Set up SSO using 3rd party IdPs

Understanding SAML secure sign-in

Google uses a Security Assertion Markup Language (SAML) provider for user authentication. When your users sign in to G Suite, they arrive at a screen on the main G Suite page to confirm their identity.

How often do users see the screen?

To minimize disruption for the user, this screen only appears once for each account on a device. Once the user confirms their identity on a specific Chrome Browser or device, it's safe to let them sign in again without asking them to reconfirm their identity.

What is the purpose?

  • Protection against phishing attacks—This screen helps stop Chrome Browser users from unknowingly signing in to an account created and controlled by an attacker. For example, a phishing campaign could trick a user into signing in to a Google Account controlled by an attacker. This type of attack can use SAML single sign-on (SSO), because SSO doesn't require any user interaction to complete a sign-in. To protect users, we've added an authentication screen.
  • Creating a consistent identity—This new security feature is part of a larger project to create a consistent identity across G Suite services (such as Gmail) and native Chrome Browser services, such as Chrome sync. This consistency makes it easier for signed-in G Suite users to take advantage of native Chrome Browser features, but it requires extra protection during authentication. This new screen adds that protection and reduces the probability that attackers abuse SAML SSO to sign users in to malicious accounts.

Can I disable the screen?

Yes, you can disable the authentication screen. For example, you might want to reduce the number of interactions between your users and Google.

To disable the new screen for your organization, use the X-GoogApps-AllowedDomains HTTP header to identify domains whose users can access Google services. Users in those domains won’t see the extra screen. Google assumes those accounts are trusted by your users.

To set the header, use the AllowedDomainsForApps group policy for Chrome.
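As an added illustration (not Google's or Chrome's own code; the policy file path is an assumption about where Chrome on Linux reads machine-wide managed policies), the script below builds the AllowedDomainsForApps value from the domains your organization owns, rejecting wildcards and malformed entries so a typo cannot widen the trusted set, and models which sign-ins the resulting X-GoogApps-AllowedDomains header would exempt from the confirmation screen:

```python
import json
import re

# Assumed location of Chrome's machine-wide managed policies on Linux.
POLICY_PATH = "/etc/opt/chrome/policies/managed/allowed_domains.json"

# Hostname label rules: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_domains(domains):
    """Validate and normalize the domains the organization owns.

    Rejects wildcards, empty and malformed entries so that a mistake
    never widens the set of accounts Google treats as trusted.
    """
    cleaned = []
    for raw in domains:
        dom = raw.strip().lower().rstrip(".")
        if not dom or "*" in dom or "," in dom:
            raise ValueError(f"invalid domain entry: {raw!r}")
        labels = dom.split(".")
        if len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
            raise ValueError(f"malformed domain: {raw!r}")
        if dom not in cleaned:
            cleaned.append(dom)
    return cleaned


def header_value(domains):
    """Comma-separated value Chrome sends in X-GoogApps-AllowedDomains."""
    return ",".join(normalize_domains(domains))


def policy_json(domains):
    """Body of the managed-policy file that sets AllowedDomainsForApps."""
    return json.dumps({"AllowedDomainsForApps": header_value(domains)}, indent=2)


def screen_suppressed(header, account_email):
    """True when the account's domain is listed in the header, i.e. the
    identity-confirmation screen would be skipped for that sign-in."""
    if not header:
        return False
    allowed = {d.strip().lower() for d in header.split(",") if d.strip()}
    domain = account_email.rsplit("@", 1)[-1].lower()
    return domain in allowed


if __name__ == "__main__":
    # Constructed sample: the domains this organization controls.
    print(policy_json(["Example.com", "corp.example.net"]))
```

Write the printed JSON to POLICY_PATH and confirm the value under chrome://policy; an account in any domain not listed still sees the screen.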
