Tag Archives: identity

Five new third-party applications added to G Suite pre-integrated SAML apps catalog

What’s changing 

We’re adding SAML integration for five additional applications:
  • Firstbird
  • Foodee
  • Hive
  • LaunchDarkly
  • RECOG
Use our Help Center to see the full list of SAML apps and find out how to configure SAML applications.

Who’s impacted 

Admins only

Why you’d use it 

With Single-Sign-On (SSO), users can access all of their enterprise cloud applications—including the Admin console for admins—after signing in just one time. Google supports the two most popular enterprise SSO standards, OpenID Connect and SAML, and there are already many applications with pre-integrated SSO support in our third-party apps catalog.

How to get started 

  • Admins: You can find our full list of pre-integrated applications, as well as instructions for installing them, in the Help Center.
  • End users: No action needed.

Additional details 

Note that apart from the pre-integrated SAML applications, G Suite also supports installing “Custom SAML Applications,” which means that admins can install any third-party application that supports SAML. The advantage of a pre-integrated app is that the installation is much easier. Use our Help Center to learn more about installing Custom SAML Applications.

Helpful links 

Help Center: Using SAML to set up federated SSO 
Help Center: Set up your own custom SAML application

Availability

Rollout details 

G Suite editions 
Available to all G Suite editions.

On/off by default? 
This feature will be OFF by default and can be enabled at the OU level.

Stay up to date with G Suite launches

Use an Android phone for 2-step verification on iOS devices

Quick launch summary 

Earlier this year we announced the ability to use your Android phone’s built-in security key for two-factor authentication in G Suite.

Now, you can use devices with Android 7.0+ (Nougat) to verify your sign-in to Google and Google Cloud services on Apple iPads and iPhones.
To learn more about using your Android phone’s built-in security key to verify sign-in on iOS devices, see our Security Blog.


Availability 

Rollout details 
G Suite editions 
  • Available to all G Suite editions 
On/off by default? 
  • If 2-Step Verification or Security Key Enforcement is turned on for an organization, Android phone will be available as an option for security keys by default. 

SSO + network mask domains can now force Google password reset on next login

What’s changing 

We’re providing more control over user password policies for some customers using third-party identity providers (IdPs) via SAML. Previously, these customers could not enforce the “Require password change” setting for their users. Now, SSO customers who have a network mask defined can turn on this setting and force their users to change their Google password the next time they log in using their G Suite or Cloud Identity credentials.

Who’s impacted 

Admins only

Why you’d use it 

For many customers who use third-party IdPs via SAML, preventing “Require password change” is the desired behavior. Their users only need to know their credentials for their IdP so forcing them to change their Google password is not meaningful.

However, some G Suite admins in domains with a third-party IdP use a network mask to allow some of their users to log in using their G Suite or Cloud Identity credentials. In such deployments, there may be users who sign in using their G Suite credentials. For these users, admins may want to generate a temporary password and then have the user change it on the next login. This update will help admins of domains that use SSO and a network mask to do this.

How to get started 


  • Admins: This update will only impact domains with a SAML IdP configured for SSO and a network mask. To check if you have a network mask, go to Admin console > Security > Network masks and see if there’s information defined.
  • Admins at domains with SAML IdP configured for SSO and a network mask can turn on the setting in the Admin console (“Require password change”) or via the Admin SDK (“Do Force password change on Next Login”). Once turned on, it will be enforced for that user’s next login. See the sample screenshot below.
  • If your domain has SSO but does not have a network mask configured, then there will be no change. The required password change option will show as OFF and you won’t be able to turn it on. See the sample screenshot below.


Helpful links 

Help Center: Set up single sign-on for managed Google Accounts using third-party Identity providers
G Suite Admin SDK documentation for updating user details 

Availability 

Rollout details 


G Suite editions 

  • Available to all G Suite editions 

On/off by default? 

  • The new setting is automatically available depending on whether or not an SSO domain has a network mask configured.


Consolidated Google Groups audit logs now available in G Suite and GCP

What’s changing 

Consolidated Google Groups audit logs are now available in the G Suite AdminSDK Reports API and GCP Cloud Audit Logs. Specifically, you’ll notice:

  • Changes in the G Suite AdminSDK Reports API: We’re introducing a new consolidated log named groups_enterprise, which includes changes to groups and group memberships across all products and APIs. These were previously split across the groups and admin audit logs. 
  • Changes in GCP Cloud Audit Logging: We’re adding Google Groups information to Cloud Audit Logs (CAL) in Stackdriver. See our Cloud Blog post for more details on how this could help GCP customers. Note that this will not change visibility of these logs in the G Suite Admin console - it just adds them to Cloud Audit Logs (CAL) in Stackdriver as well. 


Who’s impacted 

G Suite and GCP Admins only

Why you’d use it 

These changes will help improve the security and usability of Groups as an IAM tool by streamlining administration, transparency, and access monitoring.

How to get started 


  • Admins: 
    • Changes in the G Suite AdminSDK Reports API: Get started with the AdminSDK Reports API
    • Changes in GCP Cloud Audit Logging: This is an opt-in feature that can be enabled at G Suite Admin console > Company profile > Legal & Compliance > Sharing options. 
  • End users: No action needed. 


Additional details 

Changes in the G Suite AdminSDK Reports API 
Changes to groups have historically been logged in either the groups or admin audit logs. Changes made in the Google Groups product are logged in the groups log while changes made through admin tools like the Admin console, AdminSDK, and GCDS are logged in the admin log. As part of our efforts to streamline administration and increase transparency, we’re introducing a new consolidated log named groups_enterprise, which includes changes to groups and group memberships across all products and APIs. This new log is now available through the AdminSDK Reports API and will be available in the Admin console in the future.
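
A review pass over the consolidated log, as an added example (not part of the original announcement and not Google's code): it flags membership additions that bring in an outside address or grant an owner or manager role. The sample entries are constructed in the shape of Reports API activity items; the event name add_member, the parameter names group_id, member_id and member_role, and the example.com domain are assumptions to check against real groups_enterprise output.

```python
# Constructed sample in the shape of Reports API activities.list output for
# applicationName=groups_enterprise. Event and parameter names are assumed.
SAMPLE = {"items": [
 {"id": {"time": "2019-10-01T09:15:00Z"}, "actor": {"email": "admin@example.com"},
  "events": [{"name": "add_member", "parameters": [
    {"name": "group_id", "value": "prod-deployers@example.com"},
    {"name": "member_id", "value": "contractor@partner.test"},
    {"name": "member_role", "value": "member"}]}]},
 {"id": {"time": "2019-10-01T09:20:00Z"}, "actor": {"email": "lead@example.com"},
  "events": [{"name": "add_member", "parameters": [
    {"name": "group_id", "value": "prod-deployers@example.com"},
    {"name": "member_id", "value": "dev@example.com"},
    {"name": "member_role", "value": "owner"}]}]},
 {"id": {"time": "2019-10-01T09:30:00Z"}, "actor": {"email": "lead@example.com"},
  "events": [{"name": "add_member", "parameters": [
    {"name": "group_id", "value": "lunch@example.com"},
    {"name": "member_id", "value": "intern@example.com"},
    {"name": "member_role", "value": "member"}]},
   {"name": "remove_member", "parameters": [
    {"name": "group_id", "value": "lunch@example.com"},
    {"name": "member_id", "value": "old@partner.test"}]}]},
]}

INTERNAL_DOMAINS = {"example.com"}       # assumption: the domains you own
PRIVILEGED_ROLES = {"owner", "manager"}  # roles that can change the group
WATCHED_EVENTS = {"add_member"}          # assumed event name

def review_findings(activities):
    # Each finding: (time, actor, group, member, list of reasons).
    findings = []
    for act in activities.get("items", []):
        for ev in act.get("events", []):
            if ev.get("name") not in WATCHED_EVENTS:
                continue
            p = {x["name"]: x.get("value", "") for x in ev.get("parameters", [])}
            member = p.get("member_id", "").lower()
            reasons = []
            if member.rpartition("@")[2] not in INTERNAL_DOMAINS:
                reasons.append("external member")
            if p.get("member_role", "").lower() in PRIVILEGED_ROLES:
                reasons.append("privileged role")
            if reasons:
                findings.append((act["id"]["time"], act["actor"]["email"],
                                 p.get("group_id"), member, reasons))
    return findings

if __name__ == "__main__":
    print(*review_findings(SAMPLE), sep="\n")
```

Because the consolidated log carries changes from both the Groups product and the admin tools, one pass like this covers additions that previously had to be looked for in two separate logs.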

Changes in GCP Cloud Audit Logging 
Google Groups are the recommended way to grant access to GCP resources when using IAM policies. GCP customers have told us that having group audit logs available in Google Cloud Audit Logs would help streamline security and access monitoring. With that in mind, we’re adding Google Groups information to Cloud Audit Logs (CAL) in Stackdriver. See our Cloud Blog post for more details on how this can help GCP customers.

Helpful links 

Cloud Blog: Integrated Google Groups Audit Transparency from G Suite to GCP Cloud Audit Logs 
Get started with the G Suite AdminSDK Reports API 

Availability 

Rollout details 


G Suite editions 
  • Google Groups are available to all G Suite editions. 

On/off by default? 
  • G Suite AdminSDK Reporting API for consolidated group events will be ON by default.
  • GCP Cloud Audit Logging for groups will be OFF by default and can be enabled at the domain level.



Automatically provision users with three additional apps

What’s changing 

We’re adding auto-provisioning support for three new applications:
  • Hootsuite
  • Huddle
  • OfficeSpace

Who’s impacted 

Admins only

Why you’d use it 

When auto-provisioning is enabled for a supported third-party application, any users created, modified, or deleted in G Suite are automatically added, edited, or deleted in the third-party application as well. This feature is highly popular with admins, as it removes the overhead of managing users across multiple third-party SaaS applications.

How to get started 

  • Admins: For more information on how to set up auto-provisioning, check out the Help Center.
  • End users: No action needed.

Helpful links 

Help Center: Automated user provisioning 
Help Center: Using SAML to set up federated SSO 

Availability 

Rollout details 

G Suite editions 
  • G Suite Education, Business, and Enterprise customers can enable auto-provisioning for all supported applications 
  • G Suite Basic, Government, and Nonprofit customers can enable auto-provisioning for up to three applications 

On/off by default? 
This feature will be OFF by default and can be enabled at the OU level.


Android phone’s built-in security key now generally available

Quick launch summary 

At Next 2019, we announced beta functionality to use an Android phone’s built-in security key for 2-step verification. We’re now making this generally available. All phones running Android 7.0+ (Nougat) have a built-in key that can be activated. This means your users can use existing phones for multi-factor authentication in G Suite to protect against phishing.

For more details, see our beta announcement or our Cloud Blog post.

Availability 

Rollout details



G Suite editions
 Available to all G Suite editions

On/off by default? 
If 2-Step Verification or Security Key Enforcement is turned on for an organization, Android phone will be available as an option for security keys by default.


Six new third-party applications added to G Suite pre-integrated SAML apps catalog

What’s changing 

We’re adding SAML integration for six additional applications:
  • Comeet
  • CyberArk
  • Drift
  • Qmarkets
  • Qualtrics
  • Swrve
Use our Help Center to see the full list of SAML apps and find out how to configure SAML applications.

Who’s impacted 

Admins only

Why you’d use it 

With Single-Sign-On (SSO), users can access all of their enterprise cloud applications—including the Admin console for admins—after signing in just one time. Google supports the two most popular enterprise SSO standards, OpenID Connect and SAML, and there are already many applications with pre-integrated SSO support in our third-party apps catalog.

How to get started 

  • Admins: You can find our full list of pre-integrated applications, as well as instructions for installing them, in the Help Center.
  • End users: No action needed.

Additional details 

Note that apart from the pre-integrated SAML applications, G Suite also supports installing “Custom SAML Applications,” which means that admins can install any third-party application that supports SAML. The advantage of a pre-integrated app is that the installation is much easier. Use our Help Center to learn more about installing Custom SAML Applications.

Helpful links 

Help Center: Using SAML to set up federated SSO 
Help Center: Set up your own custom SAML application

Availability

Rollout details 

G Suite editions 
Available to all G Suite editions.

On/off by default? 
This feature will be OFF by default and can be enabled at the OU level.


Use an Android phone as a security key for 2-Step Verification

This announcement was made at Google Cloud Next ‘19 in San Francisco. Check out Next OnAir to tune into the livestream or watch session recordings following the event.



What’s changing

We’re adding an option to use your Android phone’s built-in security key for multi-factor authentication in G Suite. All phones running Android 7.0+ (Nougat) have a built-in key which can be activated. This means your users can use existing phones as a primary 2-Step Verification method to protect against phishing. Using a phone as a security key is currently offered in beta.

Who’s impacted 

Admins and end users

Why you’d use it 

2-Step Verification greatly improves the security of your account by adding another layer to your account security and making it more resistant to phishing attacks. By adding the option of using your Android phone’s built-in security key, we’re expanding access to a phishing-resistant 2-Step Verification method in a convenient form: your phone. This can make it faster for you to implement 2-Step Verification in your organization while keeping user training and overall costs to a minimum.

Previously, in order to protect your users against password phishing, the only option was to use a security key fob. With this beta, their mobile phone can be that security key.

How to get started 




Additional details 


  • Available to G Suite, Cloud Identity, GCP customers, and personal Google Accounts. 
  • Available on phones running Android 7.0+ (Nougat) with Google Play Services. 
  • Compatible with Bluetooth-enabled Chrome OS, macOS X, or Windows 10 devices with a Chrome browser. 



2-Step Verification on a Pixel 3 

Helpful links 




Availability 

Rollout details



G Suite editions 

  • Available to all G Suite editions in beta. 


On/off by default? 

  • If 2-Step Verification or Security Key Enforcement is turned on for an organization, Android phone will be available as an option for security keys by default.



New 2-Step Verification options for G Suite accounts

What’s changing 

We’re updating how 2-Step Verification works for G Suite. This will make new 2-Step Verification methods available for some devices, and update the 2-Step Verification user interface on mobile and desktop devices. There are three key impacts:

  • New 2-Step Verification interfaces 
  • Different screens on different browsers (Safari, Edge, etc.) 
  • Expanded Bluetooth security key support 


Who’s impacted 

Admins and end users

Why you’d use it 

We hope that these updates make 2-Step Verification easier to use. 2-Step Verification puts an extra barrier between your business and cybercriminals who want to access business data. Turning on 2-Step Verification is the single most important thing you can do to make your accounts more secure and protect your business.

How to get started 




Additional details 

New 2-Step Verification interfaces: You may see new illustrations, text, and instructions in the images and dialogs of the 2-Step Verification flows when using a Bluetooth or USB security key. See images below for examples of the types of changes.

Different screens on different browsers: You may see different flows on Chrome, Safari, Firefox, Edge, and other browsers. Previously the service provider (Google) was responsible for showing these dialogs. Now the web browser is responsible. As a result, the flow may be different on each browser.

Expanded Bluetooth security key support: Bluetooth keys will start rolling out, and can be enabled with a flag on Linux.


The new 2-Step Verification screen on Google Chrome browser 


The old 2-Step Verification screen 

Helpful links 

Help Center: Protect your business with 2-Step Verification

Availability 

Rollout details 



G Suite editions
Available to all G Suite editions.

On/off by default? 
The updated user interface will be ON by default.
