Security Assertion Markup Language (SAML) single sign-on (SSO) support for Chrome devices allows users to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP). Signing in is very similar to signing in to a G Suite account from a browser via SAML SSO with G Suite. However, because a user is signing in to a device, there are several additional considerations.
- Chrome device running Chrome OS version 36 or higher
- Domain configured for SAML SSO for G Suite
- SAML URL using HTTPS not HTTP
- Chrome licenses for your devices
If you haven’t already, set up SSO with your G Suite account.
Set up and test SAML SSO on a test domain you own. If you don’t have a test domain, test SAML SSO with a small number of users by creating a test group and enabling SSO for users only in that group. After testing SAML SSO with a small number of users, roll it out to approximately 5% of your users.
- In the Google Admin console, click Device ManagementChrome managementUser & browser settings.
- Under Single Sign-On, choose Enable SAML-based Single Sign-On for Chrome Devices from the drop-down menu.
- Click Save Changes.
Step 3 (Optional):
To allow single sign-on users to log in to internal websites and cloud services that rely on the same Identity Provider on subsequent sign-ins to their Chrome device, you can enable SAML SSO cookies.
Go to Device managementChrome managementDevice SettingsSingle Sign-On Cookie Behavior. Learn more about this setting.
Step 4 (For Chrome devices configured using AD FS):
In Active Directory Federation Services (AD FS), Windows Integrated Authentication (WIA) automatically lets users sign in to browser-based apps and your organization’s intranet without having to manually enter their username and password. Chrome OS only supports WIA on Chrome devices that are managed by Microsoft® Active Directory®, not cloud-managed Chrome devices. So, authentication requests from cloud-managed Chrome devices fail.
To allow WIA in Chrome Browser on other devices that you manage and Chrome devices that are managed by Active Directory, you need to configure the WIASupportedUserAgentStrings property using the Set-AdfsProperties commandlet to only allow the user agents that you specify.
- Sign in to your primary ADFS server and open a PowerShell session.
- Add the Mozilla user agent to the list of supported browsers.
When Mozilla is on the supported list, Chrome Browser is also supported.
- For Microsoft® Windows®, enter:
Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Mozilla/5.0 (Windows NT")
- For Apple® macOS®, enter
Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Mozilla/5.0 (Macintosh; Intel Mac OS X")
- For Microsoft® Windows®, enter:
For details about integrating Chrome devices with Active Directory server, see Manage Chrome devices with Active Directory.
Step 5 (Optional):
To allow single sign-on users to navigate directly to your SAML IdP page instead of first having to type in their email address, you can enable SAML SSO IdP Redirection.
Go to Device managementChrome managementDevice SettingsSingle Sign-On IdP Redirection. Learn more about this setting.
After testing SAML SSO for Chrome devices on 5% of your organization, you can roll it out to everyone by enabling the same policy for additional groups. If you run into issues, contact Google Cloud Support.
Sign in to a Chrome device with SAML single sign-on
Once SAML SSO on Chrome devices has been configured for your organization, users will see the following steps when they sign in to a Chrome device.
- You’ve completed all of the steps described above.
Instruct your users to do the following when first signing in to their Chrome device. Note: You will need to test this before rolling it out to your organization.
- Enter your username (full email address) on the Chrome device sign in page. A password is not needed in this step.
- You will be taken to your organization’s SAML SSO page. Enter your SAML credentials on the SAML provider login page.
- If prompted, re-enter your password to complete sign-in. This step is only necessary if your Identity Provider has not yet implemented the Credentials Passing API. This is necessary to allow offline access to your Chrome device and also to be able to unlock it.
- When signed in successfully, your session starts and the browser opens. The next time you sign in, you will only need to enter your password once when you start up your Chrome device. If you run into issues, please contact your IT administrator.
After signing in with my SAML provider, I am prompted to re-enter my password. Is that normal?
Yes. This is necessary to allow offline access to your Chrome device and to be able to unlock it. We have an API that SAML vendors can implement to remove the need for this confirmation step.
If a user changes their password on another device, how do you make sure the Chrome device gets updated to unlock with the new password?
We recommend you use the simple update method on our Directory API which will notify our authentication server when a password is changed. Enter the password value in the Request body. If the API is not used, the password change will be detected at the next online login flow. By default, the Chrome device will force an online sign in every 14 days even if the password didn't change. You can change this period in the Admin console by going to Device ManagementChrome ManagementUser & browser settingsSingle Sign-On Online Login Frequency.
My password has special characters, will it work?
We support ASCII printable characters only.
I see the screen “Oops, couldn't sign you in. Sign-in failed because it was configured to use a non-secure URL. Please contact your administrator or try again”. What should I do?
If your employees are reporting this error message, it means that the SAML IdP is trying to use an HTTP URL and only HTTPS is supported. It is important that the entire sign-in flow uses HTTPS only. So even if the initial sign-in form is served over HTTPS, you can get this error if your IdP redirects to an HTTP URL somewhere later in the process. If you fix this and users are still getting the error message, please contact Google Cloud Support.
I am an IT administrator. Why am I am not being redirected to my SAML Identity Provider?
This is by design. In the event of something going wrong during setup, we still want the administrator to be able to login and troubleshoot the problem.
Does SSO work with TLS and SSL content filters?
Yes. Please follow Set up TLS (or SSL) inspection on Chrome devices for setup. In addition to whitelisted domains documented in Set up a host name whitelist, you also need to whitelist your SSO Identity Provider domain and www.google.com.
How does SSO work with camera permissions?
To give third party software direct access to the device camera on behalf of your SSO users, you can enable single sign-on camera permissions.
Go to Device managementChrome managementDevice SettingsWhitelist of single sign-on camera permissions. Learn more about this setting.