Tag Archives: SAML

Streamlined and intuitive app management in the Admin console with new unified experience

What’s changing 

We’re creating a single place to manage web and mobile apps in the Admin console. With the new location, we’ll also be updating the management interface to be more consistent and intuitive. You’ll find this at Admin console > Apps > Web and mobile apps. There, you’ll be able to see configured apps, search apps, add apps, manage user access, adjust settings, and more for: 
You’ll no longer be able to manage apps in the previous locations. However, you’ll still manage the Android available apps and system apps settings in Admin console > Devices > Mobile settings.


Who’s impacted 

Admins 


Why it’s important 

By reducing the locations you need to use to manage different categories of apps and creating simplified and consistent workflows, it will be quicker and simpler to manage app use and deployment for your organization. 


Additional details

New location for web and mobile apps:


New and consistent experience to add web and mobile apps:


Unified settings and quick controls to view access and manage apps:


Getting started 

  • Admins: Find the new app management location at Admin console > Apps > Web and mobile apps. Visit the Help Center to learn more about managing Android and iOS apps, and SAML apps for your organization. 
  • End users: No end user impact. 

Rollout pace 

Availability 

Mobile app management: 
  • Available to Business Plus; Enterprise; Education and Enterprise for Education; G Suite Basic and Business; and Nonprofits customers
  • Not available to Business Starter, Essentials, and Enterprise Essentials customers.
SAML app management: 
  • Available to Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education, Enterprise for Education, and Nonprofits customers

Resources 

Context-Aware Access for SAML apps now generally available

Quick launch summary 

In April, we announced a beta which enabled admins to control access to SAML apps based on context. Now, we’re making this feature generally available. 

You can use Context-Aware Access (CAA) to create granular access control policies for pre-integrated SAML apps or custom SAML apps based on attributes including the user, location, device security status, and IP address. This can improve your security posture by reducing the chances that there’s unintended access to specific apps and the data in them. 

See our beta announcement for more details on how the feature works and how you can use it. CAA can be used for SAML apps (policy evaluation on sign-in) that use Google as the identity provider. A third-party identity provider (IdP) can also be used (third-party IdP federates to Google Cloud Identity and Google Cloud Identity federates to SAML apps). Visit our Help Center to see how to set up single sign-on for managed Google Accounts using third-party Identity providers.


Getting started 

  • Admins: This feature will be available by default. Any policies created during the beta will persist when the feature becomes generally available. 
  • End users: No end-user impact until turned on by the admin. 

Rollout pace 

Availability 

  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, G Suite Essentials, and Cloud Identity Free customers 

Resources 

Context-Aware Access for SAML apps available in beta

What’s changing 

We’re enhancing Context-Aware Access (CAA) with a beta that enables admins to use it to control SAML apps. This gives admins the ability to control access to SAML apps based on the user, the device, and the context they are in when they are trying to access an app.

CAA for SAML apps will work for customers that use Google as the primary identity provider (IdP) to enable access to third party apps from pre-integrated SAML apps or custom SAML apps. It’s available to G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, and Drive Enterprise customers only. See our post on the Cloud Blog to learn how this and other launches can help G Suite customers stay secure.

Who’s impacted 

Admins only

Why you’d use it 

Using Context-Aware Access, you can create granular access control policies to apps based on attributes including the user, location, device security status, and IP address. This can improve your security posture by reducing the chances that there’s unintended access to specific apps and the data in them. Some ways you could use CAA for SAML include:

  • Only allow access to your CRM app when the user is on the corporate network. 
  • Only allow access to a cloud storage app if the user has an up-to-date operating system and an encrypted device. 
  • Only permit IT admins to access certain tools from a remote location. 
  • Only permit users in a specific country to access certain apps. 


Additional details 


Builds on the CAA for G Suite infrastructure 
Controlling CAA for SAML apps will use the same infrastructure and Admin console interface as CAA for G Suite. That means you can use any pre-configured access levels, user groups, and end-user messaging for CAA to SAML. Use our Help Center to find out more about managing Context-Aware Access in G Suite.

CAA for SAML only enforced at time of sign-in 
CAA for SAML apps is only enforced at the time of sign-in. This is different from CAA for G Suite applications, which offers a higher level of control. G Suite applications are built by Google, and CAA controls are enabled for continuous evaluation of context (IP, device attribute, etc.) during use. As SAML apps are non-Google applications using Google sign-in, we’re only able to evaluate context at the point where a user signs in to these applications using Google sign-in. After that sign-in, the context is not evaluated again until the session is terminated and the user tries to sign in again with Google.

Getting started 


  • Admins: This is an open beta, so the controls will automatically become available to you if you are a G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, or Drive Enterprise customer. 
  • End users: No end-user impact until turned on by the admin. 

Availability 


  • Available to G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, and Drive Enterprise customers. 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers. 

Resources 


Grant SAML app access to specific groups

Quick launch summary 

You can now enable SAML apps for specific groups of users in your organization. You could previously only enable them by organizational unit (OU). This provides extra flexibility, as you can now turn apps on or off for sets of users without changing your organizational structure.

SAML apps enable users to access enterprise cloud applications after signing in just once through Single-Sign-On (SSO). You can easily enable SAML with many pre-integrated applications in our third-party apps catalog, or you can set up custom SAML applications.

Use our Help Center to find out how to configure SAML applications.

Getting started 


  • Admins: This feature will be available by default and can be controlled at the group level. Visit the Help Center to learn more about how to configure SAML apps for G Suite.
  • End users: There is no end-user setting for this feature. 

Control SAML apps by groups 

Rollout pace 


Availability 



  • Available to all G Suite customers

G Suite and Google Cloud Identity Premium now support password vaulted apps for single sign-on

What’s changing 

We're making it easy for admins to enable single sign-on for thousands of additional apps that don’t support modern authentication standards like SAML and OIDC. The combination of standards-based and password-vaulted app support will deliver one of the largest SSO app catalogs in the industry. 

Who’s impacted 

Admins and end users

Why you’d use it 

Google supports single sign-on for apps in the G Suite Marketplace, apps that support SAML or OIDC as an authentication mechanism, and apps that leverage LDAP for sign-on. While this existing solution works for many apps, some of our customers rely on apps that don’t support these standards. Others don’t support federated single sign-on. This release provides seamless one-click access for users and a single point of management, visibility, and control for admins.

With password vaulting, admins can:

  • Manage credentials in a single space,
  • Securely enable access to shared credentials,
  • Manage access to app credentials based on group membership, and
  • Log and access reports on usage of the credentials within their organization.

End users can view and log in to their apps with a single click within a new user dashboard.

How to get started



Availability

Rollout details
G Suite editions
  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, or G Suite for Nonprofits

On/off by default?
  • This feature will be available by default.  

  Stay up to date with G Suite launches

Five new third-party applications added to G Suite pre-integrated SAML apps catalog

What’s changing 

We’re adding SAML integration for five additional applications:
  • Firstbird
  • Foodee
  • Hive
  • LaunchDarkly
  • RECOG
Use our Help Center to see the full list of SAML apps and find out how to configure SAML applications.

Who’s impacted 

Admins only

Why you’d use it 

With Single-Sign-On (SSO), users can access all of their enterprise cloud applications—including the Admin console for admins—after signing in just one time. Google supports the two most popular enterprise SSO standards, OpenID Connect and SAML, and there are already many applications with pre-integrated SSO support in our third-party apps catalog.

How to get started 

  • Admins: You can find our full list of pre-integrated applications, as well as instructions for installing them, in the Help Center.
  • End users: No action needed.

Additional details 

Note that apart from the pre-integrated SAML applications, G Suite also supports installing “Custom SAML Applications,” which means that admins can install any third-party application that supports SAML. The advantage of a pre-integrated app is that the installation is much easier. Use our Help Center to learn more about installing Custom SAML Applications.

Helpful links 

Help Center: Using SAML to set up federated SSO 
Help Center: Set up your own custom SAML application

Availability 

Rollout details 

G Suite editions 
Available to all G Suite editions.

On/off by default? 
This feature will be OFF by default and can be enabled at the OU level.


SSO + network mask domains can now force Google password reset on next login

What’s changing 

We’re providing more control over user password policies for some customers using third-party identity providers (IdPs) via SAML. Previously, these customers could not enforce the “Require password change” setting for their users. Now, SSO customers who have a network mask defined can turn on this setting and force their users to change their Google password the next time they log in using their G Suite or Cloud Identity credentials.

Who’s impacted 

Admins only

Why you’d use it 

For many customers who use third-party IdPs via SAML, preventing “Require password change” is the desired behavior. Their users only need to know their credentials for their IdP so forcing them to change their Google password is not meaningful.

However, some G Suite admins in domains with a third-party IdP use a network mask to allow some of their users to log in using their G Suite or Cloud Identity credentials. In such deployments, there may be users who sign in using their G Suite credentials. For these users, admins may want to generate a temporary password and then have the user change it on the next login. This update will help admins of domains that use SSO and a network mask to do this.

How to get started 


  • Admins: This update will only impact domains with a SAML IdP configured for SSO and a network mask. To check if you have a network mask, go to Admin console > Security > Network masks and see if there’s information defined. 




  • Admins at domains with SAML IdP configured for SSO and a network mask can turn on the setting in the Admin console (“Require password change”) or via the Admin SDK (“Do Force password change on Next Login”). Once turned on, it will be enforced for that user’s next login. See the sample screenshot below. 




  • If your domain has SSO but does not have a network mask configured, then there will be no change. The required password change option will show as OFF and you won’t be able to turn it on. See the sample screenshot below. 


Helpful links 

Help Center: Set up single sign-on for managed Google Accounts using third-party Identity providers
G Suite Admin SDK documentation for updating user details 

Availability 

Rollout details 


G Suite editions 

  • Available to all G Suite editions 

On/off by default? 

  • The new setting is automatically available depending on whether or not an SSO domain has a network mask configured.


Six new third-party applications added to G Suite pre-integrated SAML apps catalog

What’s changing 

We’re adding SAML integration for six additional applications:
  • Comeet
  • CyberArk
  • Drift
  • Qmarkets
  • Qualtrics
  • Swrve
Use our Help Center to see the full list of SAML apps and find out how to configure SAML applications.

Who’s impacted 

Admins only

Why you’d use it 

With Single-Sign-On (SSO), users can access all of their enterprise cloud applications—including the Admin console for admins—after signing in just one time. Google supports the two most popular enterprise SSO standards, OpenID Connect and SAML, and there are already many applications with pre-integrated SSO support in our third-party apps catalog.

How to get started 

  • Admins: You can find our full list of pre-integrated applications, as well as instructions for installing them, in the Help Center.
  • End users: No action needed.

Additional details 

Note that apart from the pre-integrated SAML applications, G Suite also supports installing “Custom SAML Applications,” which means that admins can install any third-party application that supports SAML. The advantage of a pre-integrated app is that the installation is much easier. Use our Help Center to learn more about installing Custom SAML Applications.

Helpful links 

Help Center: Using SAML to set up federated SSO 
Help Center: Set up your own custom SAML application

Availability 

Rollout details 

G Suite editions 
Available to all G Suite editions.

On/off by default? 
This feature will be OFF by default and can be enabled at the OU level.


Five new third-party applications added to G Suite pre-integrated SAML apps catalog

What’s changing 

We’re adding SAML integration for five additional applications:
  • Clear Review 
  • Clubhouse
  • Dialpad Sandbox
  • HubSpot 
  • Workable

Use our Help Center to see the full list of SAML apps and find out how to configure SAML applications.

Who’s impacted 

Admins only

Why you’d use it 

With Single-Sign-On (SSO), users can access all of their enterprise cloud applications—including the Admin console for admins—after signing in just one time. Google supports the two most popular enterprise SSO standards, OpenID Connect and SAML, and there are already many applications with pre-integrated SSO support in our third-party apps catalog.

How to get started 

  • Admins: You can find our full list of pre-integrated applications, as well as instructions for installing them, in the Help Center.
  • End users: No action needed.

Additional details 

Note that apart from the pre-integrated SAML applications, G Suite also supports installing “Custom SAML Applications,” which means that admins can install any third-party application that supports SAML. The advantage of a pre-integrated app is that the installation is much easier. Use our Help Center to learn more about installing Custom SAML Applications.

Helpful links 

Help Center: Using SAML to set up federated SSO 
Help Center: Set up your own custom SAML application

Availability 

Rollout details 

G Suite editions 
Available to all G Suite editions.

On/off by default? 
This feature will be OFF by default and can be enabled at the OU level.


Five new third-party applications added to G Suite pre-integrated SAML apps catalog

What’s changing 

We’re adding SAML integration for five additional applications:
  • Carbonite 
  • ComponentSpace 
  • Emburse 
  • Sentry 
  • Twic 

Use our Help Center to see the full list of SAML apps and find out how to configure SAML applications.

Who’s impacted 

Admins only

Why you’d use it 

With Single-Sign-On (SSO), users can access all of their enterprise cloud applications—including the Admin console for admins—after signing in just one time. Google supports the two most popular enterprise SSO standards, OpenID Connect and SAML, and there are already many applications with pre-integrated SSO support in our third-party apps catalog.

How to get started 

  • Admins: You can find our full list of pre-integrated applications, as well as instructions for installing them, in the Help Center.
  • End users: No action needed.

Additional details 

Note that apart from the pre-integrated SAML applications, G Suite also supports installing “Custom SAML Applications,” which means that admins can install any third-party application that supports SAML. The advantage of a pre-integrated app is that the installation is much easier. Use our Help Center to learn more about installing Custom SAML Applications.

Helpful links 

Help Center: Using SAML to set up federated SSO 
Help Center: Set up your own custom SAML application

Availability 

Rollout details 

G Suite editions 
Available to all G Suite editions.

On/off by default? 
This feature will be OFF by default and can be enabled at the OU level.