Reputation: 83
I've been using Azure Active Directory to drive SSO to Google Apps.
Following this tutorial, I've completed all the setup: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-saas-google-apps-tutorial
However, when I try to login with a user I receive the following error:
AADSTS65005: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: {GUID}. Resource value from request: . Resource app ID: {GUID}. List of valid resources from app registration: .
[Screenshot: App Registration Required Permissions]
[Screenshot: Resultant error on login to Google Apps]
Provisioning works and the SAML auth has been tested and is successful - any help is much appreciated!
Upvotes: 1
Views: 1589
Reputation: 83
Resolved via a really helpful call with Microsoft support - the identifier field in the SSO config has to be in the following format:
http://google.com/a/<yourdomain.com>
It failed under the following patterns:
google.com
http://google.com
google.com/<yourdomain.com>
This tutorial helps but is ambiguous: it provides 4 examples, and you need to try all of them for your specific app.
Upvotes: 0
Reputation: 9411
I assume that this issue is caused by an invalid identifier in the Google Apps SSO settings. It shouldn't be http://google.com/a/<yourdomain.com>. This is just an example in the documentation. It should be a unique identifier that is shared with your G Suite.
This is noted in that document:
Note
These values are not real. Update these values with the actual Sign-On URL and Identifier. Contact Google Apps Client support team to get these values.
So, one method is to contact the Google Apps client support team to get the Identifier value.
The other method is to use Fiddler to pick up the SAML response, which includes an Audience value. It may be the Identifier value. I'm not 100% sure.
Please let me know if it helps!
Upvotes: 1
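As an added example (not part of the question or of either answer), here is a small Python diagnostic that performs the check the second answer describes and compares the result with the identifier format the accepted answer reports as working. It decodes a captured SAMLResponse (the POSTed form value Fiddler or the browser's network tab shows), extracts the Issuer and Audience elements, and tests the Audience against http://google.com/a/<yourdomain.com>. The embedded SAML response is constructed for this example; TENANT-ID, example.com and the timestamps are placeholders, and the signature and attribute statements are omitted.

```python
"""Diagnose the SAML identifier behind AADSTS65005 for the Google Apps app.

Decodes a SAMLResponse captured from the browser, extracts the Issuer and
Audience elements, and checks the Audience against the identifier format
the accepted answer reports as working: http://google.com/a/<yourdomain.com>.
Diagnostic only: nothing here verifies the XML signature, so never use it
to make a trust decision.
"""
import base64
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def expected_identifier(domain: str) -> str:
    """Identifier (SAML Entity ID / Audience) format from the accepted answer."""
    return f"http://google.com/a/{domain}"


def identifier_matches(candidate: str, domain: str) -> bool:
    """Exact comparison: scheme, host, '/a/' path and domain must all be present.
    The three variants the accepted answer lists as failing ('google.com',
    'http://google.com', 'google.com/<domain>') all return False."""
    return candidate == expected_identifier(domain)


def decode_saml_message(encoded: str) -> bytes:
    """Base64-decode a SAMLResponse/SAMLRequest parameter.

    HTTP-POST binding carries plain base64 XML; HTTP-Redirect binding carries
    base64 of a raw-DEFLATE stream, which must be inflated first.
    """
    raw = base64.b64decode(encoded)
    if raw.lstrip().startswith(b"<"):   # already XML: POST binding
        return raw
    return zlib.decompress(raw, -15)    # -15: raw DEFLATE, no zlib header


def encode_redirect_binding(xml_bytes: bytes) -> str:
    """Inverse of the redirect-binding case above (used for the self-check)."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_bytes) + compressor.flush()
    return base64.b64encode(deflated).decode()


def saml_identifiers(xml_bytes: bytes) -> dict:
    """Return the response-level Issuer and every Audience in the assertion(s)."""
    root = ET.fromstring(xml_bytes)   # parse only captures you made yourself
    issuer = root.find("saml:Issuer", NS)
    audiences = [
        a.text.strip()
        for a in root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    issuer_text = issuer.text.strip() if issuer is not None and issuer.text else None
    return {"issuer": issuer_text, "audiences": audiences}


def diagnose(encoded_response: str, domain: str) -> dict:
    """Decode a captured SAMLResponse and compare its Audience with the
    identifier Azure AD should be sending for this Google Apps domain."""
    ids = saml_identifiers(decode_saml_message(encoded_response))
    ids["expected"] = expected_identifier(domain)
    ids["ok"] = any(identifier_matches(a, domain) for a in ids["audiences"])
    return ids


# Constructed sample, not a real capture: TENANT-ID, example.com and the
# timestamps are placeholders; signature and attribute statements are omitted.
SAMPLE_RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2017-06-01T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-06-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/TENANT-ID/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2017-06-01T11:55:00Z" NotOnOrAfter="2017-06-01T13:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://google.com/a/example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML).decode()

if __name__ == "__main__":
    result = diagnose(SAMPLE_SAML_RESPONSE, "example.com")
    print("Issuer:   ", result["issuer"])
    print("Audience: ", result["audiences"])
    print("Expected: ", result["expected"])
    print("Match:    ", result["ok"])
    for bad in ("google.com", "http://google.com", "google.com/example.com"):
        print(f"{bad!r:<28} -> {identifier_matches(bad, 'example.com')}")
```

One caveat when using this on a real capture: the Audience in the response Azure AD sends is simply whatever Identifier is configured on the Azure AD side of the enterprise app, so a captured response tells you what Azure AD is currently emitting, not what Google expects. The useful check is therefore whether that emitted Audience matches the http://google.com/a/<yourdomain.com> form for your domain; if it shows one of the failing patterns instead, the Identifier field is what needs changing.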