As an admin, you can use the Google Admin console to set up Chrome profiles so users can sign in to Chrome browser with their third-party credentials, such as Cisco Duo, on any Windows, Mac, or Linux computer.
Step 1: Create an OIDC app in Cisco Duo
To create an OpenID Connect (OIDC) app:
- Sign in to your Cisco Duo admin console.
- Go to Applications > Manage Applications.
- At the top, click Add Application.
- Search for Google Chrome Enterprise and click Add.
- On the configuration page, add the following:
- Give the application an appropriate name, like Chrome Profile Enrollment.
Note: Copy the Client ID and Client Secret to use later.
- Set User Access to Disable for all users. You can turn this on later.
- For Grant type, select Authorization Code.
- Select Allow PKCE only authentication.
- In the Sign-in redirect URLs section, set the URI to https://chromeenterprise.google/profile-enrollment/register-handler. Enter it exactly as shown; the redirect URI is matched exactly during the authorization code flow.
- Keep the Cisco Duo admin tab open, so you can return to it later to save your configurations.
Important: Scopes are used by Google Chrome Enterprise during authentication to authorize access to a user's details. Each scope returns a set of user attributes or claims that must be mapped to IdP attributes. When an application sends an OIDC request to Cisco Duo Single Sign-On (SSO), the response includes only the claims from the requested scopes. Cisco Duo automatically enables the email and profile scopes and maps the email and name attributes to them respectively. You can change the attribute sent from your authentication source by modifying the IdP attribute name related to each claim.
Step 2: Create a connector configuration
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Chrome browser > Connectors. This requires the Chrome administrator privilege.
- (Optional) If you’re configuring Chrome Enterprise connectors settings for the first time, follow the prompts to turn on Chrome Enterprise Connectors.
- Click + New provider configuration.
- In the panel on the right, select the Universal Enrollment connector.
- Click Set up.
- Enter these configuration details:
- Configuration name.
- Client ID from the app you created.
- For the Email claim, enter email.
- For the Enrollment token claim, enter enrollment_token.
- Issuer name from the app you created.
- Client secret from the app you created.
- After the validation is completed, click Add configuration.
Configurations are added for your entire organization and relevant organizational units. After you add a new configuration, it's listed on the Connectors page. You can view the configurations that you added for each provider.
Step 3: Generate an enrollment token
Still in the Google Admin console:
- Generate an enrollment token. See Generate enrollment token.
- Copy the token to use in the next step.
Step 4: Enable Claims Transformation
For information on creating a custom attribute for the profile of the app you created, see Configure Google Chrome Enterprise in the Cisco Duo documentation.
- Return to the Cisco Duo admin console.
- Go to the configuration page of the Google Chrome Enterprise app you added.
- Scroll down to OIDC Response and check the Enable Claim Transformations box.
- For Transformation Rules, enter the following text on three separate lines:
use "<Username>"
remove additional_attr="<Username>"
append text=""
- Paste the enrollment token between the quotation marks on the last line, append text="". The net effect of the three rules is a claim whose value is just the enrollment token.
- For Scope, select profile.
- For Claim, enter enrollment_token.
Step 5: Assign users to the app
Note: If your users’ identities are synced to Google, they don’t need an enrollment token value. Instead, ensure that the email address assigned to the email claim is the same as the email address used for that user’s Google identity.
Still in the Cisco Duo admin console:
- Go to Applications > Manage Applications to open the app you created.
- Choose the user access that you want to apply to your organization. Because the enrollment token is delivered in the enrollment_token claim to anyone who can authenticate to this app, this setting is what controls who can enroll a managed profile:
- Disable for all users (default)—No active Duo users can access that application.
- Enable only for permitted groups—Only active Duo users who are members of the selected groups can authenticate to that application. You can select up to 100 permitted groups.
- Enable for all users—Allows all existing active Duo users to authenticate to that application.
For more information see User Access and Duo Administration - Using Groups.
- At the bottom, click Save.
Note: To enable your users to sign in with Cisco Duo, you need to provide them with the Enrollment URL generated from the Google Admin Console. One way to share this URL with users is by customizing the help desk message from Cisco Duo and including the Enrollment URL in that message. For details on how to customize the message, see Help Desk Custom Message.
Step 6: Register a Chrome profile
- Return to the Google Admin console.
- Go to Menu > Chrome browser > Connectors. This requires the Chrome administrator privilege.
- Select the identity-based enrollment connector you want to use.
- From the Details side panel, copy the enrollment URL.
- Open Chrome browser (version 134 or later).
- Navigate to the enrollment URL. Chrome redirects you to the Cisco Duo sign-in page.
- Accept the profile creation when Chrome prompts for consent.
- After configuration is complete, share the URL with your users so that they can create profiles on their own.
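The following script is an added example, not code from Google or Cisco Duo, that ties the settings in Steps 1, 2 and 4 together so you can sanity-check a configuration before enabling user access in Step 5: it generates a PKCE verifier/challenge pair, builds the authorization request an Authorization Code + PKCE client sends to the redirect URI above, shows the token-endpoint check a PKCE-only IdP performs, and validates a decoded ID-token payload against the claim names the Universal Enrollment connector was given (email, enrollment_token, issuer). The issuer, authorization endpoint, client ID, enrollment token value and the ID-token payload are constructed placeholders, not Duo's real values; a real ID token is a signed JWT whose signature you must verify against the issuer's JWKS before trusting its claims, which this example assumes has already happened.

```python
from __future__ import annotations

import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Values fixed by the procedure on this page.
REDIRECT_URI = "https://chromeenterprise.google/profile-enrollment/register-handler"
SCOPES = "openid email profile"              # profile carries the enrollment_token claim (Step 4)
EMAIL_CLAIM = "email"                        # Email claim entered in the connector (Step 2)
ENROLLMENT_TOKEN_CLAIM = "enrollment_token"  # Enrollment token claim entered in the connector (Step 2)

# Hypothetical stand-ins for the values you copy out of the Duo app (assumption, not Duo's real values).
ISSUER = "https://idp.example.com/oidc"
AUTHORIZE_ENDPOINT = ISSUER + "/authorize"
CLIENT_ID = "example-client-id"
ENROLLMENT_TOKEN = "constructed-enrollment-token-value"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters, inside the allowed 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(challenge: str, state: str, nonce: str) -> str:
    """The authorization request Chrome would send for an Authorization Code + PKCE app."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def idp_accepts_token_request(stored_challenge: str, code_verifier: str | None) -> bool:
    """The check a PKCE-only IdP performs at the token endpoint: a missing verifier, or one
    that does not hash to the challenge stored with the code, means the exchange is refused."""
    if not code_verifier:
        return False
    recomputed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)


def check_id_token_claims(claims: dict, nonce: str, identities_synced_to_google: bool = False) -> list[str]:
    """Return the reasons a decoded ID-token payload would not satisfy the connector configuration.
    When identities are synced to Google, the enrollment_token claim is not required (Step 5 note)."""
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss does not match the issuer entered in the connector")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        problems.append("aud does not contain the connector client ID")
    if claims.get("nonce") != nonce:
        problems.append("nonce does not match the authorization request")
    if not claims.get(EMAIL_CLAIM):
        problems.append(f"{EMAIL_CLAIM} claim missing (the connector's Email claim)")
    if not identities_synced_to_google and not claims.get(ENROLLMENT_TOKEN_CLAIM):
        problems.append(f"{ENROLLMENT_TOKEN_CLAIM} claim missing (Step 4 transformation not applied)")
    return problems


def sample_claims(nonce: str) -> dict:
    """Constructed ID-token payload shaped like what Step 4 should produce (not a real Duo token)."""
    return {
        "iss": ISSUER,
        "aud": CLIENT_ID,
        "nonce": nonce,
        "email": "user@example.com",
        "name": "Example User",
        "enrollment_token": ENROLLMENT_TOKEN,
    }


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url(challenge, state, nonce))
    print("code exchange with verifier:", idp_accepts_token_request(challenge, verifier))
    print("code exchange without verifier:", idp_accepts_token_request(challenge, None))
    print("claim problems:", check_id_token_claims(sample_claims(nonce), nonce))
</ ```

To use it against a real Duo app, replace the hypothetical ISSUER and CLIENT_ID with the Issuer and Client ID from the app, and feed check_id_token_claims the verified payload of an ID token obtained by completing the enrollment URL flow; an empty problem list means the claims the connector expects are all present.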
Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.