Configure SAML single sign-on for Chrome apps

Use the SAML SSO for Chrome Apps extension to configure Security Assertion Markup Language (SAML) single sign-on (SSO) for Chrome apps.

Users can sign in to a Chrome app with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP).

Considerations

  • SAML single sign-on (SSO) is a form of federated authentication that must be configured for your service’s backend. SSO works automatically with SAML-enabled apps that users visit through the Chrome browser, but it doesn’t work for Chrome apps they install from the Chrome Web Store, such as Citrix Receiver or Cisco AnyConnect.
  • The SAML SSO for Chrome Apps extension only hands out cookies to allowlisted apps for allowlisted domains.
  • You should only allowlist apps that you fully trust with your users’ data. Make sure you have consent forms for users because you are granting permissions to certain apps on users’ behalf. The system will not show users any consent forms once permission is granted by a policy.
  • Cookie access is gated by a primary filter on domain and by secondary filters on cookie name, path, and secure property. The secondary filters are applied in addition to the domain filter. An entry with no domain provided does not return any cookies. An empty allowlist results in the default behavior of blocking all incoming requests and not handing over any cookies.

Step 1: Set up your app for SAML SSO

  1. Follow the relevant SAML vendor’s documentation to properly configure federated authentication for their services.
  2. Verify your setup by configuring SAML SSO for Chromebooks.
  3. Sign in to the Chromebook using SAML and go to your SAML vendor’s sign-in page in Chrome browser. Do not sign in via their Chrome app.
    If the user is automatically signed in, you have set up SAML for both Google’s and your vendor’s backends.

Step 2: Get a list of allowlisted domains

You can manually inspect the cookies that are set by your SAML provider in Chrome OS and collate a list of allowlisted domains using the Cookie API Test Extension. This is a live version of the extension from Chrome’s API samples. Alternatively, ask your Identity administrator for the list.

  1. Install the Cookie API Test Extension.
  2. Sign in and then, without visiting any other websites, inspect the Chrome browser’s cookie store.
    You can also download the zip file and install it manually via chrome://extensions.

Step 3: Set up the configuration file

Set up a configuration file for the allowlisted domains. The full schema for this mapping can be found in the extension’s schema.json file.

An example configuration:

{
  "whitelist": {
    "Value": [
      {
        "appId": "aaaaabbbbbbcccccddddd",
        "domain": "domain1"
      },
      {
        "appId": "aaaaabbbbbbcccccddddd",
        "domain": "domain1",
        "name": "Secondary Cookie Name",
        "secure": true
      },
      {
        "appId": "eeeeefffffgggggghhhhhhh",
        "domain": "domain1",
        "path": "secondary.path"
      }
    ]
  }
}
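
The filtering rules from Considerations applied to a configuration of this shape, as an added example (not the extension's own code): it lints an allowlist before upload and shows which cookies each app would receive. The app IDs, domains and cookies are constructed, and exact-string domain matching is an assumption.

```javascript
// Added example: models the allowlist rules described on this page.
// Not the extension's code; exact-string domain matching is an assumption.
const SECONDARY = ["name", "path", "secure"];

// Return the allowlist entries, or [] when the key is missing.
function entriesOf(config) {
  return (config.whitelist && config.whitelist.Value) || [];
}

// Flag entries that will not behave as the administrator probably intends.
function lintAllowlist(config) {
  const entries = entriesOf(config);
  if (entries.length === 0) {
    return ["empty allowlist: every request is blocked, no cookies handed over"];
  }
  const findings = [];
  entries.forEach((e, i) => {
    if (!e.domain) {
      findings.push(`entry ${i}: no domain, so it returns no cookies`);
    } else if (!SECONDARY.some((k) => k in e)) {
      findings.push(`entry ${i}: domain-only, ${e.appId} gets every cookie for ${e.domain}`);
    }
  });
  return findings;
}

// Cookies an app would receive: domain is the primary filter, and any
// secondary field present in the entry must also match the cookie.
function cookiesForApp(config, appId, cookies) {
  const entries = entriesOf(config).filter((e) => e.appId === appId && e.domain);
  return cookies.filter((c) =>
    entries.some((e) =>
      c.domain === e.domain && SECONDARY.every((k) => !(k in e) || c[k] === e[k])));
}

// Constructed sample data (placeholder app IDs, domains and cookies).
const sampleConfig = { whitelist: { Value: [
  { appId: "app-one", domain: "idp.example" },
  { appId: "app-two", domain: "idp.example", name: "SESSION", secure: true },
  { appId: "app-three", path: "/sso" },
] } };
const sampleCookies = [
  { domain: "idp.example", name: "SESSION", path: "/", secure: true },
  { domain: "idp.example", name: "prefs", path: "/", secure: false },
  { domain: "other.example", name: "SESSION", path: "/", secure: true },
];

console.log(lintAllowlist(sampleConfig));
console.log(cookiesForApp(sampleConfig, "app-two", sampleCookies).map((c) => c.name));
```

A domain-only entry is the broadest grant the schema allows, so the lint reports it for review rather than treating it as an error.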

Step 4: Deploy the SAML SSO for Chrome Apps extension

  1. Automatically install the SAML SSO for Chrome Apps extension for users in your organization by navigating to the corresponding App Management URL. For information about how to force-install specific apps, see Automatically install apps and extensions.
  2. Upload the configuration file saved in Step 3. For information about installing custom policies for apps and extensions, see Policy for extensions.

Report an Issue

If you have an issue or feature request for the SAML SSO for Chrome Apps extension, file it on the GitHub repository.

Related topics

Configure SAML single sign-on for Chrome devices
