Configure SAML single sign-on for Chrome devices

Security Assertion Markup Language (SAML) single sign-on (SSO) support for Chrome devices allows users to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP). Signing in is very similar to signing in to a Google Workspace account from a browser via SAML SSO. However, because a user is signing in to a device, there are several additional considerations.

For more details, see Set up single sign-on for managed Google Accounts using third-party Identity providers.

Requirements

  • Chrome device running Chrome OS version 36 or higher
  • Domain configured for SAML SSO for Google Workspace
  • SAML URL using HTTPS not HTTP
  • Chrome licenses for your devices

Step 1:

If you haven’t already, set up single sign-on for managed Google Accounts using third-party Identity providers.

Step 2:

Set up and test SAML SSO on a test domain you own. If you don’t have a test domain, test SAML SSO with a small number of users by creating a test group and enabling SSO for users only in that group. After testing SAML SSO with a small number of users, roll it out to approximately 5% of your users.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devicesand thenChrome.
  3. On the left, click Settingsand thenUsers & browsers
  4. To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Under Single sign-on, select Enable SAML-based single sign-on for Chrome devices from the list.
  6. Click Save.

(Optional) Step 3:

To allow single sign-on users to log in to internal websites and cloud services that rely on the same IdP on subsequent sign-ins to their Chrome device, you can enable SAML SSO cookies.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devicesand thenChrome.
  3. On the left, click Settingsand thenDevice
  4. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Under Single sign-on cookie behavior, select Enable transfer of SAML SSO cookies into user session during sign-in from the list.
  6. Click Save.
Learn more about this setting.

 

Step 4 (For Chrome devices configured using AD FS):

In Active Directory Federation Services (AD FS), Windows Integrated Authentication (WIA) automatically lets users sign in to browser-based apps and your organization’s intranet without having to manually enter their username and password. Chrome OS only supports WIA on Chrome devices that are managed by Microsoft® Active Directory®, not on cloud-managed Chrome devices. As most Chrome OS devices are cloud-managed, authentication requests from Chrome devices fail.

To allow WIA in Chrome Browser on other devices that you manage and Chrome devices that are managed by Active Directory, you need to configure the WIASupportedUserAgentStrings property using the Set-AdfsProperties commandlet to only allow the user agents that you specify.

  1. Sign in to your primary ADFS server and open a PowerShell session. 
  2. Add the Mozilla user agent to the list of supported browsers.
    When Mozilla is on the supported list, Chrome Browser is also supported. 
    • For Microsoft® Windows®, enter:
      Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Mozilla/5.0 (Windows NT")
    • For Apple® macOS®, enter
      Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Mozilla/5.0 (Macintosh; Intel Mac OS X")
    • For Chrome devices managed by Active Directory, enter:
      Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Mozilla/5.0 (X11; CrOS")
      Warning: Most Chrome OS devices are cloud-managed. Only use this command if you are sure that your devices are managed by Active Directory. For details about integrating Chrome devices with an Active Directory server, see Manage Chrome devices with Active Directory.

(Optional) Step 5:

To allow single sign-on users to navigate directly to your SAML IdP page instead of first having to type in their email address, you can enable SAML SSO IdP Redirection.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devicesand thenChrome.
  3. On the left, click Settingsand thenDevice
  4. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Under Single sign-on IdP redirection, select Allow users to go directly to SAML SSO IdP page from the list.
  6. Click Save.
Learn more about this setting.

 

Step 6:

After testing SAML SSO for Chrome devices on 5% of your organization, you can roll it out to everyone by enabling the same policy for additional groups. If you run into issues, contact Google Cloud Support.

Sign in to a Chrome device with SAML single sign-on

Once SAML SSO on Chrome devices has been configured for your organization, users will see the following steps when they sign in to a Chrome device.

Requirements

  • You’ve completed all of the steps described above.

Sign-in Sequence:

Instruct your users to do the following when first signing in to their Chrome device. Note: You will need to test this before rolling it out to your organization.

  1. Enter your username (full email address) on the Chrome device sign in page. A password is not needed in this step.
  2. You will be taken to your organization’s SAML SSO page. Enter your SAML credentials on the SAML provider login page.
  3. If prompted, re-enter your password to complete sign-in. This step is only necessary if your Identity Provider has not yet implemented the Credentials Passing API. This is necessary to allow offline access to your Chrome device and also to be able to unlock it.
  4. When signed in successfully, your session starts and the browser opens. The next time you sign in, you will only need to enter your password once when you start up your Chrome device. If you run into issues, please contact your IT administrator.

FAQs

After signing in with my SAML provider, I am prompted to re-enter my password. Is that normal?

Yes. This is necessary to allow offline access to your Chrome device and to be able to unlock it. We have an API that SAML vendors can implement to remove the need for this confirmation step.

If a user changes their password on another device, how do you make sure the Chrome device gets updated to unlock with the new password?

We recommend you use the simple update method on our Directory API which will notify our authentication server when a password is changed. Enter the password value in the Request body. If the API is not used, the password change will be detected at the next online login flow. By default, the Chrome device will force an online sign in every 14 days even if the password didn't change. You can change this period in the Admin console by going to Devicesand thenChromeand thenSettingsand thenUsers & browsersand thenSingle sign-on online login frequency.

My password has special characters, will it work?

We support ASCII printable characters only.

I see the screen “Oops, couldn't sign you in. Sign-in failed because it was configured to use a non-secure URL. Please contact your administrator or try again”. What should I do?

If your employees are reporting this error message, it means that the SAML IdP is trying to use an HTTP URL and only HTTPS is supported. It is important that the entire sign-in flow uses HTTPS only. So even if the initial sign-in form is served over HTTPS, you can get this error if your IdP redirects to an HTTP URL somewhere later in the process. If you fix this and users are still getting the error message, please contact Google Cloud Support.

I am an IT administrator. Why am I am not being redirected to my SAML Identity Provider?

This is by design. In the event of something going wrong during setup, we still want the administrator to be able to login and troubleshoot the problem.

Does SSO work with TLS and SSL content filters?

Yes. Please follow Set up TLS (or SSL) inspection on Chrome devices for setup. In addition to allowed domains documented in Set up a host name allowlist, you also need to allow your SSO Identity Provider domain and www.google.com.

How does SSO work with camera permissions?

To give third party software direct access to the device camera on behalf of your SSO users, you can enable single sign-on camera permissions.

Go to Devicesand thenChromeand thenSettingsand thenDeviceand thenSingle sign-on camera permissionsand thenWhitelist of single sign-on camera permissions.

Learn more about this setting.

By enabling this policy, the administrator grants third parties access to their users' cameras on their users' behalf. The administrator should ensure that they have proper consent forms in place for users as the system does not show end users any consent forms once camera permission is granted via this policy.
Was this helpful?
How can we improve it?