Google Suite SSO Integration with Azure AD (IdP) via Proxy
This procedure describes how to integrate Single Sign-On (SSO) with Azure Active Directory (IdP) via Proxy.
Prerequisites
Make sure you have the following items before integrating SSO with Azure AD (IdP) via proxy:
- Admin access to Google Suite portal (https://gsuite.google.com).
- Admin access to Azure AD (IdP) portal (https://azure.microsoft.com/en-in/services/active-directory).
- Access to Skyhigh CASB tenant and existing Google Drive managed service.
- A functional SSO setup between Azure AD and Google Drive/Google Suite.
Download SP Certificate
- Sign in to the G Suite admin portal to download the SP Certificate.
- Go to Security > Set up single sign-on (SSO) for SAML applications and click DOWNLOAD CERTIFICATE.
- Download the SP Certificate and save it in your local folder. The SP Certificate is used to configure the proxy in Skyhigh CASB.
Download IdP Certificate
- Sign in to the Azure AD portal to download the IdP Certificate.
- Go to Enterprise application > Google Cloud App > Single Sign-on > SAML Signing-Certificate and click Download next to Certificate (Base64).
- Download the IdP Certificate and save it in your local folder. The IdP Certificate is used to configure the proxy in Skyhigh CASB.
Configure the SSO Integration via Proxy
Perform the following steps to achieve the SSO Integration via Proxy:
Step 1: Configure Proxy in Skyhigh CASB
- Sign in to Skyhigh CASB to configure SAML setup for the existing G Drive managed service.
- To set up SAML, click the managed G Drive instance and select Setup > Configure.
- Under Upload Identity Provider Certificate, upload the IdP Certificate and click Next.
- Under Provide Service Provider Certificate, upload the SP Certificate and click Next.
- Download the Proxy Certificate and save it in your local folder. The Proxy Certificate is used to configure SP in the G Suite portal.
- Go to Settings > Service Management > Proxy and, under Properties, add the property skip.saml.redirect.sig.qs.param to the G Drive Service Card and set its value to true.
Step 2: Configure SP in G Suite Portal
- Sign in to the G Suite admin portal to configure SP.
- Choose Security > Set up single sign-on (SSO) to go to the SSO page.
- Scroll to Setup SSO with the third-party identity provider and replace the Sign-in page URL using the following format:
https://www.google.com.<Skyhigh CASB Gdrive reverse proxy domain alias>/domain-access?shnsaml-request=<URL encoded version of the Azure SAML login endpoint>
For example: https://www.google.com.gsuite.gdrive.sivaqaar.devshn.net/domain-access?shnsaml-request=https%3A%2F%2Flogin.microsoftonline.com%2Ffcbf8387-fe12-4fb9-a3ed-440e79fa75ee%2Fsaml2
- To upload the Proxy Certificate, click REPLACE CERTIFICATE.
- Replace the existing IdP Certificate with Proxy Certificate.
Step 3: Configure IdP in Azure AD Portal
- Sign in to Azure AD admin portal.
- Go to Enterprise application > Google Cloud App > Single Sign-on > SAML-based Sign-on.
- Click the pencil icon to edit Basic SAML Configuration and configure the following:
- Change the Reply URL (Assertion Consumer Service URL) using the format:
https://www.google.com.<proxy_URL>/a/<primary_domain>?shnsaml
for example: https://www.google.com.gsuite.gdrive.sivaqaar.devshn.net/a/awesomeworks.in?shnsaml
- Change the Sign on URL using the format:
https://www.google.com.<proxy_url>/a/<primary_domain>/ServiceLogin?continue=https://drive.google.com
for example: https://www.google.com.gsuite.gdrive.sivaqaar.devshn.net/a/awesomeworks.in/ServiceLogin?continue=https://drive.google.com
- Save the Basic SAML Configuration and click Test.
NOTE: Before proxy integration, you must already have a functional SSO setup between Azure AD and G Suite. The user attributes and claims shown in the Basic SAML Configuration may differ from the above depending on your SSO setup.
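The Sign-in page URL from Step 2 and the Reply URL and Sign on URL from Step 3 are easy to mistype, so the following added example (not Skyhigh CASB or Google code) builds all three from the proxy alias, primary domain and Azure AD SAML endpoint, and checks that each one points at the proxy host and that the shnsaml-request parameter decodes to the tenant's login.microsoftonline.com endpoint. The proxy alias, primary domain and tenant ID used in the comments are taken from the examples above and are placeholders for your own values.

```python
"""Build and sanity-check the SSO URLs for the Skyhigh CASB proxy setup.
Added example, not vendor code; all hostnames and IDs are placeholders."""
import re
from urllib.parse import quote, urlsplit, parse_qs

# Azure AD SAML login endpoints look like https://login.microsoftonline.com/<tenant-guid>/saml2
TENANT_SAML_PATH_RE = re.compile(r"^/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/saml2$")


def build_sso_urls(proxy_alias: str, primary_domain: str, idp_login_endpoint: str) -> dict:
    """Return the three URLs from Steps 2 and 3.
    proxy_alias:        Skyhigh CASB G Drive reverse-proxy domain alias, e.g. gsuite.gdrive.sivaqaar.devshn.net
    primary_domain:     G Suite primary domain, e.g. awesomeworks.in
    idp_login_endpoint: the tenant's Azure AD SAML login endpoint
    """
    proxy_host = f"www.google.com.{proxy_alias}"
    # safe='' also encodes ':' and '/', producing https%3A%2F%2F... as shown in Step 2
    encoded_idp = quote(idp_login_endpoint, safe="")
    return {
        "sign_in_page_url": f"https://{proxy_host}/domain-access?shnsaml-request={encoded_idp}",
        "reply_url": f"https://{proxy_host}/a/{primary_domain}?shnsaml",
        "sign_on_url": f"https://{proxy_host}/a/{primary_domain}/ServiceLogin?continue=https://drive.google.com",
    }


def check_sso_urls(urls: dict, proxy_alias: str) -> list:
    """Return a list of problems; an empty list means the URLs are consistent."""
    problems = []
    expected_host = f"www.google.com.{proxy_alias}"
    for name, url in urls.items():
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{name}: scheme must be https")
        if parts.netloc != expected_host:
            problems.append(f"{name}: host must be {expected_host}")
    # parse_qs URL-decodes the value, so we can inspect the embedded IdP endpoint directly
    query = parse_qs(urlsplit(urls["sign_in_page_url"]).query)
    idp = urlsplit(query.get("shnsaml-request", [""])[0])
    if idp.scheme != "https" or idp.netloc != "login.microsoftonline.com" \
            or not TENANT_SAML_PATH_RE.match(idp.path):
        problems.append("sign_in_page_url: shnsaml-request is not an Azure AD tenant SAML endpoint")
    if not urls["reply_url"].endswith("?shnsaml"):
        problems.append("reply_url: must end with ?shnsaml")
    return problems
```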
Step 4: Validate the SSO Integration with Proxy
The SSO Integration with Proxy is completed. To verify the result of the SSO integration, perform the following activities:
- Sign in to https://apps.office.com as a non-admin user.
- Click Google Cloud application.
- You are redirected to Google Drive (or other applications as per the configuration) automatically.
NOTE: The configuration changes in Azure AD and Google Suite may take some time to propagate, so wait 10 to 60 minutes before testing the proxy integration.