SAML Access to Microsoft Office 365.

Learn how to set up SSO (single sign-on) for Microsoft Office with Google Workspace as your Identity Provider


The Single Sign-On (SSO) Advantage.

Google Workspace (G Suite) can help streamline your user authentication when set up as your Identity Provider (IdP) for common applications, such as Microsoft Office 365. When working in an interoperable environment, with both Google Workspace and Office 365, it’s a good idea to use Google Workspace as the single source of truth for authentication.

Users can enjoy a seamless experience by using a single username and password to access their day-to-day Google Workspace applications (Gmail, Drive, Meet, Calendar, etc.) as well as their coexisting Office 365 applications. Through this method, users can also access their Office account from the Application launcher, as shown in this image.

Administrators can find SAML applications by clicking on Apps > SAML Apps in the Google Workspace Admin Console. As soon as the SAML application has been set up, it can be turned on for everyone or for select sub-organizations. The gif below shows how Google Workspace Admins can configure this.

Office 365 System requirements

In order to enable SAML access to Office 365 using Google Workspace, certain requirements must be met on the Office 365 side. If you have questions about these requirements, please feel free to contact us and our engineers will be happy to assist you.
You do not own the default Microsoft domain (yourdomain.onmicrosoft.com), so federation cannot be set up on it.

Google Workspace Supported Editions.

Below you’ll see a summary of which Google Workspace editions support SAML access with Office 365.

Workspace Edition Office 365 SAML App Auto-Provisioning
Business Starter ✔ (Only 3 SAML apps)*
Business Standard ✔ (Only 3 SAML apps)*
Business Plus ✔ (Only 3 SAML apps)*
Enterprise Essentials
Business Standard
Business Plus

*Auto-provisioning can be performed for up to 3 SAML apps for Workspace Business editions.

Office 365 PowerShell Variables.

To set up federation, the following PowerShell variables are required in order to securely send the SAML request to Google and parse the SAML response.

| Property or Variable Name | Why is it needed? | Property or Variable Value |
| --- | --- | --- |
| Domain Name | This is the Office 365 domain name to be federated with Workspace. | Domain Name |
| Authentication | Office 365 must be informed of the desired authentication method. | Federated |
| Federation Brand Name | Descriptive value for future reference (e.g. “Google”). | Google Cloud Identity |
| Issuer URI | Microsoft needs to know who issued the SAML response, so here is where we’ll place the Google Entity ID. | Entity ID (available in the IdP metadata file that we downloaded from Google) |
| Active and passive logon URL | This is the Identity Provider/IdP (in our case, Google) URL, which Office 365 would refer to as SSO URL. | Google SSO URL (available in the IdP metadata file that we downloaded from Google) |
| LogOffUri | This identifies where Office 365 should redirect our users when they log out. You can put any URL here. | https://accounts... |
| Signing Certificate | This is the public key provided to us by Google. Office 365 will use this to identify itself in the SAML request and to parse the SAML response. | X509Certificate Value (available in the IdP metadata file that we downloaded from Google) |
| Preferred Authentication Protocol | To specify the preferred authentication protocol. | SAMLP |

The above can then be added into PowerShell using your Office 365 Administrator account. You can find additional information in this Admin support article from Google.
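
How the values in the table above map from the Google IdP metadata file into PowerShell, as an added example that is not from the original page or from Google or Microsoft. It assumes the MSOnline module's Set-MsolDomainAuthentication cmdlet (the page names no cmdlet) and uses constructed placeholder metadata, domain and logoff URL.

```powershell
# Constructed sample metadata; load the file downloaded from Google instead.
[xml]$metadata = @'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml?idpid=PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/idp?idpid=PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
'@
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$entityId = $metadata.DocumentElement.GetAttribute('entityID')
$ssoNode  = $metadata.SelectSingleNode('//md:IDPSSODescriptor/md:SingleSignOnService', $ns)
$certNode = $metadata.SelectSingleNode("//md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
if (-not $entityId -or -not $ssoNode -or -not $certNode) {
    throw 'Metadata lacks an entityID, SSO URL or signing certificate.'
}
$ssoUrl = $ssoNode.GetAttribute('Location')
if (([uri]$ssoUrl).Scheme -ne 'https') { throw "SSO URL is not HTTPS: $ssoUrl" }
$certB64 = $certNode.InnerText -replace '\s', ''
# Parse the certificate so a truncated paste or an expired cert is caught before cut-over.
try {
    $raw  = [Convert]::FromBase64String($certB64)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    if ($cert.NotAfter -lt (Get-Date)) { throw "expired on $($cert.NotAfter)" }
    Write-Host "Signing cert $($cert.Thumbprint) valid until $($cert.NotAfter)"
} catch { Write-Warning "Signing certificate unusable (expected for the placeholder): $_" }
$federation = @{
    DomainName                      = 'example.com'                     # placeholder domain
    Authentication                  = 'Federated'
    FederationBrandName             = 'Google Cloud Identity'
    IssuerUri                       = $entityId
    PassiveLogOnUri                 = $ssoUrl
    ActiveLogOnUri                  = $ssoUrl
    LogOffUri                       = 'https://example.com/signed-out'  # placeholder URL
    SigningCertificate              = $certB64
    PreferredAuthenticationProtocol = 'SAMLP'
}
$federation.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
# Assumed cmdlet (MSOnline module, not named on the page), run after Connect-MsolService:
# Set-MsolDomainAuthentication @federation
```

Recording the printed thumbprint gives you a value to compare against when the IdP certificate is later rotated.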

Certified Partner.

As a Google Cloud Premier Partner, we are certified by Google to assist you with any and all Google Cloud needs. For assistance with SSO (single sign-on) configuration, Google Workspace (G Suite)/Office 365 interoperability, or anything else, leave your contact information below and we’ll be happy to help.