Tag Archives: SSO

Google Workspace Updates Weekly Recap – July 30, 2021

New updates

Unless otherwise indicated, the features below are fully launched or in the process of rolling out (rollouts should take no more than 15 business days to complete), launching to both Rapid and Scheduled Release at the same time (if not, each stage of rollout should take no more than 15 business days to complete), and available to all Google Workspace and G Suite customers.


Delegate Information is now available in Gmail Log Search
Email log search now indicates when an email was sent on behalf of the user by a delegate. In cases where a delegate sent the email, the delegate will be listed, along with the sender, in message details in email log search. Delegate information will only be available on emails sent after this change rolls out. | Available to all Google Workspace customers with Gmail enabled. | Learn more.


New font in Workspace improves accessibility for vision impaired
Now there's a new font in Workspace optimized for vision-impaired users. When you create or want to read a document, set the font to Atkinson Hyperlegible for improved legibility.


Previous announcements 

The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.


Improvements for braille mode in Google Docs provide a richer, more interactive experience
We've improved how suggestions are announced in braille mode in Google Docs. You’ll now hear detailed suggestion information inline with the rest of the text — this includes whether the suggestion is an insertion or deletion, and the author of the suggestion. | Learn more.



Disabling File Transfer in Google Chat
Admins can now disable or limit file sharing for their users in Chat. Specifically, admins will be able to specify controls within and outside their organization, and will be able to choose between restricting all files, allowing images only, or allowing all files. | Available to Google Workspace Business Plus, Enterprise Standard, Enterprise Plus, Education Plus, Enterprise Essentials | Learn more.



Alert Center enrichment with VirusTotal threat context now generally available
Earlier this year, we pre-announced an integration between the Alert Center and VirusTotal. Currently, the Google Workspace Alert Center provides admins with actionable, real-time alerts and insights regarding security-related activity in their domain. With the VirusTotal (now part of Google Cloud) integration, admins have the ability to dig into their alerts at a deeper level. | Available to Google Workspace Business Plus, Enterprise Standard, Enterprise Plus, Education Fundamentals and Education Plus customers. | Learn More.



Use dynamic security groups for group based policies
Google Workspace admins can now use dynamic groups to manage policies for their users in the Admin console. Previously, it was only possible to apply these policies to static groups and OUs. | Available to Google Workspace Enterprise Plus, Education Plus, and Cloud Identity Premium customers. | Learn more.



Workspace for Education Plus now syncs Google Classroom courses and rosters with Student Information Systems
U.S. school districts with Google Workspace for Education Plus will be able to automatically set up Google Classroom courses and keep rosters in sync with their Student Information System (SIS). IT admins will do the setup via Clever, meaning teachers will no longer need to manually create classes and invite students to join them. | Learn More.



Enhancements to Google Voice
We’ve made several enhancements to Google Voice, including information and troubleshooting tips for missed calls, the ability to easily redial dropped calls, the ability to delete SMS messages in bulk, and an option to show your Google Voice number as the caller ID when forwarding calls. | Learn more.



Search within a folder in Google Drive on iOS
You can now search for content inside a specific folder in Google Drive on iOS. Simply navigate to the folder you want to search within and select the search bar — you’ll see a list of suggested folders, documents, and users to refine your search results. Select the folder chip before typing your search query. | Learn more.



Assign SSO profile to organizational units or groups with the new SAML Partial SSO beta
Currently, you can configure SSO to authenticate your users using a third-party identity provider; this configuration applies to all users within your domain. Now, you have the option to specify groups or organizational units (OUs) to authenticate a subset of your users using Google. This feature is available as an open beta. | Learn more.



New enrollment privilege and naming updates for Google Meet hardware in the Admin console
We are making two improvements to the admin controls for Google Meet hardware: a new enrollment privilege for admins and updates for hardware management in the Admin console. | Learn more.



Use the new Google Meet web app for better meetings on desktop devices
We’ve launched a new Google Meet standalone web app. This Progressive Web Application (PWA) has all the same features as Google Meet on the web, but as a standalone app it’s easier to find and use, and it streamlines your workflow by eliminating the need to switch between tabs. | Learn more.


For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).

Assign SSO profile to organizational units or groups with the new SAML Partial SSO beta

What’s changing 

Currently, you can configure SSO to authenticate your users using a third-party identity provider; this configuration applies to all users within your domain. Now, you have the option to specify groups or organizational units (OUs) to authenticate a subset of your users using Google. This feature is available beginning today as an open beta, which means you can use it without enrolling in a specific beta program.


Who’s impacted 

Admins 


Why you’d use it 

Currently, when you configure SSO with a third-party identity provider, the setting applies to your entire domain. However, there are some instances where you may want a subset of your users, such as vendors or contractors, to authenticate with Google instead. The Partial SSO beta gives you the flexibility to specify the authentication method for various users in your organization as needed.



Getting started

Image description: Within the Admin console, navigate to Security > Settings > Set up single sign-on (SSO) with a third party IdP > Manage SSO Profile assignments to specify the OU or group that should authenticate using Google.


Availability

  • Available to all Google Workspace and Cloud Identity customers



Enhanced desktop security for Windows is now available for Google Workspace Business Plus customers

Quick launch summary

Google Workspace Business Plus customers can now manage and secure Windows devices through the Admin console, just as you do for Android, iOS, Chrome, and Jamboard devices. Now, Business Plus Admins can:

  • Set Windows policies in the Admin console to ensure that all Windows 10 devices used to access Workspace are updated, secure, and in compliance with organizational policies.
  • Perform admin actions, such as wiping a device and pushing device configuration updates, to Windows 10 devices from the cloud without connecting to the corp network.

See our previous announcement for more details on the Windows 10 management features and benefits and the Help Center to learn more about enhanced desktop security for Windows.

Rollout pace

  • This feature is available now.



Deploy and manage Google Credential Provider for Windows via the Admin console

What’s changing 

You can now deploy and manage Google Credential Provider for Windows (GCPW) in the Admin console. Previously, you had to edit registry entries to manage GCPW. The new, organization-specific installation file and setting management in the Admin console makes it easier to deploy and manage GCPW in your organization. 


Who’s impacted 

Admins 


Why you’d use it 

GCPW is an aspect of Enhanced desktop security for Windows that makes using Windows 10 devices with Google Workspace easier and more secure. Once set up, users can: 
  • Sign in to a Microsoft Windows 10 device using their Google Workspace Account. 
  • Take advantage of security protections on Windows 10 devices, including 2-step verification (2SV) and login challenges. 
  • Access Google Workspace and other single sign-on (SSO) apps without the need to re-enter their credentials. 
With this launch, you can configure and manage GCPW in the Admin console instead of in each device’s registry settings. This can make setting up and updating GCPW deployments less manual and time-consuming if you don’t have standard software deployment tools.


Additional details 

Device setup and management: To set up GCPW on a new device, download a GCPW installation file customized for your company from the Admin console. After GCPW is installed, you can manage GCPW settings in the Admin console. When a user signs in to a device managed with GCPW, GCPW fetches and applies the settings from the Admin console. GCPW settings in the Admin console may take up to one hour to be implemented on the device. If you already installed GCPW on a device, you can set a token to manage GCPW from the Admin console.

Settings available in the Admin console: You can manage most of the settings in the Admin console that you can in registry settings, including offline access, multiple account management, and more. 

Working with existing registry settings: Admin console settings supersede registry settings. To continue to use registry settings instead of Admin console settings, leave GCPW settings in the Admin console as “not configured.” 



Availability 

  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits customers. 

Updated Admin console for 2-Step Verification and SSO for SAML controls

Quick launch summary 

We’re making two updates to the Admin console:

New 2-Step Verification (2SV) controls: 
We’re updating the controls you use to configure 2SV in the Admin console. You may notice:

  • A new “2-Step Verification settings” section of the Security page where you can turn 2SV on or off and control other related settings. You can find this at Admin console > Security > 2-Step Verification.
  • The ability to turn 2SV enrollment on or off for each organizational unit (OU). Previously you could only turn it on or off for the whole domain. Once it’s turned on, additional 2SV policies can be adjusted.
  • New interfaces which prevent admins from accidentally locking themselves out of an account by enforcing 2SV without being enrolled in 2SV.
  • An updated and streamlined interface. 

Image description: The new 2-Step Verification settings section in the Admin console.

Image description: In the 2SV section you can configure 2-Step Verification enforcement by OU.


New section for single sign-on settings for SAML applications 
We’re making some updates to the settings you use to set up single sign-on for SAML applications. You may notice:

  • The settings that apply to all SAML applications when Google is the Identity Provider (IdP) are now in their own section in Security settings at Admin Console > Security > Set up single sign-on (SSO) for SAML applications.
  • The functionality is not changing, but you will find a more streamlined experience for managing certificates and downloading IdP metadata.

Image description: The new SSO for SAML settings section in the Admin console.

Image description: The new SSO for SAML area where you can control related settings.

Getting started 



  • Admins: The new per-OU 2SV enrollment feature will be set to ON at the organization level (root OU) if and only if you had allowed 2SV enrollment for your organization prior to this launch, so that there is no change in behavior for your organization. After the launch, you can now change 2SV enrollment at an OU level. You can also use exception groups for 2SV enrollment settings, similar to how 2SV enforcement settings support them. Visit the Help Center to learn more about how to deploy 2-Step Verification for your organization.
  • End users: There is no end user impact for the feature. 


Availability 


  • Available to all G Suite and Cloud Identity customers 


Enhanced security for Windows 10 devices now generally available

Quick launch summary 

You can now manage and secure Windows 10 devices through the Admin console, just as you do for Android, iOS, Chrome, and Jamboard devices. This also means you can enable SSO so users can more easily access G Suite and other SSO-enabled applications on Windows 10 devices. This was previously available in beta.

All G Suite admins can now use Google Credential Provider for Windows to:

  • Enable their organization to use existing G Suite account credentials to log in to Windows 10 devices, and easily access apps and services with SSO.
  • Protect user accounts with Google’s anti-hijacking and suspicious login detection technologies. 

Additionally, G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers can now also:

  • Ensure that all Windows 10 devices used to access G Suite are updated, secure, and in compliance with organizational policies.
  • Perform admin actions, such as wiping a device and pushing device configuration updates, to Windows 10 devices from the cloud without connecting to the corp network.

This can help simplify device management, help to increase data security, and reduce the hurdles and logins users need to access applications and get work done. See our previous announcement for more details on the Windows 10 management features and benefits.

See our Help Center to learn more about enhanced desktop security for Windows. See our post on the Cloud Blog to learn how this and other launches can help G Suite customers stay secure.



Image description: Admin controls available for Windows 10 devices.


Availability 

Login and SSO features associated with Google Credential Provider for Windows:

  • Available to all G Suite and Cloud Identity customers 


Device management for Windows 10 devices:

  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers 


Context-Aware Access for SAML apps available in beta

What’s changing 

We’re enhancing Context-Aware Access (CAA) with a beta that enables admins to use it to control SAML apps. This gives admins the ability to control access to SAML apps based on the user, the device, and the context they are in when they are trying to access an app.

CAA for SAML apps will work for customers that use Google as the primary identity provider (IdP) to enable access to third party apps from pre-integrated SAML apps or custom SAML apps. It’s available to G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, and Drive Enterprise customers only. See our post on the Cloud Blog to learn how this and other launches can help G Suite customers stay secure.

Who’s impacted 

Admins only

Why you’d use it 

Using Context-Aware Access, you can create granular access control policies to apps based on attributes including the user, location, device security status, and IP address. This can improve your security posture by reducing the chances that there’s unintended access to specific apps and the data in them. Some ways you could use CAA for SAML include:

  • Only allow access to your CRM app when the user is on the corporate network. 
  • Only allow access to a cloud storage app if the user has an up-to-date operating system and an encrypted device.
  • Only permit IT admins to access certain tools from a remote location. 
  • Only permit users in a specific country to access certain apps. 


Additional details 


Builds on the CAA for G Suite infrastructure 
Controlling CAA for SAML apps will use the same infrastructure and admin console interface as CAA for G Suite. That means you can use any pre-configured access levels, user groups, and end-user messaging for CAA to SAML. Use our Help Center to find out more about managing context aware access in G Suite.

CAA for SAML only enforced at time of sign-in 
CAA for SAML apps is only enforced at the time of sign-in. This is different from CAA for G Suite applications, which offers a higher level of control. G Suite applications are built by Google and CAA controls are enabled for continuous evaluation of context (IP, device attribute, etc.) during use. As SAML apps are non-Google applications using Google sign-in, we’re only able to evaluate context at the point where a user signs into these applications using Google sign-in. After that sign-in, the context is not evaluated again until the session is terminated and users try to sign in again with Google.

Getting started 


  • Admins: This is an open beta, so the controls will automatically become available to you if you are a G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, or Drive Enterprise customer. 
  • End users: No end-user impact until turned on by the admin. 

Availability 


  • Available to G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, and Drive Enterprise customers. 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers. 


Grant SAML app access to specific groups

Quick launch summary 

You can now enable SAML apps for specific groups of users in your organization. You could previously only enable them by organizational unit (OU). This provides extra flexibility, as you can now turn apps on or off for sets of users without changing your organizational structure.

SAML apps enable users to access enterprise cloud applications after signing in just once through Single-Sign-On (SSO). You can easily enable SAML with many pre-integrated applications in our third-party apps catalog, or you can set up custom SAML applications.

Use our Help Center to find out how to configure SAML applications.

Getting started 


  • Admins: This feature will be available by default and can be controlled at the group level. Visit the Help Center to learn more about how to configure SAML apps for G Suite.
  • End users: There is no end-user setting for this feature. 

Image description: Control SAML apps by groups.


Availability 



  • Available to all G Suite customers

SSO + network mask domains can now force Google password reset on next login

What’s changing 

We’re providing more control over user password policies for some customers using third-party identity providers (IdPs) via SAML. Previously, these customers could not enforce the “Require password change” setting for their users. Now, SSO customers who have a network mask defined can turn on this setting and force their users to change their Google password the next time they log in using their G Suite or Cloud Identity credentials.

Who’s impacted 

Admins only

Why you’d use it 

For many customers who use third-party IdPs via SAML, preventing “Require password change” is the desired behavior. Their users only need to know their credentials for their IdP so forcing them to change their Google password is not meaningful.

However, some G Suite admins in domains with a third-party IdP use a network mask to allow some of their users to log in using their G Suite or Cloud Identity credentials. In such deployments, there may be users who sign in using their G Suite credentials. For these users, admins may want to generate a temporary password and then have the user change it on the next login. This update will help admins of domains that use SSO and a network mask to do this.

How to get started 


  • Admins: This update will only impact domains with a SAML IdP configured for SSO and a network mask. To check if you have a network mask, go to Admin console > Security > Network masks and see if there’s information defined. 




  • Admins at domains with SAML IdP configured for SSO and a network mask can turn on the setting in the Admin console (“Require password change”) or via the Admin SDK (“Do Force password change on Next Login”). Once turned on, it will be enforced for that user’s next login. See the sample screenshot below. 




  • If your domain has SSO but does not have a network mask configured, then there will be no change. The required password change option will show as OFF and you won’t be able to turn it on. See the sample screenshot below. 


Helpful links 

Help Center: Set up single sign-on for managed Google Accounts using third-party Identity providers
G Suite Admin SDK documentation for updating user details 

Availability 


G Suite editions 

  • Available to all G Suite editions 

On/off by default? 

  • The new setting is automatically available depending on whether or not an SSO domain has a network mask configured.

Stay up to date with G Suite launches

Five new third-party applications added to G Suite pre-integrated SAML apps catalog

What’s changing 

We’re adding SAML integration for five additional applications:
  • Carbonite 
  • ComponentSpace 
  • Emburse 
  • Sentry 
  • Twic 

Use our Help Center to see the full list of SAML apps and find out how to configure SAML applications.

Who’s impacted 

Admins only

Why you’d use it 

With Single-Sign-On (SSO), users can access all of their enterprise cloud applications—including the Admin console for admins—after signing in just one time. Google supports the two most popular enterprise SSO standards, OpenID Connect and SAML, and there are already many applications with pre-integrated SSO support in our third-party apps catalog.

How to get started 

  • Admins: You can find our full list of pre-integrated applications, as well as instructions for installing them, in the Help Center.
  • End users: No action needed.

Additional details 

Note that apart from the pre-integrated SAML applications, G Suite also supports installing “Custom SAML Applications,” which means that admins can install any third-party application that supports SAML. The advantage of a pre-integrated app is that the installation is much easier. Use our Help Center to learn more about installing Custom SAML Applications.

Helpful links 

Help Center: Using SAML to set up federated SSO 
Help Center: Set up your own custom SAML application

Availability

G Suite editions 
Available to all G Suite editions.
On/off by default? 
This feature will be OFF by default and can be enabled at the OU level.