Network masks are IP addresses that are represented using Classless Inter-Domain Routing (CIDR) notation. The CIDR specifies how many bits of the IP address are included. The SSO profile for your organization can use network masks to determine which IP addresses or ranges of IP addresses to present with the SSO service.
Note: For the network masks settings, only domain-specific service URLs, for example service.google.com/a/example.com, currently redirect to the SSO sign-in page.
It is important for each network mask to use the correct format. In the following IPv6 example, the slash (/) and the number after it represent the CIDR. The last 96 bits are not taken into consideration, and all of the IP addresses in that network range are affected.
- 2001:db8::/32
In this IPv4 example, the last 8 bits (the zero) are not be taken into consideration, and all of the IP addresses that were in the range of 64.233.187.0 through 64.233.187.255 would be affected.
- 64.233.187.0/24
In domains without a network mask, you must add users who are not super administrators to the identity provider (IdP).
SSO user experience when visiting Google service URLsThe following table shows the user experience for direct visits to Google service URLs, with and without a network mask:
| Without network mask | Super administrators are: | Users are: |
|---|---|---|
| service.google.com | Prompted for their Google email address and password. | Prompted for their email address, then redirected to the SSO sign-in page. |
| With network mask | Super administrators and users are: | |
| service.google.com | Prompted for their email address and password. | |
| service.google.com /a/your_domain.com* (within network mask) |
Redirected to the SSO sign-in page. | |
| service.google.com /a/your_domain.com (outside network mask) |
Prompted for their email address and password. | |
| accounts.google.com/ o/oauth2/v2/auth?login_hint= xxxxx@example.com |
Users who access Google's OAuth 2.0 endpoint using the login_hint URL parameter are redirected to the SSO sign-in page. |
|
* Not all services support this URL pattern. Examples of services that do are Gmail and Drive.
- Your domain has SSO with a third-party IdP.
- Your domain has a network mask.
- A user signed in through the third-party IdP (see the table in “SSO user/network mapping matrix”).
- The user session reaches its maximum allowed duration as specified in the Google session control Admin console setting.
- The admin modified the user account by changing the password or requiring the user to change the password at their next sign-in (either through the Admin console or using the Admin SDK).
User experience
If the user initiated the session on a third-party IdP, the session is cleared and the user is redirected to the Google Sign-in page.
Because the user initiated their Google session on a third-party IdP, they might not understand why they need to sign in to Google to regain access to their account. Users might get redirected to a Google Sign-in page even when they try to navigate to other Google URLs.
If you’re planning some maintenance that includes terminating active user sessions and want to avoid user confusion, tell your users to logout from their sessions and stay logged out until the maintenance is complete.
User recovery
When a user sees the Google Sign-in page because their active session was terminated, they can regain access to their account by doing one of the following:
- If the user sees the message “If you’ve reached this page in error, click here to sign out and try to sign in again,” they can click the link in the message.
- If the user doesn’t see that message or link, they sign out and sign in again by going to https://accounts.google.com/logout.
- The user can clear their browser cookies.
Once they use any one of the recovery methods, their Google session is fully terminated and they can sign in.
