Configure SAML Single Sign-On for Chrome apps
Chrome devices can be configured for Single Sign-On access via an enterprise’s SAML provider. This ensures that users sign in once to their device and their SSO carries through their session. While this works automatically with SAML-enabled applications that users visit through the Chrome browser, it doesn’t work for Chrome apps they install via the Chrome Web Store such as Citrix Receiver, Cisco AnyConnect, and others.
The SAML SSO for Chrome Apps extension helps you configure SAML SSO for Chrome apps. The relevant setup steps are outlined in the following sections.
Step 1: Setup your app for SAML SSO
SAML SSO is federated authentication that needs to be configured for your service’s backend as well. This configuration is vendor-specific, so please work with the corresponding vendor’s teams and documentation to properly configure federated authentication for their services.
To verify your setup on this first step, configure SAML SSO for Chromebooks, and then go to your service’s login page in Chrome browser (not via their Chrome app) after logging into the Chromebook via SAML. If the service utilizes the browser’s SAML state and logs the user in, then you have properly set up SAML for both Google’s and your vendor’s backends, and you can proceed to Step 2.
Step 2: Collate relevant SAML cookie domains
The SAML SSO for Chrome Apps extension only hands out cookies to whitelisted apps into whitelisted domains. To get a list of these domains, you can either ask your Identity administrator for that list or manually inspect the cookies that are set by your SAML provider in Chrome OS. The latter can be done by logging in and directly (without visiting any other websites) inspecting Chrome’s cookie store.
You can install the Cookie API Test Extension to inspect cookies. Note that this is simply a live version of the extension from Chrome’s API samples; and if it fits the admin better, then that zip can be downloaded and installed manually via chrome://extensions.
Step 3: Set Up the configuration file
Once a list of apps and domains to be whitelisted is available, a configuration file can be set up by mapping these values to each other. The full schema for this mapping can be found in the extension’s schema.json file.
Cookie access is gated over a primary filter for domain and secondary filters for cookie names, paths, and secure properties. These secondary parameters will be applied in addition to the domain filtering. An entry with no domain provided will not return any cookies. An empty whitelist will result in the default behavior, which is to block all incoming requests and not hand over any cookies.
An example configuration:
"name": "Secondary Cookie Name",
Step 4: Deploy the SAML SSO for Chrome Apps extension
Admins can now deploy the SAML SSO for Chrome Apps extension by navigating to the corresponding App Management URL. First, force-install the extension via the Force Installation option for the proper Organizational Unit. Then upload the configuration file saved from Step 3.