Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Google Suite SSO Integration with Azure AD (IdP) via Proxy

This procedure describes how to integrate Single Sign-On (SSO) with Azure Active Directory (IdP) via Proxy.

Prerequisites 

Make sure you have the following items before integrating SSO with Azure AD (IdP) via proxy:

Download SP Certificate

  1. Sign in to the G Suite admin portal to download the SP Certificate.
  2. Go to Security > Set up single sign-on (SSO) for SAML applications and click DOWNLOAD CERTIFICATE.
    clipboard_e3092585ef7b888ff5d01f6585cc4a31d.png
  3. Download the SP Certificate and save it in your local folder. The SP Certificate is used to configure the proxy in Skyhigh CASB.

Download IdP Certificate

  1. Sign in to the Azure AD portal to download the IdP Certificate.
  2. Go to Enterprise application > Google Cloud App > Single Sign-on > SAML Signing-Certificate and click Download next to Certificate (Base64).
    clipboard_e272699cd1ab11a3c1b85c1787ad8fa20.png
  3. Download the IdP Certificate and save it in your local folder. The IdP Certificate is used to configure the proxy in Skyhigh CASB.

Configure the SSO Integration via Proxy

Perform the following steps to achieve the SSO Integration via Proxy:

Step 1: Configure Proxy in Skyhigh CASB

  1. Sign in to Skyhigh CASB to configure SAML setup for the existing G Drive managed service.
  2. To set up SAML, click managed G Drive instance and select Setup > Configure.
  3. Under Upload Identity Provider Certificate, upload the IdP Certificate and click Next.
  4. Under Provide Service Provider Certificate, upload the SP Certificate and click Next.
  5. Download the Proxy Certificate and save it in your local folder. The Proxy Certificate is used to configure SP in the G Suite portal.
  6. Go to Settings > Service Management > Proxy and under Properties add skip.saml.redirect.sig.qs.param to the G Drive Service Card and set the value as true.

Step 2: Configure SP in G Suite Portal 

  1. Sign in to the G Suite admin portal to configure SP.
  2. Choose Security > Set up single sign-on (SSO) to go to the SSO page.
  3. Scroll to Setup SSO with the third-party identity provider and replace the Sign-in page URL using the following format:

    https://www.google.com.<Skyhigh CASB Gdrive reverse proxy domain alias>/domain-access?shnsaml-request=<URL encoded version of the Azure SAML login endpoint>

    For example: https://www.google.com.gsuite.gdrive.sivaqaar.devshn.net/domain-access?shnsaml-request=https%3A%2F%2Flogin.microsoftonline.com%2Ffcbf8387-fe12-4fb9-a3ed-440e79fa75ee%2Fsaml2
     
  4. To upload the Proxy Certificateclick REPLACE CERTIFICATE.
  5. Replace the existing IdP Certificate with Proxy Certificate.
    clipboard_e8ec2a904cae7ee8ef1edebb22ade6eca.png

Step 3: Configure IdP in Azure AD Portal

  1. Sign in to Azure AD admin portal.
  2. Go to Enterprise application > Google Cloud App > Single Sign-on > SAML-based Sign-on.
  3. Click the pencil icon to edit Basic SAML Configuration and configure the following:
    • Change the Reply URL (Assertion Consumer Service URL) using the format:

      https://www.google.com.<proxy_URL>/a/<primary_domain>?shnsaml

      for example: https://www.google.com.gsuite.gdrive.sivaqaar.devshn.net/a/awesomeworks.in?shnsaml
       
    • Change the Sign on URL using the format:

      https://www.google.com.<proxy_url>/a/<primary_domain>/ServiceLogin?continue=https://drive.google.com"

      for example: https://www.google.com.gsuite.gdrive.sivaqaar.devshn.net/a/awesomeworks.in/ServiceLogin?continue=https://drive.google.com

      clipboard_e81b733a7b1b239ee1fdcb5edc018ed08.png
    • Save the Basic SAML Configuration and click Test.
      clipboard_eeaf2569ba358f2dd03e5e9341be4d271.png

NOTE: Before proxy integration, you should choose a functional SSO setup between Azure AD and G Suite. The above screenshots may vary for the user attributes and claims depending on your SSO setup.

Step 4: Validate the SSO Integration with Proxy 

The SSO Integration with Proxy is completed. To verify the result of the SSO integration, perform the following activities:

  1. Sign in to https://apps.office.com as a non-admin user.
  2. Click Google Cloud application.
    clipboard_e144de927b82ed4ce0df1ac4705e171b1.png
  3. You are redirected to Google Drive (or other applications as per the configuration) automatically.
    clipboard_ea584072fa82b1bb47b697e36e30c4106.png

NOTE: The configuration changes in Azure AD and Google Suite may take some time. So wait for 10 to 60 minutes before testing the proxy integration. 

  • Was this article helpful?