Context-Aware Access for SAML apps available in beta

What’s changing 

We’re enhancing Context-Aware Access (CAA) with a beta that enables admins to use it to control SAML apps. This gives admins the ability to control access to SAML apps based on the user, the device, and the context they are in when they are trying to access an app.

CAA for SAML apps will work for customers that use Google as the primary identity provider (IdP) to enable access to third party apps from pre-integrated SAML apps or custom SAML apps. It’s available to G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, and Drive Enterprise customers only. See our post on the Cloud Blog to learn how this and other launches can help G Suite customers stay secure.

Who’s impacted 

Admins only

Why you’d use it 

Using Context-Aware Access, you can create granular access control policies to apps based on attributes including the user, location, device security status, and IP address. This can improve your security posture by reducing the chances that there’s unintended access to specific apps and the data in them. Some ways you could use CAA for SAML include:

  • Only allow access to your CRM app when the user is on the corporate network. 
  • Only allow access to a cloud storage app if the user has an up to date operating system and an encrypted device. 
  • Only permit IT admins to access certain tools from a remote location. 
  • Only permit users in a specific country to access certain apps. 

Additional details 

Builds on the CAA for G Suite infrastructure 
Controlling CAA for SAML apps will use the same infrastructure and admin console interface as CAA for G Suite. That means you can use any pre-configured access levels, user groups, and end-user messaging for CAA to SAML. Use our Help Center to find out more about managing context aware access in G Suite.

CAA for SAML only enforced at time of sign-in 
CAA for SAML apps is only enforced at the time of sign-in. This is different from CAA for G Suite applications, which offers a higher level of control. G Suite applications are built by Google and CAA controls are enabled for continuous evaluation of context (IP, device attribute, etc) during use. As SAML apps are non-Google applications using Google sign-in, we’re only able to evaluate context at the point where a user signs into these applications using Google sign-in. After that sign-in, the context is not evaluated again until the session is terminated and users try to sign-in again with Google.

Getting started 

  • Admins: This is an open beta, so the controls will automatically become available to you if you are a G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, or Drive Enterprise customer. 
  • End users: No end-user impact until turned on by the admin. 


  • Available to G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, and Drive Enterprise customers. 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers.