If you add and enable a third-party SSO profile for your domain, all users in your domain will sign in to Google services via your third-party identity provider.
If you want some of your users to sign in to Google directly, you can move those users into an organizational unit (OU) or group. Then, manage SSO settings for the OU or group so that those users are authenticated by Google rather than using your third-party IdP. Follow these steps:
- From the Admin console Home page, go to Security.
- Click Set up single sign-on (SSO) with a third party IdP.
- Add and enable a third-party SSO profile for your organization.
If you want all your (non-super admin) users to sign in using a third-party IdP, you can stop now. If you want some users to sign in to Google directly, continue to the next step.
- Click Manage SSO profile assignments.
- If this is your first time assigning the SSO profile, click Get started. Otherwise, click Manage.
Note: Get started is only available if you’ve already enabled your third-party SSO profile.
- On the left, select the organizational unit or group for which you’re assigning the SSO profile.
If the SSO profile assignment for an OU or group differs from your domain-wide profile assignment, an override warning appears when you select that OU or group.
You can’t assign the SSO profile on a per-user basis. The Users view lets you check the setting for a specific user.
- For SSO profile assignment, choose None.
- Users in the OU or group will sign in directly with Google.
- Other users will sign in to Google services using the IdP designated in your domain’s third-party SSO profile.
- Click Save.
To turn SSO off for all users
If you need to turn third-party authentication off for all your users without changing the SSO profile assignment for OUs or groups, you can disable the third-party SSO profile:
- Go to Security > SSO with third-party IDPs > Third-party SSO profile for your domain.
- Uncheck Set up SSO with third-party identity provider.
- Click Save.