I have set up Azure AD with federated SSO to Google Apps. All setting seem correct, and users are automatically created in Google as I add them to AD. When I attempt to login to Google, I am (correctly) redirected to Azure. Login seems to validate, but I get an error message from Azure indicating that the user is not configured to sign-in to this application. The user clearly does have the application enabled (as evidenced by the user creation within Google).
What am I missing?