Google Workspace supports Single Sign-On for apps that leverage federation through SAML. While many apps support this standard, there are thousands of apps that don't support federation and require credentials for sign-on.
As an administrator, you can use the password vaulted apps service to manage access to some of the apps that don't support federation and that are available to users on the user Dashboard. The password vaulted apps service stores sets of login credentials for applications and assigns those credential sets to users through group membership. When a user has access to one of these applications through a group, they can sign in to the application from the user Dashboard, or they can sign in directly at the application itself. This functionality relies on a browser extension for Chrome or Firefox, which fills in the stored credentials on the user's behalf.
When adding an app to the password vaulted apps service, you can search and choose from the available web-based applications in the app library, or you can add a custom app. You can then manage usernames and passwords safely while providing users in your organization with quick one-click access to all of the apps they already use.
Before you configure password vaulted apps for your organization, we recommend that you set up a new group structure in the Google Admin console that’s designed specifically for password vaulted apps. Setting up a new group structure helps you avoid impacting other workflows and setups in the Admin console, and it improves the experience for users as they access password vaulted apps on the user Dashboard.
Follow these steps when setting up a new group structure that’s designed specifically for password vaulted apps:
- Create at least one access group for each app that you add to the password vaulted apps service. These groups will be the containers for setting up group assignments for users. For details and instructions about using groups to control access, see Ways to create groups.
- Add users (or other groups) to your access groups.
For example, you can set up your group structure as follows (where pva stands for password vaulted apps):
| App | App group (holds credentials) | Members (groups, users, roles) |
|---|---|---|
| Twitter | pva_twitter | Sales team, Operations |
| Slack | pva_slack_pr | Public relations, Marketing |
After you add the apps to the password vaulted apps service, you can then manage access to the apps by managing group membership.
- In some cases, you might have multiple instances of an app (also described as multi-tenant apps) on the user Dashboard, with different log-in URLs for each app. For example, you might set up an installation of the Slack app for public relations and marketing, and set up another installation for legal counsel, as shown in the table above.
- You must create these groups in the Admin console, Directory API, or Google Cloud Directory Sync. Groups created in Groups for Business can’t be used as access groups. (The Admin console doesn’t show whether a group was created in Groups for Business.)
- With the password vaulted apps service, access to apps is granted only through group membership; you can't grant access by organizational unit.
To configure password vaulted apps in the Google Admin console:
- Add apps to the password vaulted apps service (select from the existing catalog)
- Add login credentials
- Grant users or groups access to the apps
- As an administrator, when you change passwords in third-party apps, be sure to update the passwords in the Google Admin console at Apps > Password Vaulted apps.
- When an employee leaves the company, change the underlying credential of every app whose shared credential that person could use—both in the third-party app and in the Google Admin console. For credentials tied to an individual account, you might instead remove that account in the app. To update a stored credential, select the app in question in the Admin console, go to the credentials card, and make the change. Do this only after first changing the third-party app's password, so that the vaulted credential always matches what the app accepts.
- If an application includes 2-step verification, and if you add that application to the password vaulted apps service, the Chrome extension will behave as normal—in other words, the extension will fill in the account’s username and password for the user—but the user will be prompted for the second factor when they try to access the password vaulted app.
- Password vaulting gives you control over credentials and over who can access an app. To ensure passwords are not inadvertently revealed, make sure that no other password manager, and no browser feature that offers to save passwords at sign-in, is active for users; otherwise a filled-in password can be captured and stored outside your control.
- The password vaulted apps service is supported only in Chrome and Firefox; it is not currently supported on mobile devices.
- As with other password managers, a user can recover the password that the extension fills into a website by using browser developer tools such as the Chrome DevTools console. Vaulting limits where a password is stored and who receives it, but it does not hide the password from the user who signs in with it. If the credentials are sensitive and you can't accept the risk of users learning the passwords, consider SAML authentication instead of password vaulted apps.
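The two caveats above (no competing password store, and the extension present in every managed browser) can also be enforced centrally through Chrome enterprise policy rather than left to each user. The following is an added example, not from the article: a managed-policy file in the JSON form Chrome reads on Linux from /etc/opt/chrome/policies/managed/, using Chrome's `PasswordManagerEnabled` policy to turn off the browser's own offer to save passwords and `ExtensionInstallForcelist` to force-install the extension from the Chrome Web Store. The extension ID is a placeholder and must be replaced with the ID the article refers to; the update URL is the Chrome Web Store's standard update endpoint.

```json
{
  "PasswordManagerEnabled": false,
  "ExtensionInstallForcelist": [
    "REPLACE_WITH_CLOUD_IDENTITY_ACCOUNT_MANAGER_EXTENSION_ID;https://clients2.google.com/service/update2/crx"
  ]
}
```

The same two policies can be set for enrolled browsers through Chrome Browser Cloud Management in the Admin console, which is the route the next section describes.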
To access applications from the password vaulted apps service, your users must install the Cloud Identity Account Manager browser extension for Chrome, using the instructions below.
Or, if you use Chrome Browser Cloud Management, you can install the extension for your users. For details on installing the extension for your users, see Manage Chrome Browser extensions in the Admin console and Automatically install apps and extensions. Note that this extension must be installed using the following extension ID:
To help your users gain access to password vaulted apps, have them follow these steps:
- Sign in to your corporate account—not your personal Gmail account.
- Install the Cloud Identity Account Manager browser extension for Chrome. Go to the following URL:
- Click Add to Chrome.
Optional: If you haven’t yet installed the Cloud Identity Account Manager browser extension, you’ll be prompted to install the extension if you click a password vaulted app within the user Dashboard. In the pop-up window, click Install extension. You can then follow the steps to add the extension.
- If you haven’t signed in to your Chrome profile while trying to install the Cloud Identity Account Manager browser extension, you’ll be prompted to turn on sync before continuing. Be sure to sign in with your corporate account, click Link data, and then—in the Turn on Sync window—click Yes, I’m in.
- After installing the extension, you’ll be able to use any password vaulted applications on the Dashboard for which your IT administrator has provided access. Additionally, you may have the option to sign in to password vaulted apps automatically by visiting a third-party site (for example, box.com or twitter.com).
- The functionality of the Firefox browser extension is identical to Chrome, but there’s no need for profile sync with Firefox.
- For additional details about the Dashboard, see Get started with Google Workspace Dashboard.