Set up SSO using 3rd party IdPs
Signing in with SSO
The sign-in page for the Admin console is admin.google.com, which redirects to accounts.google.com, while the sign-in page for an individual Google service is service.google.com/a/your_domain.com. When you configure SSO for your domain, the behavior of these pages depends on whether the user signing in has super administrator privileges, and whether the domain has a network mask.
Signing in with super administrator privileges
When super administrators try to sign in to an SSO-enabled domain (with or without a network mask) via admin.google.com, they must enter their full Google administrator account email address and associated Google password (not their SSO username and password), and click Sign in to directly access the Admin console. Google does not redirect them to the SSO sign-in page.
When super administrators sign in to the Google Drive synchronization client, they bypass SSO.
Google does not redirect them to the SSO sign-in page. This applies to sign-in attempts from browsers, mobile apps (such as the iOS Drive and Gmail apps), the Android account activation flow, and so forth.
When super administrators try to sign in to another Google service at service.google.com/a/your_domain.com and the domain has a network mask, they are only redirected to the SSO sign-in page if they're signing in from within their domain's network mask. If they're outside of their domain's network mask, or if their domain doesn't have a network mask, they are prompted for their Google username and password.