Sign into Chrome with Okta (custom integration)


As an admin, you can use the Google Admin console to set up Chrome profiles so users can sign into Chrome browser with their third-party credentials—such as Okta—on any Windows, Mac, or Linux computer.

Step 1: Create an OIDC app in Okta

To create an OpenID Connect (OIDC) app:

  1. Sign into your Okta admin console.
  2. Go to Applications and then Applications.
  3. At the top, click Create App Integration:
    1. For the Sign-in method, select OIDC - OpenID Connect.
    2. For the Application type, select Web Application.
    3. Click Next.
  4. On the New Web App Integration page, enter the following:
    1. Give the application an appropriate name, like Chrome Profile Enrollment.
    2. For Grant type, make sure Authorization Code is the only one selected.
    3. In the Sign-in redirect URIs section, set the URI to https://chromeenterprise.google/profile-enrollment/register-handler.
    4. For Controlled access, select Skip group assignment for now.
    5. Click Save.
  5. After the app is created, the configuration page opens.
  6. On the General page, take note of the Client ID to use later in the Google Admin console.
  7. In the Client Credentials section, click Edit and change the following:
    1. For Client authentication, select Client secret.
    2. For Proof Key for Code Exchange (PKCE), check the Require PKCE as additional verification box.
    3. Take note of the client secret because you need it for use later in the Google Admin console.
    4. Click Save.
  8. On the Sign On tab, in the OpenID Connect ID Token section, click Edit:
    1. Change the Issuer to the Okta URL and take note of the URL shown in parentheses.
    2. Click Save.
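The app created above uses the Authorization Code grant with PKCE required and a single, exactly registered redirect URI. The following Python script is an added illustration of what those two settings buy you; it is not Okta's or Google's code. It implements the RFC 7636 S256 verifier/challenge transform and a hypothetical toy authorization server (ToyAuthorizationServer, an assumption, not Okta's implementation) that binds each authorization code to the challenge and redirect URI it was issued for, so a code is worthless without the matching verifier and cannot be redeemed twice.

```python
import base64
import hashlib
import hmac
import secrets

# Redirect URI registered in the Okta app (from the page). The authorization
# server compares it with each request's redirect_uri by exact string match.
REGISTERED_REDIRECT_URI = "https://chromeenterprise.google/profile-enrollment/register-handler"


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy code_verifier (RFC 7636 section 4.1).

    32 random bytes base64url-encoded without padding gives 43 characters,
    the minimum length the RFC allows (maximum is 128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class ToyAuthorizationServer:
    """Hypothetical stand-in for the PKCE bookkeeping an OIDC provider does
    when 'Require PKCE' is on. It is NOT Okta's implementation."""

    def __init__(self, registered_redirect_uri: str):
        self.registered_redirect_uri = registered_redirect_uri
        self._pending = {}  # authorization code -> (code_challenge, redirect_uri)

    def authorize(self, redirect_uri: str, code_challenge: str, method: str = "S256") -> str:
        # Exact-match the redirect URI and accept only the S256 challenge method.
        if redirect_uri != self.registered_redirect_uri:
            raise ValueError("redirect_uri does not match the registered URI")
        if method != "S256":
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (code_challenge, redirect_uri)
        return code

    def token(self, code: str, code_verifier: str, redirect_uri: str) -> bool:
        # Codes are single use: pop() makes a second redemption fail.
        entry = self._pending.pop(code, None)
        if entry is None:
            return False
        challenge, bound_uri = entry
        if redirect_uri != bound_uri:
            return False
        # Whoever presents the code must also hold the verifier behind the challenge.
        return hmac.compare_digest(make_code_challenge(code_verifier), challenge)


def run_scenarios() -> dict:
    """Exercise the toy server: a legitimate exchange, a replay, a code presented
    without the original verifier, and a request for an unregistered redirect URI."""
    server = ToyAuthorizationServer(REGISTERED_REDIRECT_URI)

    # Scenario 1: the client that generated the verifier redeems the code, then replays it.
    verifier = make_code_verifier()
    code = server.authorize(REGISTERED_REDIRECT_URI, make_code_challenge(verifier))
    legit = server.token(code, verifier, REGISTERED_REDIRECT_URI)
    replay = server.token(code, verifier, REGISTERED_REDIRECT_URI)

    # Scenario 2: a fresh code presented with a verifier that does not match its challenge.
    verifier2 = make_code_verifier()
    code2 = server.authorize(REGISTERED_REDIRECT_URI, make_code_challenge(verifier2))
    wrong_verifier = server.token(code2, make_code_verifier(), REGISTERED_REDIRECT_URI)

    # Scenario 3: an authorization request naming a redirect URI that was never registered.
    try:
        server.authorize("https://example.invalid/callback", make_code_challenge(verifier2))
        foreign_redirect_rejected = False
    except ValueError:
        foreign_redirect_rejected = True

    return {
        "legitimate_accepted": legit,
        "replay_rejected": not replay,
        "wrong_verifier_rejected": not wrong_verifier,
        "foreign_redirect_rejected": foreign_redirect_rejected,
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The checks map directly onto the Okta settings: "Require PKCE" is the verifier comparison in token(), and the single registered sign-in redirect URI is the exact-match test in authorize(). A trailing slash or different casing in the redirect URI would fail that comparison, which is why the URI in the Okta app must be entered exactly as given above.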

Step 2: Create a custom attribute

For information on creating a custom attribute for the profile of the app you created, see Okta Docs.

Add the following properties to the attribute:

  • Type: string
  • Display name: Chrome Profile Enrollment Token
  • Variable name: chromeProfileEnrollmentToken
  • Attribute type: Select Group if you want to assign it to groups, or Personal if you want to set this attribute for each individual user.

Step 3: Create a connector configuration

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu and then Chrome browser > Connectors.

    Requires having the Chrome administrator privilege

  3. (Optional) If you’re configuring Chrome Enterprise connectors settings for the first time, follow the prompts to turn on Chrome Enterprise Connectors.
  4. Click + New provider configuration.
  5. In the panel on the right, select the Universal Enrollment connector.
  6. Click Set up.
  7. Enter these configuration details:
    1. Configuration name.
    2. Client ID from the app you created.
    3. For the Email claim, enter email.
    4. For the Enrollment token claim, enter chromeProfileEnrollmentToken.
    5. For the Issuer, enter the OIDC token issuer URL. Go to your OIDC app in Okta, sign in, and scroll down to OpenID Connect ID Token. For example, https://acme.oktasampleurl.com.
    6. Client secret from the app you created.
    7. After the validation is completed, click Add configuration.

Configurations are added for your entire organization and relevant organizational units. After you add a new configuration, it's listed on the Connectors page. You can view the configurations that you added for each provider.
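The connector configuration above is, in effect, a contract about the ID token Okta issues: the issuer must match the configured value exactly, the token must be addressed to the configured client ID, and the claims named in the Email claim and Enrollment token claim fields must be present. The following Python script is an added example (not Google's or Okta's code) that decodes a constructed ID token and checks those claims against a stand-in for the connector configuration. The client ID and enrollment token values are placeholders; the issuer is the page's example. Signature verification against the issuer's JWKS is assumed to have happened already and is deliberately not shown. The check also models the exception the Step 5 note describes, where users whose identities are synced to Google need no enrollment token claim.

```python
import base64
import json

# Constructed stand-in for the connector configuration entered in Step 3.
# The issuer is the page's example; the client ID is a placeholder, not a real one.
CONNECTOR_CONFIG = {
    "issuer": "https://acme.oktasampleurl.com",
    "client_id": "PLACEHOLDER-CLIENT-ID",
    "email_claim": "email",
    "enrollment_token_claim": "chromeProfileEnrollmentToken",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_payload(id_token: str) -> dict:
    """Split a compact JWT and parse only the payload segment.

    Signature verification is assumed to have been done already by the caller;
    this helper intentionally does not do it."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_id_token(payload: dict) -> str:
    """Build a constructed, unsigned token for offline testing (dummy signature segment)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.{_b64url_encode(b'dummy-signature')}"


def check_id_token_claims(payload: dict, config: dict, now: float, identities_synced: bool = False) -> dict:
    """Compare the claims the connector relies on with the configured values.

    Returns the extracted email and enrollment token plus a list of problems;
    an empty list means the token satisfies the configuration."""
    problems = []

    # Issuer must match exactly: same scheme and host, and no stray trailing slash.
    if payload.get("iss") != config["issuer"]:
        problems.append(f"iss {payload.get('iss')!r} != configured issuer {config['issuer']!r}")

    # aud may be a string or a list; the configured client ID must be among the audiences.
    aud = payload.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if config["client_id"] not in audiences:
        problems.append("aud does not contain the configured client ID")

    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")

    email = payload.get(config["email_claim"])
    if not email:
        problems.append(f"missing {config['email_claim']} claim")

    # The enrollment token claim is required unless the user's identity is synced to Google.
    enrollment_token = payload.get(config["enrollment_token_claim"])
    if not enrollment_token and not identities_synced:
        problems.append(
            f"missing {config['enrollment_token_claim']} claim (required unless identities are synced to Google)"
        )

    return {"email": email, "enrollment_token": enrollment_token, "problems": problems}


def run_checks() -> dict:
    """Evaluate constructed tokens against CONNECTOR_CONFIG with a fixed clock."""
    now = 1_700_000_000  # fixed clock so results are deterministic
    good = {
        "iss": CONNECTOR_CONFIG["issuer"],
        "aud": CONNECTOR_CONFIG["client_id"],
        "exp": now + 300,
        "email": "alice@example.com",
        "chromeProfileEnrollmentToken": "PLACEHOLDER-ENROLLMENT-TOKEN",
    }
    trailing_slash = dict(good, iss=CONNECTOR_CONFIG["issuer"] + "/")
    no_token = {k: v for k, v in good.items() if k != "chromeProfileEnrollmentToken"}

    def evaluate(payload, synced=False):
        return check_id_token_claims(decode_jwt_payload(make_sample_id_token(payload)), CONNECTOR_CONFIG, now, synced)

    return {
        "good": evaluate(good),
        "trailing_slash": evaluate(trailing_slash),
        "synced_no_token": evaluate(no_token, synced=True),
        "unsynced_no_token": evaluate(no_token),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

The trailing-slash case is the one worth remembering when you copy the issuer from the OpenID Connect ID Token section in Okta: the connector compares the configured issuer with the token's iss claim as strings, so the value must be entered exactly as Okta shows it.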

Step 4: Generate an enrollment token

Still in the Google Admin console:

  1. Generate an enrollment token. See Generate enrollment token.
  2. Copy the token to use in the next step.

Step 5: Assign users and enrollment tokens to the app

Note: If your users' identities are synced to Google, they don’t need an enrollment token value. Instead, ensure that the email address carried in the email claim is the same as the email address used for that user’s Google identity.

  1. Return to the Okta admin console.
  2. Go to Applications and then Applications and open the app you created.
  3. On the app Assignments tab, select Assign and then Assign to People or Assign to Groups.
  4. For each user or group you want to assign to the app, do the following:
    1. Click Assign next to the user’s or group's name.
    2. For the Chrome Profile Enrollment Token property, enter the enrollment token generated in step 4.
    3. Click Save and Go Back.
  5. Click Done.

Step 6: Register a profile

  1. Return to the Google Admin console.
  2. Go to Menu and then Chrome browser > Connectors.

    Requires having the Chrome administrator privilege

  3. Select the identity-based enrollment connector you want to use.
  4. From the Details side panel, copy the enrollment URL.
  5. Open Chrome browser (version 134 or later).
  6. Navigate to the enrollment URL. This will redirect you to the Okta sign-in page.
  7. Accept the profile creation when Chrome prompts for consent.
  8. After configuration is complete, share the URL with your users so that they can create profiles on their own.

    Note: One way to share this URL with users is by customizing the access denied error message from Okta and including the Enrollment URL in that message. For details on how to customize the error message, see Customize the access denied error message.
