SSO lets users sign in just one time to get access to all their enterprise cloud applications. When SSO is set up, users can sign in to their third-party IdP, then access Google apps directly without a second sign-in, with these exceptions:
- Even if they've already signed in to their IdP, as an extra security measure, Google will sometimes ask them to verify their identity. For more information (and details on how to disable this verification if necessary), go to Understanding SAML secure sign-in.
- You can set up additional two-step verification for users who access Google services. Two-step verification is normally bypassed when SSO is turned on. For more information, go to Enable challenges with SSO.
SSO is also available on Chrome devices. For details, go to Configure SAML single sign-on for Chrome Devices.
Pre-2.1 Android devices use Google authentication. If you try to sign in with these devices, you are prompted for your full managed Google account email address (including username and domain), and you go directly to the application after you sign in. Google does not redirect you to the SSO sign-in page, regardless of the network mask.
With iOS applications, when the SSO Sign-in page URL starts with "google." (or some variation), the Google iOS app is redirected to Safari. This causes the SSO process to fail. The full list of forbidden prefixes is:
You'll need to change any SSO Sign-in page URLs that have these prefixes.
SSO and Secure LDAP
Secure LDAP requires a Google password and is incompatible with SSO.