Google Apps and Active Directory Federation Services
I thought i’d share a few of the extermely important details in regards to getting Google Apps to authenticate with an in house ADFS instance. The procedure and documentation provided by Google appears to make this a fairly simple process. Well if you’ve attempted to set this up and you’ve found this post via Google then I assume you to are having difficulties. Here are a few notes to help anyone out there that may be having issues.
As a high level overview the steps go like this:
Install ADFS 2.0, do not install via Roles as this will install the prior version which means you’ll need to download from here: http://www.microsoft.com/en-us/download/details.aspx?id=10909
After ADFS has been installed launch the Add Trusted Rely Party Wizard
Select “Start” to start the configuration of the Relying Party Trust.
Select “Enter data about relying party manually” and click Next.
Enter a Display name and click Next. For example, Google Apps your_domain
Select “AD FS 2.0 profile” and click Next.
Select “Enable support for SAML 2.0 WebSSO protocol” and enter “https://www.google.com/a/your_domain/acs” as the “Relying party SAML 2.0 SSO service URL” and click Next.
In the “Relying party trust identifier” field, add “google.com/a/your_domain.com” and any secondary domains (e.g., google.com/a/your_secondarydomain.com) used in the Google Apps account as the relying trust identifiers, and click Next.
Select “Permit all users to access this relying party” and click Next.
Click Close, and Check “Open the Edit Claim Rules for this relying party trust” when the wizard closes.
Under Edit Claim Rules click add claim
Select the template “Send LDAP attributes as Claims” and click Next.
Define a “Claim rule name” to identify the this claim for future references.
Attribute store should be “Active Directory”.
“Mapping of LDAP attributes to Outgoing Claim types” should be defined as
LDAP Attribute “Email-Addresses”
Outgoing Claim Type as “Name ID”
Note: In a Google Apps Multi-Domain Management configuration, the LDAP attribute must be the full SMTP address (email@example.com). The full SMTP address is required so that Google Apps can uniquely identify which domain in the Multi-Domain Organization contains the user’s primary account. Click Finish and OK.
Create a self signed certificate to replace the Token Signing Certificate
Add this certificate to the signature tab by launching ADFS and right clicking on the relying party trust that was setup earlier. While this dialog is open check the Encryption Tab and be sure there is no encryption certificate. If there is you will not be able to authenticate properly.
These last steps are also cruicial.
Navigate to the Machine Keys folder and be sure that NETWORK and SERVICE both have full access to this folder
Open MMC and add the certificates snap in
Choose local computer and then pick computer account
Under the Certificate Personal Store right click the token signing certificate, go to all tasks and select manage private keys, make sure NETWORK and SERVICE have full access.
Next Disable Integrated Windows Authentication by navigating to c:\inetpub\adfs\ls and edit the web.config file
Under the “<localAuthenticationTypes>” section, comment out or delete the integrated option which reads “<add name=”Integrated” page=”auth/integrated/” />”
Last but not least under IIS edit the bindings for HTTPS and assign the token signing certificate
I’ve excluded the steps to setup and enable SSO in Google Apps, that peice seems pretty self explanatory. Just be sure you export the Token Signing Certificate and upload this to the SSO settings page. Please make sure ports 80 and 443 are forwarded to your internal ADFS server if it’s behind a firewall. I welcome any questions or comments.