Troubleshooting Google SSO Login Issue in SharePoint and Teams via Azure Federation

Many organizations use Google SSO to allow users to access different applications without remembering multiple usernames and passwords. However, issues may arise when integrating Google SSO with SharePoint or Teams via Azure Federation. One of the common issues is that users cannot log in due to differences in ImmutableId and UserPrincipalName (UPN). This article outlines the troubleshooting steps to address this issue.

PROBLEM

Users cannot log in to SharePoint or Teams sites via Google SSO with the federation in Azure. The issue arises when users’ ImmutableId is not the same as UPN. They will receive the following error:

To troubleshoot the login issue with Google SSO in SharePoint or Teams via Azure Federation, follow these PowerShell commands:

1. Connect to PowerShell
2. Import the MSOnline module
3. Enter your admin account credentials
4. Connect to MSOnline service
5. Get the ImmutableId for the user with incorrect UPN
6. Check if the ImmutableId matches the UPN
7. If not, set the UserPrincipalName to a temporary value that is not Federated
8. Set the ImmutableId to the correct value
9. Set the UserPrincipalName back to the Federated value
10. Check if the ImmutableId is now correct

Here are the PowerShell commands to accomplish these steps:

Connect-MsolService
$msolCred = Get-Credential
Connect-MsolService -Credential $msolCred
get-MsolUser -UserPrincipalName “username@domainname.com” | select {$_.immutableid}
Set-MsolUserPrincipalName -UserPrincipalName “username@domainname.com” -NewUserPrincipalName username@domainname.onmicrosoft.com
set-MsolUser -UserPrincipalName “username@domainname.onmicrosoft.com” -ImmutableId username@domainname.com
Set-MsolUserPrincipalName -UserPrincipalName “username@domainname.onmicrosoft.com” -NewUserPrincipalName username@domainname.com
get-MsolUser -UserPrincipalName “username@domainname.com” | select {$_.immutableid}

Note: Replace “username@domainname.com” with the actual UPN of the user-facing the log in issue.

IF THE ISSUE PERSISTS

If the log in issue with Google SSO in SharePoint or Teams via Azure Federation persists, further investigation revealed that the problem is related to the certificate in the connection between Azure and Google GSuite. This can be identified from the Azure – Azure Active Directory – User – Sign-in logs, which may show the error “Unable to verify the token signature. The signing key identifier does not match any valid registered keys.”

I investigate the issue further and discover that the PEM certificate on the Web and mobile apps that are connected to the Azure Federation has expired. To fix this problem, I generate a new PEM certificate and follow these steps:

1. Generate a new PEM certificate
2. Connect to the Windows Azure Active Directory Module using PowerShell
3. Enter your Azure admin credential
4. Get the MSOL domain federation settings for your domain
5. Retrieve the renewed certificate in base64 format and remove all the header/footer/carriage returns to make a single-line base64 string
6. Set the SigningCertificate and NextSigningCertificate to the new certificate using PowerShell
7. Verify the certificate update

Here are the PowerShell commands to accomplish these steps:

# Connect to the Windows Azure Active Directory Module using PowerShell.
Import-Module MSOnline
Connect-MsolService

# Enter your O365 admin credentials.
$msolCred = Get-Credential
Connect-MsolService -Credential $msolCred

# Get the MSOL domain federation settings for your domain.
$domainName = “”
$federationSettings = Get-MsolDomainFederationSettings -DomainName $domainName

# Retrieve the renewed certificate in base64 format and remove all the header/footer/carriage return to make a single line base64 string.
$cert = “”
$cert = $cert.Replace(“\r\n”,””)

# Set the SigningCertificate and NextSigningCertificate to the new certificate using PowerShell.
Set-MsolDomainFederationSettings -DomainName $domainName -SigningCertificate “$cert” -NextSigningCertificate “$cert” -PreferredAuthenticationProtocol “SAMLP”

# Verify the certificate update with Get-MsolDomainFederationSettings.
Get-MsolDomainFederationSettings -DomainName $domainName

By following these steps, the certificate issue in the connection between Azure and Google GSuite was resolved, allowing users to log in to SharePoint and Teams sites via Google SSO with Azure Federation.