Issues with AzureAD and G-Suite SSO

  • Question

  • Hello

    I have configured G-Suite SSO integration as documented here https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial

    I have a test account in AzureAD and Google with matching details and this user has been granted permission to the G-Suite app in AzureAD

    However when I try to sign into a Google service, after entering the user name and password into the Microsoft landing page I am greeted with this error:

    Sorry, but we’re having trouble signing you in.

    AADSTS65005: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant. Client app ID: 01303a13-8322-4e06-bee5-80d612907131.
    Request Id: 496b2797-5bde-453a-8586-42a67d4b5101
    Correlation Id: 7829fb5d-97be-4f49-9d7b-8fd295d7b8b7
    Timestamp: 2018-10-17T19:16:42Z
    Message: AADSTS65005: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant. Client app ID: 01303a13-8322-4e06-bee5-80d612907131.
    Advanced diagnostics: Disable
    If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.

    I've tried going to App registrations > G-Suite > Settings > Required Permissions and clicking Grant permissions as recommended in another troubleshooting post, but that has not worked.

    Any ideas? Thanks


    • Edited by Arthur87 Wednesday, October 17, 2018 7:31 PM
    Wednesday, October 17, 2018 7:31 PM

Answers

  • Hello again

    I managed to resolve the issue by following the debugging steps outlined here: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-v1-debug-saml-sso-issues

    I had to update the Azure App Identifier from http://google.com/a/<our.domain> to google.com/a/<our.domain>

    • Marked as answer by Arthur87 Monday, October 22, 2018 9:33 PM
    Monday, October 22, 2018 9:33 PM
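An added example, not code from this thread or from Microsoft or Google, that illustrates why the accepted fix works: the Issuer in the SAML AuthnRequest sent by the service provider is compared against the Identifier configured in Azure AD as a plain string, so http://google.com/a/<domain> and google.com/a/<domain> are two different identifiers even though they look like the same thing. The AuthnRequest below is constructed for the example and example.com is a placeholder domain; the check also flags "near misses" that differ only by scheme, case or trailing slash, since that is the mistake a debugger should look for first.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest (placeholder domain example.com). Only the
# <saml:Issuer> element matters for the identifier check shown here.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}"
    xmlns:saml="{SAML_NS}" ID="_constructed_id_1" Version="2.0"
    IssueInstant="2018-10-17T19:16:42Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://www.google.com/a/example.com/acs">
  <saml:Issuer>google.com/a/example.com</saml:Issuer>
</samlp:AuthnRequest>"""


def extract_issuer(authn_request_xml: str) -> str:
    """Return the Issuer (SP entity ID) carried in a SAML AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not issuer.text:
        raise ValueError("AuthnRequest has no Issuer element")
    return issuer.text.strip()


def _loose(identifier: str) -> str:
    """Normalise an identifier for near-miss detection only (never for auth)."""
    s = identifier.strip().lower()
    for scheme in ("https://", "http://"):
        if s.startswith(scheme):
            s = s[len(scheme):]
    return s.rstrip("/")


def check_identifier(request_issuer: str, configured_identifiers: list) -> dict:
    """Exact-match check, plus a list of configured values that only differ
    by scheme, case or trailing slash, which is the usual misconfiguration."""
    exact = request_issuer in configured_identifiers
    near = [c for c in configured_identifiers
            if c != request_issuer and _loose(c) == _loose(request_issuer)]
    return {"issuer": request_issuer, "match": exact, "near_misses": near}


if __name__ == "__main__":
    issuer = extract_issuer(SAMPLE_AUTHN_REQUEST)
    # The configuration from the thread before the fix: scheme present.
    print(check_identifier(issuer, ["http://google.com/a/example.com"]))
    # After the fix: the Identifier matches the Issuer exactly.
    print(check_identifier(issuer, ["google.com/a/example.com"]))
```

Running the script prints a mismatch with one near miss for the pre-fix configuration and an exact match for the corrected one; in a real investigation the AuthnRequest would come from the browser's SAML trace, as the linked debugging guide describes.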

All replies

  • Can you please compare the "Sign-on URL" and the "Identifier" text box values to check that the domain name is added correctly? Also, can you check if you are getting any logs at the G Suite end.

    Thursday, October 18, 2018 12:33 AM
  • Hi

    The URLs look good as far as I can tell. In Azure:

    Sign in URL: https://www.google.com/a/<our.domain>/ServiceLogin?continue=https://mail.google.com

    Identifier: http://google.com/a/<our.domain>

    In Google:

    Sign in URL: https://login.microsoftonline.com/<directory ID>/saml2

    Sign out URL: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

    Change password URL: https://account.activedirectory.windowsazure.com/changepassword.aspx

    There don't appear to be any logs at the Google end.

    Thursday, October 18, 2018 1:00 AM
  • Does anyone have a clue as how to fix this??
    Monday, October 22, 2018 7:51 PM
  • Can you please check if the Microsoft Azure AD application is enabled in your Azure AD tenant. If not, enable the application with the application identifier 00000002-0000-0000-c000-000000000000.

    Monday, October 22, 2018 8:33 PM
  • Hi. I've just checked and this is enabled for user sign in as shown in your picture.
    Monday, October 22, 2018 8:40 PM
  • I initially thought that the issue could be because of the configuration but couldn't figure out the Identifier difference; glad to hear that you were able to resolve this issue.
    Monday, October 22, 2018 9:38 PM
  • Thanks so much!

    This helped me, as I was going crazy trying to figure out what was wrong.

    This solution worked for me!

    Wednesday, September 11, 2019 4:47 PM