLs
    • Sign-in page URL = https://<adfsServer>/adfs/ls/
    • Sign-out page URL = https://<adfsServer>/adfs/ls/?wa=wsignout1.0
    • Change password URL = https://<adfsServer>/adfs/ls/
  • Tick Use a domain specific issuer

  • For Verification Certificate, click Replace Certificate
    • Upload a copy of the SAME token-signing certificate used in the Relying Party Trust creation for Google
  • Click Save

From here, users are now able to use single sign-on for their accounts whether they are in the primary or sub-domain.

NOTE: Super admin accounts will ALWAYS bypass SSO. For testing, use a test account and ensure you are re-directed to your ADFS landing page.
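Google verifies the signature on each SAML response against the Verification Certificate uploaded above, so the most common reason a previously working test account stops being signed in is that the ADFS token-signing certificate has changed (for instance through ADFS automatic certificate rollover) while Google still holds the old one. The check below is an added example, not part of the original post: it compares the exported .cer file against the certificate ADFS is currently signing with and reports the rollover settings. C:\Temp\adfs-token-signing.cer is an assumed path for the exported file.

```powershell
# Added example (not from the original post): confirm the certificate uploaded
# to Google still matches ADFS's primary token-signing certificate.
Import-Module ADFS

function Test-GoogleSsoCertificate {
    param([string]$CertPath = 'C:\Temp\adfs-token-signing.cer')   # assumed path

    # The file that was uploaded as the Verification Certificate.
    $uploaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $CertPath

    # The certificate ADFS is signing tokens with right now.
    $current = Get-AdfsCertificate -CertificateType Token-Signing |
        Where-Object { $_.IsPrimary } | Select-Object -First 1

    # Rollover settings: with AutoCertificateRollover enabled, ADFS generates and
    # promotes a new token-signing certificate on its own, and Google must be
    # given the new one before the old certificate is retired.
    $props = Get-AdfsProperties

    [pscustomobject]@{
        UploadedThumbprint            = $uploaded.Thumbprint
        CurrentThumbprint             = $current.Thumbprint
        Match                         = ($uploaded.Thumbprint -eq $current.Thumbprint)
        CurrentExpires                = $current.Certificate.NotAfter
        AutoCertificateRollover       = $props.AutoCertificateRollover
        CertificatePromotionThreshold = $props.CertificatePromotionThreshold
    }
}

$result = Test-GoogleSsoCertificate
$result | Format-List
if (-not $result.Match) {
    Write-Warning 'Token-signing certificate has changed: re-upload it as the Verification Certificate in admin.google.com and on the Signature tab of the Google Apps SSO trust.'
}
```

Running this after the test-account sign-in fails tells you immediately whether the failure is a certificate mismatch or something else, and running it periodically (or when CertificatePromotionThreshold is approaching) gives warning before rollover silently breaks sign-in for every non-super-admin user.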