This is an overview of how to configure Google SSO in an ADFS 3.0 environment. This guide assumes the ADFS 3.0 server environment is already operational for other apps, such as Office 365.

Please note the test ADFS environment was set up with mytester.org as the primary domain, and tester.org as a sub-domain. If you only have a single domain, then simply add the primary domain information when needed.

Summary:

ADFS 3.0 Configuration
  Exporting Token-signing certificate
  Create Relying Party Trust
  Additional Required Configuration for Relying Trust
  Configure Claim Rules

Google Domain Configuration
  Enabling Single Sign-On for Domain

Testing

ADFS 3.0 Configuration

Exporting Token-signing certificate

Open the ADFS Management Console

Navigate to the following: ADFS > Services > Certificates

Under Token-signing, right-click the sole certificate that is installed

Select View Certificate…

Select the Details tab

Select Copy to File…

Click Next

Select Base-64 encoded X.509 (.CER) and click Next

Browse to your preferred location to save the certificate, and give it a name of your choosing

Click Next

Click Finish

Click OK when the “The export was successful” box appears

Your exported certificate should resemble the one in the screenshot (image not included here): a Base-64 encoded .CER file.

Create Relying Party Trust

Open the ADFS Management Console

Navigate to the following: ADFS > Trust Relationships > Relying Party Trusts

On the right-hand side, select Add Relying Party Trust…

When the wizard appears, click Start

Select Enter data about the relying party manually, and click Next

For Display name, type: Google Apps SSO

For Notes, type: This is the relying party trust for Google Apps single sign-on.

Click Next

Ensure AD FS profile is selected, then click Next

Do not upload a Token encryption certificate (yes, this is important), and click Next

Tick Enable support for the SAML 2.0 WebSSO protocol

Enter: https://www.google.com/a/<primaryDomain>/acs

Click Next

In the Relying party trust identifier textbox, enter the following identifiers:
  google.com/a/<primaryDomain> and click Add
  google.com/a/<subDomain> and click Add

Click Next



Ensure I do not want to configure multi-factor authentication […] is chosen, and click Next

Ensure Permit all users to access this relying party is selected, and click Next

Click Next, and untick Open the Edit Claim Rules […] option and click Close

Additional Required Configuration for Relying Trust

Open the ADFS Management console

Navigate to the following: ADFS > Trust Relationships > Relying Party Trusts

Right-click the Google Apps SSO trust, select Properties

Select the Signature tab

Click Add…

Browse to the exported Token-signing certificate from before, and click Open

Click Apply

Select the Endpoints tab

Click Add SAML…
  Endpoint type = SAML Logout
  Binding = POST
  Trusted URL = https://<adfsServer>/adfs/ls/?wa=wsignout1.0

Click OK, and then click Apply

Select the Advanced tab

Ensure Secure Hash Algorithm is set to: SHA-256

Click Apply, and then click OK

Configure Claim Rules

Open the ADFS Management Console

Navigate to the following: ADFS > Trust Relationships > Relying Party Trusts

Right-click the Google Apps SSO trust, select Edit Claim Rules…

Under the Issuance Transform Rules, select Add Rule…

Ensure Send LDAP Attributes as Claims is selected, and click Next

Enter the following settings:
  Claim Rule Name = LDAP – E-mail as Name ID
  Attribute Store = Active Directory
  LDAP Attribute = E-mail Addresses
  Outgoing Claim Type = Name ID

Click Finish

Click Apply

From here, either restart the AD FS services or reboot the server in order for the configuration to apply.

Google Domain Configuration

The final step is to configure the Google domain for accepting the single sign-on environment.

NOTE: If you do NOT want to place Single Sign On into production yet, avoid completing this step until your organization is ready to move on.

Enabling Single Sign-On for Domain

Log in to admin.google.com with a Super Admin account

Click Security

Select Set up single sign-on (SSO)

Tick Setup SSO with third party identity provider

Enter the following URLs:
  Sign-in page URL = https://<adfsServer>/adfs/ls/
  Sign-out page URL = https://<adfsServer>/adfs/ls/?wa=wsignout1.0
  Change password URL = https://<adfsServer>/adfs/ls/

Tick Use a domain specific issuer

For Verification Certificate, click Replace Certificate

Upload a copy of the SAME token-signing certificate used in the Relying Party Trust creation for Google

Click Save

From here, users are now able to use single sign-on for their accounts whether they are in the primary or sub-domain.

NOTE: Super admin accounts will ALWAYS bypass SSO. For testing, use a test account and ensure you are redirected to your ADFS landing page.