Notification

Duet AI is now Gemini for Google Workspace. Learn more

Network Mapping results

Network masks are IP addresses that are represented using Classless Inter-Domain Routing (CIDR) notation. The CIDR specifies how many bits of the IP address are included. Google uses network masks to determine which IP addresses or ranges of IP addresses to present with the SSO service.

Note:  For the network masks settings, only domain-specific service URLs, for example service.google.com/a/example.com, currently redirect to the SSO sign-in page.

It is important for each network mask to use the correct format. In the following IPv6 example, the slash (/) and the number after it represent the CIDR. The last 96 bits are not taken into consideration, and all of the IP addresses in that network range are affected.

  • 2001:db8::/32

In this IPv4 example, the last 8 bits (the zero) are not be taken into consideration, and all of the IP addresses that were in the range of 64.233.187.0 through 64.233.187.255 would be affected.

  • 64.233.187.0/24

In domains without a network mask, you must add users who are not super administrators to the identity provider (IdP).

SSO user/network mapping matrix

without network mask super administrators users
accounts.google.com When super administrators try to sign in to accounts.google.com, they are prompted for their full Google email address (including username and domain) and password and are redirected to the Admin console after they sign in. They aren't redirected to the SSO server. When users without super administrator privileges try to sign at accounts.google.com, they're redirected to the SSO sign-in page.
admin.google.com When super administrators try to sign in to admin.google.com, they're prompted for their full Google email address (including username and domain) and password and are redirected to the Admin console after they sign in. They aren't redirected to the SSO server.
 
When users without super administrator privileges, such as delegated administrators, try to sign in to admin.google.com, they're redirected to the SSO server after they sign in with their Google account details.
with network mask super administrators users
accounts.google.com/o/oauth2/v2/auth?*login_hint=xxxxx@example.com* When users (with or without super administrator privileges) try to initiate Google OAuth flow from accounts.google.com/o/oauth2/v2/auth with login_hint URL parameter, they're redirected to the SSO sign-in page. When users (with or without super administrator privileges) try to initiate Google OAuth flow from accounts.google.com/o/oauth2/v2/auth with login_hint URL parameter, they're redirected to the SSO sign-in page.
service.google.com When users (with or without super administrator privileges) try to sign in to service.google.com, they're redirected to accounts.google.com, where they're prompted for their full Google email address (including username and password). When users (with or without super administrator privileges) try to sign in to service.google.com, they're redirected to accounts.google.com, where they're prompted for their full Google email address (including username and password).
service.google.com
/a/
example.com*
within a network mask

When users (with or without super administrator privileges) within the network mask try to sign in to service.google.com/a/example.com, they're redirected to the SSO sign-in page.

When users (with or without super administrator privileges) within the network mask try to sign in to service.google.com/a/example.com, they're redirected to the SSO sign-in page.

service.google.com
/a/example.com*
outside a network mask
When users (with or without super administrator privileges) outside of the network mask try to sign in to service.google.com/a/example.com, they aren't redirected to the SSO server. When users (with or without super administrator privileges) outside of the network mask try to sign in to service.google.com/a/example.com, they aren't redirected to the SSO server.
service.google.com
/a/
example.com*
unauthenticated service requests

The originating IP of all unauthenticated service requests is checked when accessing via service.google.com/a/example.com.

If the originating IP falls within a network mask (CIDR range), they're redirected to the SSO sign-in page.

If the originating IP does not fall within a network mask, they're prompted for a username and then for a Google password.

Direct connections to accounts.google.com are prompted for a username and then for a Google password.

The originating IP of all unauthenticated service requests is checked when accessing via service.google.com/a/example.com.

If the originating IP falls within a network mask (CIDR range), they're redirected to the SSO sign-in page.

If the originating IP does not fall within a network mask, they're prompted for a username and then for a Google password.

Direct connections to accounts.google.com are prompted for a username and then for a Google password.

* Not all services support this URL pattern. Examples of services that do are:

  • Gmail
  • Google Drive
Session expiration when a network mask is configured 
This section applies to you only if all of these conditions are true:
  • Your domain has SSO with a third-party IdP.
  • Your domain has a network mask.
  • A user signed in through the third-party IdP (see the table in “SSO user/network mapping matrix”).
A user’s active Google session might be terminated and the user asked to re-authenticate when:
  • The user session reaches its maximum allowed duration as specified in the Google session control Admin console setting.
  • The admin modified the user account by changing the password or requiring the user to change the password at their next sign-in (either through the Admin console or using the Admin SDK).

User experience

If the user initiated the session on a third-party IdP, the session is cleared and the user is redirected to the Google Sign-in page.

Because the user initiated their Google session on a third-party IdP, they might not understand why they need to sign in to Google to regain access to their account. Users might get redirected to a Google Sign-in page even when they try to navigate to other Google URLs.

If you’re planning some maintenance that includes terminating active user sessions and want to avoid user confusion, tell your users to logout from their sessions and stay logged out until the maintenance is complete.

User recovery

When a user sees the Google Sign-in page because their active session was terminated, they  can regain access to their account by doing one of the following:

  • If the user sees the message “If you’ve reached this page in error, click here to sign out and try to sign in again,” they can click the link in the message.
  • If the user doesn’t see that message or link, they sign out and sign in again by going to https://accounts.google.com/logout.
  • The user can clear their browser cookies.

Once they use any one of the recovery methods, their Google session is fully terminated and they can sign in.  

 

 

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
13687365767400737208
true
Search Help Center
true
true
true
true
true
73010
false
false