Writing this as just had a complete nightmare trying to configure Azure AD as the Single Sign On Identity Provider for G-Suite NonProfit at one point, I was told by G-Suite support that to use an external IDP with NonProfit G-Suite and I would need to upgrade all 350 (free of charge) users to the Basic business version at $5/Month each.
I don’t want to be to hard on G-Suite and Google, they are after all supporting the work of Charities by donating licences, however, finding out the correct information was far more complex than it needed to be.
My Client (a Not for Profit with around 350 users) has invested a great deal of time and effort in the Office365 EcoSystem including SharePoint, Exchange, OneDrive etc. Currently they have a hybrid On premise and cloud Active Directory Environment and they plan to increase their use of Office365 and Dynamics365 as part of a Digital Transformation Journey.
They have no intention of jumping ship into the G-Suite ecosystem, however, they are interested in using Chromebooks as low cost internet access devices. To do this they required a G-Suite account, Chromebook management licences and then to allow easy multi user access to the ChromeBooks by end users, some sort of synchronisation between Active Directory and G-Suite.
Having looked at the Google apps for Domain Controllers (clunky) and as there is an intention to move to a fully cloud based AD environment, it was decided to set up Azure AD as the IDP for G-Suite.
What I Did
In the main I simply followed Microsoft’s instructions that can be found at this link (no bodges or rocket science here!)
These are fine, you just need to follow them carefully and the sync will work. However an issues arise at step 4.
4. On the G Suite Domain and URLs section, if you want to configure for the Google Cloud Platform perform the following steps:
In the Sign-on URL textbox, type a URL URL using the following pattern: https://www.google.com/a/<yourdomain.com>/ServiceLogin?continue=https://console.cloud.google.com
In the Identifiertextbox, type a URL using the following pattern:
These values are not real. Update these values with the actual Sign-On URL and Identifier. Contact G Suite Client support team to get these values.
The examples given for the Sign in URL are incorrect, and if you contact the “G Suite Client support team” as a NonProfit user you will be told using an external IDP is not possible, so they will not/ can not give you the correct URL’s for your G-Suite domain.
The settings that worked for us in the UK, found after a great deal of Googling, and a lot of trial and error are :-
Sign On URL :-
Follow the rest of the instructions (to the letter!) and hopefully you will end up with a working environment where you can sign into G-Suite using your AD credentials.
I don’t offer any warranty with this, but it might help somebody!