Set up SSO using 3rd party IdPs

Network Mapping results

Network masks are IP addresses that are represented using Classless Inter-Domain Routing (CIDR) notation. The CIDR specifies how many bits of the IP address are included. Google uses network masks to determine which IP addresses or ranges of IP addresses to present with the SSO service.

It is important for each network mask to use the correct format. In the following IPv6 example, the slash (/) and the number after it represent the CIDR. The last 96 bits are not taken into consideration, and all of the IP addresses in that network range are affected.

  • 2001:db8::/32

In this IPv4 example, the last 8 bits (the zero) are not taken into consideration, and all of the IP addresses in the range of 64.233.187.0 through 64.233.187.255 are affected.

  • 64.233.187.0/24

In domains without a network mask, you must add users who are not super administrators to the identity provider (IdP).

SSO user/network mapping matrix

Without network mask

accounts.google.com

  • Super administrators: When super administrators try to sign in to accounts.google.com, they are prompted for their full Google email address (including username and domain) and password and are redirected to the Admin console after they sign in. They aren't redirected to the SSO server.
  • Users: When users without super administrator privileges try to sign in at accounts.google.com, they're redirected to the SSO sign-in page.

admin.google.com

  • Super administrators: When super administrators try to sign in to admin.google.com, they're prompted for their full Google email address (including username and domain) and password and are redirected to the Admin console after they sign in. They aren't redirected to the SSO server.
  • Users: When users without super administrator privileges, such as delegated administrators, try to sign in to admin.google.com, they're redirected to the SSO server after they sign in with their Google account details.

With network mask

service.google.com

  • Super administrators and users: When users (with or without super administrator privileges) try to sign in to service.google.com, they're redirected to accounts.google.com, where they're prompted for their full Google email address (including username and domain).

service.google.com/a/your_domain.com, within a network mask

  • Super administrators and users: When users (with or without super administrator privileges) within the network mask try to sign in to service.google.com/a/your_domain.com, they're redirected to the SSO sign-in page.

service.google.com/a/your_domain.com, outside a network mask

  • Super administrators and users: When users (with or without super administrator privileges) outside of the network mask try to sign in to service.google.com/a/your_domain.com, they aren't redirected to the SSO server.

service.google.com/a/your_domain.com, unauthenticated service requests

  • Super administrators and users: The originating IP of all unauthenticated service requests is checked when accessing via service.google.com/a/your_domain.com. If the originating IP falls within a network mask (CIDR range), they're redirected to the SSO sign-in page. If the originating IP does not fall within a network mask, they're prompted for a username and then for a Google password. Direct connections to accounts.google.com are prompted for a username and then for a Google password.
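
The matrix above can be checked against a planned set of network masks before they are saved. The following Python example is added here and is not Google's code: it validates mask format and reports which sign-in path a given originating IP would get. The function names and outcome labels are hypothetical, the masks are the two examples from this page, and the originating IPs are constructed.

```python
import ipaddress

# Hypothetical outcome labels and names; not part of any Google API.
SSO = "SSO sign-in page"
GOOGLE = "Google sign-in prompt"
DOMAIN_URL = "service.google.com/a/your_domain.com"

def parse_masks(masks):
    """Parse CIDR masks; strict=True rejects host bits set after the prefix
    (for example 64.233.187.5/24), so a mistyped mask fails loudly."""
    return [ipaddress.ip_network(m.strip(), strict=True) for m in masks]

def in_any_mask(source_ip, networks):
    """True if the originating IP is inside any mask (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in networks)

def sign_in_flow(entry_point, source_ip, is_super_admin, masks):
    """Where a sign-in attempt lands, following the page's mapping matrix."""
    networks = parse_masks(masks)
    if not networks:
        # Without a network mask: only super administrators skip SSO.
        if entry_point in ("accounts.google.com", "admin.google.com"):
            return GOOGLE if is_super_admin else SSO
    elif entry_point == DOMAIN_URL:
        # With a network mask: the originating IP decides, not the role.
        return SSO if in_any_mask(source_ip, networks) else GOOGLE
    elif entry_point in ("accounts.google.com", "service.google.com"):
        return GOOGLE
    # Anything else is a combination the matrix does not describe.
    raise ValueError(f"combination not covered by the matrix: {entry_point}")

if __name__ == "__main__":
    masks = ["64.233.187.0/24", "2001:db8::/32"]  # the page's two examples
    # Constructed originating IPs for illustration.
    for ip in ("64.233.187.17", "64.233.188.1", "2001:db8:1::5", "2001:db9::1"):
        print(ip, "->", sign_in_flow(DOMAIN_URL, ip, False, masks))
```

Addresses that resolve to the Google sign-in prompt authenticate with a Google password rather than through the IdP, so those accounts need a Google password that meets your policy.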

 
