Optional SSO settings and maintenance

How to rotate certificates

If you upload two certificates to a SAML SSO profile, Google can use either certificate to validate a SAML response from your IdP. This allows you to safely rotate an expiring certificate on the IdP side. Follow these steps at least 24 hours before a certificate is due to expire:

  1. Create a new certificate on the IdP.
  2. Upload the certificate as the second certificate to Admin console. For instructions see Create a SAML profile.
  3. Wait 24 hours to allow for Google user accounts to update with the new certificate.
  4. Configure the IdP to use the new certificate in place of the expiring one.
  5. (Optional) Once users have confirmed they are able to sign in, remove the old certificate from Admin console. You can then upload a new certificate in the future as needed.

Manage domain-specific service URLS

The Domain-specific service URLs setting lets you control what happens when users sign in using service URLs such as https://mail.google.com/a/example.com.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenAuthenticationand thenSSO with third party IdP.
  3. Click Domain-specific Service URLs to open the settings.

There are two options:

  • Redirect users to the third-party IdP. Choose this option to always route these users to the third-party IdP that you select in the SSO profile drop-down list. This can be the SSO profile for your organization, or another third-party profile (if you’ve added one).

    Important: If you have organizational units or groups that are not using SSO, don’t choose this setting. Your non-SSO users will be automatically routed to the IdP and won’t be able to sign in.

  • Require users to enter their username on Google’s sign-in page. With this option, users entering domain-specific URLs are first sent to the Google sign-in page. If they are SSO users, they’re redirected to the IdP sign-in page.

Network Mapping results

Network masks are IP addresses that are represented using Classless Inter-Domain Routing (CIDR) notation. The CIDR specifies how many bits of the IP address are included. The SSO profile for your organization can use network masks to determine which IP addresses or ranges of IP addresses to present with the SSO service.

Note:  For the network masks settings, only domain-specific service URLs, for example service.google.com/a/example.com, currently redirect to the SSO sign-in page.

It is important for each network mask to use the correct format. In the following IPv6 example, the slash (/) and the number after it represent the CIDR. The last 96 bits are not taken into consideration, and all of the IP addresses in that network range are affected.

  • 2001:db8::/32

In this IPv4 example, the last 8 bits (the zero) are not be taken into consideration, and all of the IP addresses that were in the range of 64.233.187.0 through 64.233.187.255 would be affected.

  • 64.233.187.0/24

In domains without a network mask, you must add users who are not super administrators to the identity provider (IdP).

SSO user experience when visiting Google service URLs

The following table shows the user experience for direct visits to Google service URLs, with and without a network mask:

Without network mask Super administrators are: Users are:
service.google.com Prompted for their Google email address and password. Prompted for their email address, then redirected to the SSO sign-in page.
With network mask Super administrators and users are:
service.google.com Prompted for their email address and password.
service.google.com
/a/your_domain.com*
(within network mask)		 Redirected to the SSO sign-in page.
service.google.com
/a/your_domain.com
(outside network
mask)		 Prompted for their email address and password.
accounts.google.com/
o/oauth2/v2/auth?login_hint=
xxxxx@example.com

Users who access Google's OAuth 2.0 endpoint using the login_hint URL parameter are redirected to the SSO sign-in page.

* Not all services support this URL pattern. Examples of services that do are Gmail and Drive.

Session expiration when a network mask is configured 
This section applies to you only if all of these conditions are true:
  • Your domain has SSO with a third-party IdP.
  • Your domain has a network mask.
  • A user signed in through the third-party IdP (see the table in “SSO user/network mapping matrix”).
A user’s active Google session might be terminated and the user asked to re-authenticate when:
  • The user session reaches its maximum allowed duration as specified in the Google session control Admin console setting.
  • The admin modified the user account by changing the password or requiring the user to change the password at their next sign-in (either through the Admin console or using the Admin SDK).

User experience

If the user initiated the session on a third-party IdP, the session is cleared and the user is redirected to the Google Sign-in page.

Because the user initiated their Google session on a third-party IdP, they might not understand why they need to sign in to Google to regain access to their account. Users might get redirected to a Google Sign-in page even when they try to navigate to other Google URLs.

If you’re planning some maintenance that includes terminating active user sessions and want to avoid user confusion, tell your users to logout from their sessions and stay logged out until the maintenance is complete.

User recovery

When a user sees the Google Sign-in page because their active session was terminated, they  can regain access to their account by doing one of the following:

  • If the user sees the message “If you’ve reached this page in error, click here to sign out and try to sign in again,” they can click the link in the message.
  • If the user doesn’t see that message or link, they sign out and sign in again by going to https://accounts.google.com/logout.
  • The user can clear their browser cookies.

Once they use any one of the recovery methods, their Google session is fully terminated and they can sign in.  

Set up 2-Step Verification with SSO

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenAuthenticationand thenLogin challenges.
  3. On the left, select the organizational unit where you want to set the policy.

    For all users, select the top-level organizational unit. Initially, organizational units inherit the settings of its parent.

  4. Click Post-SSO verification.
  5. Choose settings according to how you use SSO profiles in your organization. You can apply a setting for users who use the legacy SSO profile and for users who sign in using other SSO profiles.
  6. On the bottom right, click Save.

    Google creates an entry in the Admin audit log to indicate any policy change.

The default post-SSO verification setting depends on SSO user type:

  • For users signing in using the legacy SSO profile, the default setting is to bypass additional login challenges and 2SV.
  • For users signing in using SSO profiles, the default setting is to apply additional login challenges and 2SV.

See also

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
Contact us Tell us more and we’ll help you get there
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Main menu
8927021345360528237
true
Search Help Center
true
true
true
true
true
73010
false
false