Enabling federated self-service SAML authentication (of Google Workspace IdP) for workforce tenant
Hello! May I request assistance with enabling self-service SAML authentication (via federation of the Google Workspace IdP) for a workforce Entra tenant? External identity logins work just fine for invited users from the Google Workspace, but not for uninvited users. We need all users from the specified Google Workspace to automatically have access without needing to be added manually and go through the invitation process.
Authorization policy is set to self-service, but domain detection fails. Note that the Google Workspace domain is included in the custom SAML external identity.
Failing scenario:
- Uninvited users from sui-testgws03.com accessing the MyApps portal get: "We couldn't find an account with that username"
- Expected (desired) behavior: users should be redirected to Google Workspace for SAML authentication, then auto-provisioned
Technical configuration verified:
- SAML Provider: Configured with Google Workspace domain properly associated
- External Collaboration: Inclusive Guest User settings enabled
- Cross-tenant Access: Default settings allow B2B collaboration for Applications / External users and groups
- Google Workspace: SAML app enabled "ON for everyone"
Question: What configuration is required to enable domain-based SAML federation detection for uninvited/self-service users in a workforce tenant? The domain appears to not be triggering automatic SAML provider routing for uninvited users.
Environment:
- Microsoft Entra ID P2 license
- Workforce tenant configuration
- Google Workspace SAML 2.0 federation
Latest error:
AADSTS50020: User account '******@sui-testgws03.com' from identity provider 'https://accounts.google.com/o/saml2?idpid=[REDACTED]<[REDACTED]>' does not exist in tenant 'SAS Users' and cannot access the application '[REDACTED]'(SimpleEntraAuthApp01b) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Please reach out to ******@su-inc.com 858-762-9000. Thanks!
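Added triage helper (not part of the original post, and not Microsoft's or Google's code): it cross-checks an AADSTS50020 message like the one above against the tenant's SAML/WS-Fed external domain federation objects, so you can tell "the domain is not registered on any federation" apart from "the domain is federated and the IdP asserted it, but no user object exists in the tenant". The Graph response embedded below is a constructed sample shaped like the `samlOrWsFedExternalDomainFederation` object returned by `GET /identity/identityProviders`; it is assumed that the `domains` list has already been fetched (the real API exposes it as a sub-resource), and every id, issuer and tenant name is a placeholder.

```python
import re

# Constructed sample (assumption: shape of a Graph samlOrWsFedExternalDomainFederation
# object with its domains already attached). All values are placeholders.
SAMPLE_PROVIDERS = {
    "value": [
        {
            "@odata.type": "#microsoft.graph.samlOrWsFedExternalDomainFederation",
            "id": "00000000-0000-0000-0000-000000000001",
            "displayName": "Google Workspace SAML (constructed)",
            "issuerUri": "https://accounts.google.com/o/saml2?idpid=PLACEHOLDER",
            "passiveSignInUri": "https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER",
            "preferredAuthenticationProtocol": "saml",
            "domains": [{"id": "sui-testgws03.com"}],
        }
    ]
}

# Constructed error text in the AADSTS50020 format; the trailing "<...>" after the
# issuer mimics the mail-client artifact seen in the post and is stripped below.
SAMPLE_ERROR = (
    "AADSTS50020: User account 'someone@sui-testgws03.com' from identity provider "
    "'https://accounts.google.com/o/saml2?idpid=PLACEHOLDER<PLACEHOLDER>' does not exist "
    "in tenant 'Contoso' and cannot access the application 'PLACEHOLDER' in that tenant."
)

FEDERATION_TYPE = "#microsoft.graph.samlOrWsFedExternalDomainFederation"
ERROR_RE = re.compile(r"User account '(?P<upn>[^']+)' from identity provider '(?P<idp>[^']+)'")


def federated_domains(providers):
    """Map each registered external domain (lower-cased) to its federation's issuerUri."""
    mapping = {}
    for provider in providers.get("value", []):
        if provider.get("@odata.type") != FEDERATION_TYPE:
            continue  # skip social/built-in providers; only domain federations route sign-ins
        for domain in provider.get("domains", []):
            mapping[domain["id"].lower()] = provider.get("issuerUri", "")
    return mapping


def parse_aadsts50020(message):
    """Return (user_domain, asserting_idp) from an AADSTS50020 message."""
    match = ERROR_RE.search(message)
    if not match:
        raise ValueError("not an AADSTS50020 message")
    user_domain = match.group("upn").rsplit("@", 1)[1].lower()
    return user_domain, match.group("idp")


def normalize_issuer(idp):
    """Drop a trailing '<...>' copy/paste artifact and surrounding whitespace."""
    return re.sub(r"<[^>]*>$", "", idp).strip()


def diagnose(providers, message):
    """Classify why the sign-in failed, using only the error text and the federation list."""
    user_domain, idp = parse_aadsts50020(message)
    registered = federated_domains(providers)
    if user_domain not in registered:
        return "domain-not-federated"
    if normalize_issuer(idp) != normalize_issuer(registered[user_domain]):
        return "issuer-mismatch"
    # Domain is federated and the expected IdP asserted the user: the tenant simply has
    # no user object for them, which is exactly what the AADSTS50020 text says.
    return "federated-but-user-not-provisioned"


if __name__ == "__main__":
    print(diagnose(SAMPLE_PROVIDERS, SAMPLE_ERROR))
```

Run it against a real `GET /identity/identityProviders` payload (with each provider's `domains` merged in) and the exact error string from the sign-in logs. A `domain-not-federated` result points at the federation object; `issuer-mismatch` points at the Google-side SAML app's entity ID; `federated-but-user-not-provisioned` confirms routing works and that the remaining gap is on the user-provisioning side, which is the situation the post describes.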