Session length controls for domains using SAML

In March, we introduced a setting that allows G Suite Business, Enterprise, and Education admins to specify the duration of web sessions for Google services (e.g. four hours, seven days, or infinite). At the time, this setting only applied to domains where Google was responsible for the login (i.e. where Google was the Identity Provider). We’re now extending the reach of this setting and making it applicable in domains that federate to another Identity Provider (IdP) using SAML.

Note that these settings apply to all desktop web sessions, as well as some mobile browser sessions. Native mobile apps, like Gmail for Android and iOS, aren’t impacted by these settings.

Removing session-based cookies on May 7th, 2018

In the past, in order to give more control over session lengths to a G Suite customer’s preferred IdP, we set cookies for sessions created by federating to another IdP via SAML as transient, or session-based. These cookies were intended to expire whenever the browser was closed, meaning the user would be redirected to their primary IdP whenever they reopened the browser and visited a Google site.

Over time, however, this behavior has become increasingly inconsistent across browsers. We believe that G Suite admins are better served by explicit session length controls, like the ones we just launched. Unlike session cookies, these controls are respected regardless of the user’s browser.

With this in mind, we’ll be removing session-based cookies for G Suite customers who federate to another IdP via SAML on May 7th, 2018. Please consider setting a custom session length for your organization if your workflows depend on it.

Replicating previous behavior

If it’s critical to replicate the previous behavior, where all sessions expired when a browser was closed, you can change the browser settings on impacted machines to delete all Google cookies when the browser is exited. Instructions to configure this on Chrome can be found here. To deploy this policy on multiple machines, use Chrome policies to configure session-only cookies for [*.]

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Available to G Suite Business, Enterprise, and Education editions only

Rollout pace:
Gradual rollout (up to 15 days for feature visibility)

Admins only

Admin action suggested/FYI

More Information
Help Center: Set up session length for Google services

Launch release calendar
Launch detail categories
Get these product update alerts by email
Subscribe to the RSS feed of these updates