Azure AD to GSPS | C2C Community

Azure AD to GSPS


Userlevel 1

Hello All. Appreciate if someone can provide guidance on this.

We want to create a coexistence in such a way that Office 365 users are provisioned in Google Workspace with Cloud Identity licenses. The Office 365 domain could be registered as a primary domain or a secondary domain in the existing Google Workspace entity.

For User Provisioning - We would be using GCDS, by authorising it on the Office 365 on-prem AD with Google Workspace SA credentials.

For User Password Sync - We understand a password changed on the on-prem AD can be synced to Google Workspace via GSPS, BUT can it also sync the password if an Office 365 user changes the password from the Office 365 web browser login, or an Azure admin changes it?

There is an option in Azure to do a password writeback to on-prem AD - https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback.

Went through the documentation of GSPS, where details are mentioned with respect to the Active Directory password change event. Curious to understand whether it syncs passwords from an Azure AD tenant that is connected to an on-premises AD.

Thanks, Kevin


10 replies

Userlevel 4
Badge +6

If I read this correctly, I see that you have Azure Active Directory synced with on-prem active directory. I am going to continue with this assumption.

It is going to be easier, probably safer, and less hassle to federate Google Cloud Identity into Azure Active Directory via SAML. In this case you only have to worry about the password sync from on-prem to Azure rather than also worrying about the sync from there to Google.

Userlevel 1

Thanks @dominikkugelmann for your input. If I understood this correctly, GSPS will take care of syncing passwords changed in Azure (synced with on-prem AD), and the Azure AD to on-prem password sync will be taken care of through the “password writeback” feature. Otherwise, I’ll make myself more brief:

abc.com (Azure AD domain synced with On-Prem AD)

xyz.com (Google Workspace - GW) 


Scenario 1: To provision abc.com as Cloud Identity Free (CIF) users under xyz.com as a secondary domain.

GCDS - User Provisioning

GSPS - Password Sync

Both tools installed on abc.com on-prem AD with xyz.com GW Super Admin authorization

Scenario 2: Register abc.com as a separate Google Workspace - CIF instance.

GCDS - User Provisioning

GSPS - Password Sync

Both tools installed on abc.com on-prem AD with abc.com GW Super Admin authorization

If I am not wrong, SAML connectivity would come into the picture if we were using the “G Suite connector” on Azure AD (to provision Azure users to GW, but there the password doesn’t get synced); here we are trying to make the source of authentication as follows:

User Sync flow: abc.com Azure AD > abc.com On-Prem AD > xyz.com GCDS > xyz.com Google Workspace.

Password Sync flow: Azure AD > Password writeback > On-Prem AD > GSPS > Google Workspace.

Thanks.

Userlevel 2
Badge +1

I understand the technical aspect of it, but could you also shed some light on the business use case here?

1. Why do you want to sync passwords if you plan to leverage SAML for AuthN?

2. Do you already have all identities in Azure AD? If yes, why do you not want to leverage Azure as the centralized IdP for provisioning and SSO, rather than writing back passwords to local AD and then syncing them to Google?

If having different domains in Azure vs Google is a concern, then you may consider transforming attributes in Azure's Google connector, so that when Azure makes a Directory API call to Google for provisioning, or sends a SAML assertion for authentication, it sends the transformed attribute (e.g. user@azuredomain.com TO azure@googledomain.com).

Here is a video to understand it conceptually

and here is a video showing how to do that in Azure https://sc.goldyarora.com/04uPm5Oz

Userlevel 1

Thank you @Goldyarora for your insights.

The business use case is collaboration between 2 different organisations for a few months. We are thinking of using Cloud Identity Free edition for the collaboration.

Requirements:

  1. To enable Collaboration between Office 365 users (o365domain.com) & Google Workspace users (googledomain.com).
  2. o365domain.com users on their Outlook mailbox should be able to lookup googledomain.com directory contacts.
  3. googledomain.com users on their Google mailbox should be able to lookup o365domain.com directory contacts. 

Technical Landscape:

  • googledomain.com has its IdP on Google and it can’t be changed.
  • googledomain.com has multiple secondary domains, one of them would be o365domain.com, so the Azure & Google domains would be the same. (Requirement no. 3 would be achieved.)
  • googledomain.com & o365domain.com have their own separate Azure & Active Directories.

What is tried so far:

  • Configured the Azure AD G Suite connector to provision users on Google Workspace with correct OU mapping where auto assignment of Cloud Identity is OFF; unfortunately the password didn’t sync due to the absence of the attribute, so an Apps Script which sets a default password on the Google side for o365domain.com Cloud Identity accounts might solve the purpose, but again they will have to use the non-admin password recovery feature to reset the password and would have separate passwords for o365domain.com (Outlook) & googledomain.com (Cloud Identity).
  • The Partial SSO (NewSAML) beta has expired; if that were available and feasible, then I think we could achieve federation with Azure as IdP on a particular org unit for Google sign-in without installing GCDS & GSPS in the o365domain.com environment.
  • In the process of trying GCDS & GSPS sync on o365domain.com AD.

Please find the diagram for better understanding.

https://ibb.co/m5R4TyC

Thanks in advance!

@Abhishek Mehta


Userlevel 2
Badge +1

Thank you.

Why do you want to use GSPS, as it doesn't help with any of your 3 requirements?

Also, have you considered the following, as they would meet your 3 requirements?

1. A ready-made solution to sync GALs such as https://cloudiway.com/products/galsync/

OR

2. Have GCDS in place to (only) sync the MS GAL to Google shared contacts and have it run once a day, and also script the MS contact/Graph API to do the same in the other direction, syncing Google shared contacts to the MS GAL (maybe an Apps Script with a daily time trigger)?

I didn't completely understand the authentication requirement yet; would these be the same set of users in both environments?

It might be early to suggest this based on limited understanding of the authentication requirement, but have you considered the other way round (e.g. using Google as the IdP for both Google and O365 users, where you only assign the O365 SAML app to the required users)?

https://www.goldyarora.com/g-suite-to-office-365-sso/
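The second half of option 2 above (scripting the Microsoft side to push Google directory entries into the Microsoft 365 contact store) as an added example; this is not code from the thread or from any of the tools named in it. It is written as plain Node.js rather than Apps Script so it runs offline, and it assumes an app registration holding the Graph `Contacts.ReadWrite` application permission whose bearer token is obtained elsewhere; the Directory API records are constructed samples.

```javascript
// Added example: one-way sync of Google Workspace directory users into a
// Microsoft 365 mailbox's Contacts folder via Microsoft Graph, the way
// GAL-sync tools populate per-mailbox contacts. Not from the original thread.

// Constructed sample of what the Directory API (users.list) returns for googledomain.com.
const GOOGLE_USERS = [
  { primaryEmail: "kevin@googledomain.com",
    name: { givenName: "Kevin", familyName: "Example", fullName: "Kevin Example" },
    organizations: [{ title: "IT Admin" }], suspended: false },
  { primaryEmail: "old@googledomain.com",
    name: { givenName: "Old", familyName: "Account", fullName: "Old Account" },
    suspended: true },
];

// Map one Directory API user to a Graph "contact" resource body.
function buildGraphContact(u) {
  const org = (u.organizations && u.organizations[0]) || {};
  return {
    givenName: u.name.givenName,
    surname: u.name.familyName,
    displayName: u.name.fullName,
    companyName: "googledomain.com",
    jobTitle: org.title || null,
    emailAddresses: [{ address: u.primaryEmail, name: u.name.fullName }],
  };
}

// Decide what to create on this run: skip suspended Google accounts and any
// address already present in the mailbox (existing = GET /users/{id}/contacts).
function planSync(googleUsers, existingContacts) {
  const have = new Set(existingContacts.flatMap(c =>
    (c.emailAddresses || []).map(e => e.address.toLowerCase())));
  return googleUsers
    .filter(u => !u.suspended && !have.has(u.primaryEmail.toLowerCase()))
    .map(buildGraphContact);
}

// Push the plan into one o365domain.com mailbox; schedule this daily.
// `token` is an application-permission bearer token obtained outside this snippet.
async function pushContacts(mailbox, contacts, token) {
  const url = `https://graph.microsoft.com/v1.0/users/${encodeURIComponent(mailbox)}/contacts`;
  for (const c of contacts) {
    const r = await fetch(url, {
      method: "POST",
      headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
      body: JSON.stringify(c),
    });
    if (!r.ok) throw new Error(`Graph POST failed for ${c.emailAddresses[0].address}: ${r.status}`);
  }
}
```

Because the plan is computed against the mailbox's current contacts, rerunning the job is idempotent and a suspended Google account is never re-added.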


Userlevel 1

Thank you @Goldyarora for your reply. 

Let’s consider an example: 

  1. goldy@o365domain.com is a user on the Office 365 platform.
  2. Now, goldy@o365domain.com would also require an account with a similar naming convention and a Google Cloud Identity SKU to collaborate with kevin@googledomain.com (for Drive, Meet & looking up the Google directory).
  3. o365domain.com would also be registered as a Google Workspace secondary domain.
  4. At this stage, Goldy has 2 accounts: a) Office 365 platform b) Google Workspace platform.
  5. This is only a collaboration mode, so mail architecture is out of the picture.

How to Provision goldy@o365domain.com as a Google Cloud Identity account? (Office 365 to Google Workspace provisioning)

  • User Provision - a) GCDS (Method 1 - Diagram) b) Azure G Suite Connector (Method 2 - Diagram).
  • Password Sync - This would be Goldy’s Office 365 platform password, so that’s why we are thinking of using GSPS as a middle layer between Azure AD & Google Workspace. We could have used the Azure G Suite Connector (Office 365 to Google Workspace provisioning), but it doesn’t sync passwords.

Would Partial SSO (newSAML) be a better option than using GCDS & GSPS? It might be better because Goldy’s Office 365 account wouldn’t need a separate sign-in on Google, since Azure would be the IdP in Google’s SSO settings for googledomain.com at OU level, and Goldy’s Google account could be provisioned via the Azure G Suite connector.

I’ll have a look at GAL sync recommendation.

Hope it clarifies. 

Thanks.

@Abhishek Mehta 


Userlevel 2
Badge +1

Understood.

For GAL, consider the previous message.

For Provisioning, consider Azure AD connector.

For Authentication, please send me a private message with your official email, I believe you are a Google partner?

Userlevel 1

Sure, thank you @Goldyarora.

Hi,

If I’m understanding the above situation correctly:

  1. You can use your local AD with AzureAD connect to provision your users to AzureAD.
  2. You could use GCDS to provision the same users from local AD to Workspace but a setup with AzureAD to Google Workspace user provisioning would be better
  3. Passwords changed in Google will also be written back to AzureAD
  4. AzureAD user passwords will be written back to local AD.

Is this correct?

Kindest regards

Userlevel 2
Badge +1

#1 : Yes.

#2 : Yes (there are a few differences between GCDS and the Azure Google connector; GCDS has more capabilities, but unless you really need those, you should rather consider going with the Azure Google connector, as that’s the point of using a “centralized” IdP).

#3 : No (I am not sure if there is any recent development by Microsoft here, but they don’t write back password changes made in Google to Azure).

It won’t make much sense either, as Azure is acting as IdP, so it’s better that users change their passwords in Azure.

#4 : Yes.

The above scenario is well suited to Partial SSO (new functionality in Google Workspace); more information and a demo here: https://www.goldyarora.com/partial-sso/
