Understanding SAML secure sign-in

Google uses a Security Assertion Markup Language (SAML) provider for user authentication. When your users sign in to Google Workspace, they arrive at a screen on the main Google Workspace page to confirm their identity.

How often do users see the screen?

To minimize disruption for the user, this screen only appears once for each account on a device. Once the user confirms their identity on a specific Chrome Browser or device, it’s safe to let them sign in again without asking them to reconfirm their identity.

Note: SSO users may see additional authentication challenges if you choose to enable challenges with SSO. This also turns on 2-Step Verification (2SV), if configured for your Google account. (2SV is normally disabled for users who sign in via SSO.) 

What is the purpose?

  • Protection against phishing attacks—The sign-in screen helps stop Chrome Browser users from unknowingly signing in to an account created and controlled by an attacker. For example, a phishing campaign could trick a user into signing in to a Google Account controlled by an attacker. This type of attack can use SAML single sign-on (SSO), because it doesn’t require user interaction to complete a sign-in. To protect users, we’ve added an authentication screen.
  • Creating a consistent identity—This new security feature is part of a larger project to create a consistent identity across Google Workspace services (such as Gmail) and native Chrome Browser services, such as Chrome sync. This consistency makes it easier for signed-in users to take advantage of native Chrome Browser features, but it requires extra protection during authentication. This new screen adds that protection and reduces the probability that attackers abuse SAML SSO to sign users in to malicious accounts.

Can I disable the screen?

Yes, you can disable the authentication screen. For example, you might want to reduce the number of interactions between your users and Google.

To disable the new screen for your organization, use the X-GoogApps-AllowedDomains HTTP header to identify domains whose users can access Google services. Users in those domains won’t see the extra screen. Google assumes those accounts are trusted by your users.

To set the header, you can also use the AllowedDomainsForApps group policy.
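The following is an added example, not Google's own code or tooling: it builds the comma-separated value for the X-GoogApps-AllowedDomains header from an allowlist and audits the headers of a captured outbound request so an administrator can confirm that the screen is only suppressed for the intended domains. The domain names and the captured headers are constructed sample values.

```python
import re
from typing import Dict, Iterable, List

HEADER_NAME = "X-GoogApps-AllowedDomains"
# Plain DNS labels only: no wildcards, schemes or paths in the allowlist.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def allowed_domains_header(domains: Iterable[str]) -> str:
    """Build the header value: lower-cased, trimmed, de-duplicated, comma-separated."""
    seen: List[str] = []
    for raw in domains:
        d = raw.strip().lower().rstrip(".")
        if not _DOMAIN_RE.match(d):
            raise ValueError(f"not a valid domain for {HEADER_NAME}: {raw!r}")
        if d not in seen:
            seen.append(d)
    if not seen:
        raise ValueError("allowlist is empty; nothing would be trusted")
    return ",".join(seen)


def audit_request_headers(headers: Dict[str, str], expected: Iterable[str]) -> List[str]:
    """Return findings for one outbound request (constructed sample input).

    Header names match case-insensitively. A finding means either the screen
    will still be shown (header missing) or it is suppressed for a domain
    that is not on the organization's allowlist.
    """
    findings: List[str] = []
    value = next((v for k, v in headers.items() if k.lower() == HEADER_NAME.lower()), None)
    if value is None:
        findings.append(f"{HEADER_NAME} header missing: users will still see the sign-in screen")
        return findings
    sent = {d.strip().lower() for d in value.split(",") if d.strip()}
    want = set(allowed_domains_header(expected).split(","))
    for extra in sorted(sent - want):
        findings.append(f"unexpected domain trusted by header: {extra}")
    for missing in sorted(want - sent):
        findings.append(f"expected domain absent from header: {missing}")
    return findings
```

The same comma-separated list is what the AllowedDomainsForApps policy takes, so the allowlist used here should match the policy value deployed to Chrome Browser.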
