SSO to Google as IdP failed

Irvanda 116 Reputation points
2025-02-26T09:18:22.52+00:00

I have a client that uses SSO with Google as IdP and Microsoft as SP. So far SSO has been running well, but since yesterday all my client's users have been unable to sign in to Microsoft applications, failing with the error shown in the screenshot below:

Previously I created SSO using MsolService.

I tried to check the federated domain information with an MsolService script and got an error (screenshot). I also tried to connect with MgGraph and check the federated domain, which also failed with an error (screenshot). I don't know where to start the investigation, because the PowerShell scripts for both MsolService and MgGraph do not run properly even though the account has the Global Administrator role.

Please advise,

Microsoft Entra ID

Accepted answer
  1. Raja Pothuraju 14,990 Reputation points Microsoft Vendor
    2025-02-27T10:45:05.3166667+00:00

    Hello @Irvanda,

    I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference it! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: SSO to Google as IdP failed

    Solution: Resolved by @Irvanda.

    Regarding the first problem with the Msol and Graph scripts, this is because the ExecutionPolicy scope does not have "Domain.ReadWrite.All". Finally I tried using the scope "CurrentUser" and the script ran well.

    For the SSO problem, I changed the domain's AuthenticationType to "Managed" and then ran this script.

    https://learn.microsoft.com/en-us/education/windows/configure-aad-google-trust

    # Allow locally created scripts to run for this user only (no machine-wide change).
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
    Install-Module Microsoft.Graph -Scope CurrentUser
    Import-Module Microsoft.Graph
    
    # The verified domain to federate. It must be in the Managed state before
    # New-MgDomainFederationConfiguration is run (a Federated domain already has a configuration).
    $domainId = "<your domain name>"
    
    # GoogleIDPMetadata.xml is the IdP metadata file downloaded from the Google Admin console.
    $xml = [Xml](Get-Content GoogleIDPMetadata.xml -Raw)
    
    # Google wraps the base64 certificate across several lines; Split() on whitespace and
    # -join rebuild it as one string, which is what SigningCertificate expects.
    $cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
    $issuerUri = $xml.EntityDescriptor.entityID
    # Use the HTTP-Redirect endpoint; take the first match so the value is a single string.
    $signinUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location } | Select-Object -First 1
    $signoutUri = "https://accounts.google.com/logout"
    $displayName = "Google Workspace Identity"
    
    # Fail early if the metadata did not contain what the federation needs.
    if (-not ($cert -and $issuerUri -and $signinUri)) {
        throw "Could not read the certificate, entityID or HTTP-Redirect sign-in URL from GoogleIDPMetadata.xml"
    }
    
    # Domain.ReadWrite.All is the delegated permission that allows creating the federation configuration.
    Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
    
    $domainAuthParams = @{
      DomainId = $domainId
      IssuerUri = $issuerUri
      DisplayName = $displayName
      ActiveSignInUri = $signinUri
      PassiveSignInUri = $signinUri
      SignOutUri = $signoutUri
      SigningCertificate = $cert
      PreferredAuthenticationProtocol = "saml"
      FederatedIdpMfaBehavior = "acceptIfMfaDoneByFederatedIdp"   # accept the MFA claim issued by Google
    }
    
    New-MgDomainFederationConfiguration @domainAuthParams
    
    

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

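When a federation that used to work stops working for every user, the first thing to check is whether what Entra ID holds for the domain still matches what the IdP publishes. The script below is an added example (not from this thread or from Microsoft's documentation): it parses Google's metadata the same way the script above does, but tolerates more than one `<KeyDescriptor>` (Google publishes two while rotating its signing key), and compares the result with the domain's current federation configuration by certificate thumbprint. All data in it is constructed so it runs offline; in a real tenant, `$currentConfig` is replaced by the output of `Get-MgDomainFederationConfiguration -DomainId $domainId` (after `Connect-MgGraph -Scopes "Domain.Read.All"`), whose `IssuerUri`, `PassiveSignInUri` and `SigningCertificate` properties are the ones used here. The `idpid=EXAMPLE` value and the self-signed certificates are placeholders. It needs PowerShell 7, or Windows PowerShell on .NET Framework 4.7.2 or later (for `CertificateRequest`).

```powershell
# Added diagnostic example; all certificates, URLs and the metadata document are constructed.
$X509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]

function Get-IdpMetadataSettings {
    param([Parameter(Mandatory)][xml]$Metadata)
    $idp = $Metadata.EntityDescriptor.IDPSSODescriptor
    # Collect every KeyDescriptor: during a key rotation the IdP publishes the old and the new one.
    $certs = @(@($idp.KeyDescriptor) | ForEach-Object {
        $b64 = -join $_.KeyInfo.X509Data.X509Certificate.Split()   # drop the line breaks in the PEM body
        $x = $X509::new([Convert]::FromBase64String($b64))
        [pscustomobject]@{ Base64 = $b64; Thumbprint = $x.Thumbprint; NotAfter = $x.NotAfter; Use = $_.use }
    })
    $redirect = @($idp.SingleSignOnService) | Where-Object { $_.Binding -like '*HTTP-Redirect*' } | Select-Object -First 1
    [pscustomobject]@{
        IssuerUri    = $Metadata.EntityDescriptor.entityID
        SignInUri    = $redirect.Location
        Certificates = $certs
    }
}

function Compare-FederationConfiguration {
    # $Expected: output of Get-IdpMetadataSettings. $Current: Get-MgDomainFederationConfiguration output
    # (or a stand-in object with the same property names).
    param([Parameter(Mandatory)]$Expected, [Parameter(Mandatory)]$Current)
    $findings = [System.Collections.Generic.List[string]]::new()
    $now = Get-Date
    if ($Current.IssuerUri -ne $Expected.IssuerUri) {
        $findings.Add("IssuerUri: tenant has '$($Current.IssuerUri)', metadata has '$($Expected.IssuerUri)'")
    }
    if ($Current.PassiveSignInUri -ne $Expected.SignInUri) {
        $findings.Add("PassiveSignInUri: tenant has '$($Current.PassiveSignInUri)', metadata has '$($Expected.SignInUri)'")
    }
    if ($Expected.SignInUri -notmatch '^https://') {
        $findings.Add("Metadata sign-in URL is not HTTPS: '$($Expected.SignInUri)'")
    }
    # Compare by thumbprint so whitespace or line wrapping in the base64 never causes a false mismatch.
    $published = @($Expected.Certificates | Where-Object { $_.NotAfter -gt $now })
    if ($published.Count -eq 0) { $findings.Add("Every signing certificate in the metadata has expired") }
    if ([string]::IsNullOrWhiteSpace($Current.SigningCertificate)) {
        $findings.Add("Tenant has no SigningCertificate configured for this domain")
    } else {
        $tenantThumb = $X509::new([Convert]::FromBase64String(-join $Current.SigningCertificate.Split())).Thumbprint
        if ($tenantThumb -notin $published.Thumbprint) {
            $findings.Add("SigningCertificate: tenant trusts $tenantThumb, metadata publishes $($published.Thumbprint -join ', ')")
        }
    }
    foreach ($c in $Expected.Certificates) {
        if ($c.NotAfter -lt $now.AddDays(30)) { $findings.Add("Metadata certificate $($c.Thumbprint) expires $($c.NotAfter)") }
    }
    return ,$findings
}

function New-DemoCertificate([string]$Subject) {
    # Self-signed stand-in for the IdP's real signing certificate (constructed for this demo only).
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        $Subject, $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddYears(5))
}

$publishedCert = New-DemoCertificate 'CN=Google, O=Google LLC'   # what the IdP publishes today
$trustedCert   = New-DemoCertificate 'CN=Google, O=Google LLC'   # what the tenant was federated with earlier

# Constructed document in the shape of GoogleIDPMetadata.xml; EXAMPLE stands in for the real idpid.
$metadataXml = @"
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>
$([Convert]::ToBase64String($publishedCert.RawData, [Base64FormattingOptions]::InsertLineBreaks))
</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"@

# Stand-in for Get-MgDomainFederationConfiguration output: the tenant still trusts the older certificate.
$currentConfig = [pscustomobject]@{
    IssuerUri          = 'https://accounts.google.com/o/saml2?idpid=EXAMPLE'
    PassiveSignInUri   = 'https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE'
    SigningCertificate = [Convert]::ToBase64String($trustedCert.RawData)
}

$expected = Get-IdpMetadataSettings -Metadata ([xml]$metadataXml)
$findings = Compare-FederationConfiguration -Expected $expected -Current $currentConfig
if ($findings.Count -eq 0) { 'Tenant federation settings match the IdP metadata.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The constructed scenario is a rotated IdP signing certificate: issuer and sign-in URL still agree, but the thumbprint the tenant trusts is not among the ones the metadata publishes, which is exactly the state that makes every SAML response fail signature validation while the configuration otherwise looks intact. If the comparison reports a mismatch against a real tenant, re-creating the federation from fresh metadata with the script above is the remediation, and running the comparison again afterwards should return no findings. On the first problem in this thread: `(Get-MgContext).Scopes` shows which permissions the current Graph session was consented for; `Set-ExecutionPolicy` only controls whether local scripts are allowed to run and has no effect on Graph permissions.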

1 additional answer

  1. Irvanda 116 Reputation points
    2025-02-27T02:16:06.2766667+00:00

    Hi @Raja Pothuraju

    I have added the screenshot.

    I want to confirm that this case has been resolved.

    Regarding the first problem with the Msol and Graph scripts, this is because the ExecutionPolicy scope does not have "Domain.ReadWrite.All". Finally I tried using the scope "CurrentUser" and the script ran well.

    For the SSO problem, I changed the domain's AuthenticationType to "Managed" and then ran this script.

    https://learn.microsoft.com/en-us/education/windows/configure-aad-google-trust

    # Allow locally created scripts to run for this user only (no machine-wide change).
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
    Install-Module Microsoft.Graph -Scope CurrentUser
    Import-Module Microsoft.Graph
    
    # The verified domain to federate. It must be in the Managed state before
    # New-MgDomainFederationConfiguration is run (a Federated domain already has a configuration).
    $domainId = "<your domain name>"
    
    # GoogleIDPMetadata.xml is the IdP metadata file downloaded from the Google Admin console.
    $xml = [Xml](Get-Content GoogleIDPMetadata.xml -Raw)
    
    # Google wraps the base64 certificate across several lines; Split() on whitespace and
    # -join rebuild it as one string, which is what SigningCertificate expects.
    $cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
    $issuerUri = $xml.EntityDescriptor.entityID
    # Use the HTTP-Redirect endpoint; take the first match so the value is a single string.
    $signinUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location } | Select-Object -First 1
    $signoutUri = "https://accounts.google.com/logout"
    $displayName = "Google Workspace Identity"
    
    # Fail early if the metadata did not contain what the federation needs.
    if (-not ($cert -and $issuerUri -and $signinUri)) {
        throw "Could not read the certificate, entityID or HTTP-Redirect sign-in URL from GoogleIDPMetadata.xml"
    }
    
    # Domain.ReadWrite.All is the delegated permission that allows creating the federation configuration.
    Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
    
    $domainAuthParams = @{
      DomainId = $domainId
      IssuerUri = $issuerUri
      DisplayName = $displayName
      ActiveSignInUri = $signinUri
      PassiveSignInUri = $signinUri
      SignOutUri = $signoutUri
      SigningCertificate = $cert
      PreferredAuthenticationProtocol = "saml"
      FederatedIdpMfaBehavior = "acceptIfMfaDoneByFederatedIdp"   # accept the MFA claim issued by Google
    }
    
    New-MgDomainFederationConfiguration @domainAuthParams
    
    
