Set up SSO using 3rd party IdPs

Network Mapping results

Network masks are IP addresses that are represented using Classless Inter-Domain Routing (CIDR) notation. The CIDR specifies how many bits of the IP address are included. Google uses network masks to determine which IP addresses or ranges of IP addresses to present with the SSO service.

It is important for each network mask to use the correct format. In the following IPv6 example, the slash (/) and the number after it represent the CIDR. The last 96 bits are not taken into consideration, and all of the IP addresses in that network range are affected.

  • 2001:db8::/32

In this IPv4 example, the last 8 bits (the zero) are not be taken into consideration, and all of the IP addresses that were in the range of 64.233.187.0 through 64.233.187.255 would be affected.

  • 64.233.187.0/24

In domains without a network mask, you must add users who are not super administrators to the identity provider (IdP).

SSO user/network mapping matrix

without network mask super administrators users
accounts.google.com When super administrators try to sign in to accounts.google.com, they are prompted for their full Google email address (including username and domain) and password and are redirected to the Admin console after they sign in. They aren't redirected to the SSO server. When users without super administrator privileges try to sign at accounts.google.com, they're redirected to the SSO sign-in page.
admin.google.com When super administrators try to sign in to admin.google.com, they're prompted for their full Google email address (including username and domain) and password and are redirected to the Admin console after they sign in. They aren't redirected to the SSO server.
 
When users without super administrator privileges, such as delegated administrators, try to sign in to admin.google.com, they're redirected to the SSO server after they sign in with their Google account details.
with network mask super administrators users
service.google.com When users (with or without super administrator privileges) try to sign in to service.google.com, they're redirected to accounts.google.com, where they're prompted for their full Google email address (including username and password). When users (with or without super administrator privileges) try to sign in to service.google.com, they're redirected to accounts.google.com, where they're prompted for their full Google email address (including username and password).
service.google.com
/a/your_domain.com

within a network mask

When users (with or without super administrator privileges) within the network mask try to sign in to service.google.com/a/your_domain.com, they're redirected to the SSO sign-in page.

When users (with or without super administrator privileges) within the network mask try to sign in to service.google.com/a/your_domain.com, they're redirected to the SSO sign-in page.

service.google.com
/a/your_domain.com
outside a network mask
When users (with or without super administrator privileges) outside of the network mask try to sign in to service.google.com/a/your_domain.com, they aren't redirected to the SSO server. When users (with or without super administrator privileges) outside of the network mask try to sign in to service.google.com/a/your_domain.com, they aren't redirected to the SSO server.
service.google.com
/a/your_domain.com

unauthenticated service requests

The originating IP of all unauthenticated service requests is checked when accessing via service.google.com/a/your_domain.com.

If the originating IP falls within a network mask (CIDR range), they're redirected to the SSO sign-in page.

If the originating IP does not fall within a network mask, they're prompted for a username and then for a Google password.

Direct connections to accounts.google.com are prompted for a username and then for a Google password.

The originating IP of all unauthenticated service requests is checked when accessing via service.google.com/a/your_domain.com.

If the originating IP falls within a network mask (CIDR range), they're redirected to the SSO sign-in page.

If the originating IP does not fall within a network mask, they're prompted for a username and then for a Google password.

Direct connections to accounts.google.com are prompted for a username and then for a Google password.

Session expiration when a network mask is configured 
This section applies to you only if all of these conditions are true:
  • Your domain has SSO with a third-party IdP.
  • Your domain has a network mask.
  • A user signed in through the third-party IdP (see the table in “SSO user/network mapping matrix”).
A user’s active Google session might be terminated and the user asked to re-authenticate when:
  • The user session reaches its maximum allowed duration as specified in the Google session control Admin console setting.
  • The admin modified the user account by changing the password or requiring the user to change the password at their next sign-in (either through the Admin console or using the Admin SDK).

User experience

If the user initiated the session on a third-party IdP, the session is cleared and the user is redirected to the Google Sign-in page.

Because the user initiated their Google session on a third-party IdP, they might not understand why they need to sign in to Google to regain access to their account. Users might get redirected to a Google Sign-in page even when they try to navigate to other Google URLs.

If you’re planning some maintenance that includes terminating active user sessions and want to avoid user confusion, tell your users to logout from their sessions and stay logged out until the maintenance is complete.

User recovery

When a user sees the Google Sign-in page because their active session was terminated, they  can regain access to their account by doing one of the following:

  • If the user sees the message “If you’ve reached this page in error, click here to sign out and try to sign in again,” they can click the link in the message.
  • If the user doesn’t see that message or link, they sign out and sign in again by going to https://accounts.google.com/logout.
  • The user can clear their browser cookies.

Once they use any one of the recovery methods, their Google session is fully terminated and they can sign in.  

 

Note: When using a network, only domain-specific service URLs, for example service.google.com/a/your_domain.com, currently redirect to the SSO sign-in page.

Was this helpful?
How can we improve it?