Tag Archives: SSO

Deploy and manage Google Credential Provider for Windows via the Admin console

What’s changing 

You can now deploy and manage Google Credential Provider for Windows (GCPW) in the Admin console. Previously, you had to edit registry entries to manage GCPW. The new, organization-specific installation file and setting management in the Admin console makes it easier to deploy and manage GCPW in your organization. 


Who’s impacted 

Admins 


Why you’d use it 

GCPW is an aspect of Enhanced desktop security for Windows that makes using Windows 10 devices with Google Workspace easier and more secure. Once set up, users can: 
  • Sign in to a Microsoft Windows 10 device using their Google Workspace Account. 
  • Take advantage of security protections on Windows 10 devices, including 2-step verification (2SV) and login challenges. 
  • Access Google Workspace and other single sign-on (SSO) apps without the need to re-enter their credentials. 
With this launch, you can configure and manage GCPW in the Admin console instead of in each device’s registry settings. This can make setting up and updating GCPW deployments less manual and time-consuming if you don’t have standard software deployment tools. 


Additional details 

Device setup and management: To set up GCPW on a new device, download a GCPW installation file customized for your company from the Admin console. After GCPW is installed, you can manage GCPW settings in the Admin console. When a user signs in to a device managed with GCPW, GCPW fetches and applies the settings from the Admin console. GCPW settings in the Admin console may take up to one hour to be implemented on the device. If you already installed GCPW on a device, you can set a token to manage GCPW from the Admin console.

Settings available in the Admin console: You can manage most of the settings in the Admin console that you can in registry settings, including offline access, multiple account management, and more. 

Working with existing registry settings: Admin console settings supersede registry settings. To continue to use registry settings instead of Admin console settings, leave GCPW settings in the Admin console as “not configured.” 



Availability 

  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits customers. 

Updated Admin console for 2-Step Verification and SSO for SAML controls

Quick launch summary 

We’re making two updates to the Admin console:

New 2-Step Verification (2SV) controls: 
We’re updating the controls you use to configure 2SV in the Admin console. You may notice:

  • A new “2-Step Verification settings” section of the Security page where you can turn 2SV on or off and control other related settings. You can find this at Admin console > Security > 2-Step Verification
  • The ability to turn 2SV enrollment on or off for each organizational unit (OU). Previously you could only turn it on or off for the whole domain. Once it’s turned on, additional 2SV policies can be adjusted. 
  • New interfaces which prevent admins from accidentally locking themselves out of an account by enforcing 2SV without being enrolled in 2SV. 
  • An updated and streamlined interface. 
The new 2-Step Verification settings section in the Admin console

In the 2SV section you can configure 2-Step Verification enforcement by OU


New section for single sign-on settings for SAML applications 
We’re making some updates to the settings you use to set up single sign-on for SAML applications. You may notice:

  • The settings that apply to all SAML applications when Google is the Identity Provider (IdP) are now in their own section in Security settings at Admin Console > Security > Set up single sign-on (SSO) for SAML applications
  • The functionality is not changing, but you will find a more streamlined experience for managing certificates and downloading IdP metadata. 
The new SSO for SAML settings section in the Admin console

 The new SSO for SAML area where you can control related settings

Getting started 



  • Admins: The new per-OU 2SV enrollment feature will be set to ON at the organization level (root OU) if and only if you had allowed 2SV enrollment for your organization prior to this launch, so that there is no change in behavior for your organization. After the launch, you can now change 2SV enrollment at an OU level. You can also use exception groups for 2SV enrollment settings, similar to how 2SV enforcement settings support them. Visit the Help Center to learn more about how to deploy 2-Step Verification for your organization.
  • End users: There is no end user impact for the feature. 

Availability 


  • Available to all G Suite and Cloud Identity customers 

Enhanced security for Windows 10 devices now generally available

Quick launch summary 

You can now manage and secure Windows 10 devices through the Admin console, just as you do for Android, iOS, Chrome, and Jamboard devices. This also means you can enable SSO so users can more easily access G Suite and other SSO-enabled applications on Windows 10 devices. This was previously available in beta.

All G Suite admins can now use Google Credential Provider for Windows to:

  • Enable their organization to use existing G Suite account credentials to login to Windows 10 devices, and easily access apps and services with SSO. 
  • Protect user accounts with Google’s anti-hijacking and suspicious login detection technologies. 

Additionally, G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers can now also:

  • Ensure that all Windows 10 devices used to access G Suite are updated, secure, and within compliance of organizational policies. 
  • Perform admin actions, such as wiping a device and pushing device configuration updates, to Windows 10 devices from the cloud without connecting to the corp network. 

This can help simplify device management, help to increase data security, and reduce the hurdles and logins users need to access applications and get work done. See our previous announcement for more details on the Windows 10 management features and benefits.

See our Help Center to learn more about enhanced desktop security for Windows. See our post on the Cloud Blog to learn how this and other launches can help G Suite customers stay secure.


Getting started 




Admin controls available for Windows 10 devices 

Availability 

Login and SSO features associated with Google Credential Provider for Windows:

  • Available to all G Suite and Cloud Identity customers 


Device management for Windows 10 devices:

  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers 

Context-Aware Access for SAML apps available in beta

What’s changing 

We’re enhancing Context-Aware Access (CAA) with a beta that enables admins to use it to control SAML apps. This gives admins the ability to control access to SAML apps based on the user, the device, and the context they are in when they are trying to access an app.

CAA for SAML apps will work for customers that use Google as the primary identity provider (IdP) to enable access to third party apps from pre-integrated SAML apps or custom SAML apps. It’s available to G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, and Drive Enterprise customers only. See our post on the Cloud Blog to learn how this and other launches can help G Suite customers stay secure.

Who’s impacted 

Admins only

Why you’d use it 

Using Context-Aware Access, you can create granular access control policies to apps based on attributes including the user, location, device security status, and IP address. This can improve your security posture by reducing the chances that there’s unintended access to specific apps and the data in them. Some ways you could use CAA for SAML include:

  • Only allow access to your CRM app when the user is on the corporate network. 
  • Only allow access to a cloud storage app if the user has an up to date operating system and an encrypted device. 
  • Only permit IT admins to access certain tools from a remote location. 
  • Only permit users in a specific country to access certain apps. 


Additional details 


Builds on the CAA for G Suite infrastructure 
Controlling CAA for SAML apps will use the same infrastructure and admin console interface as CAA for G Suite. That means you can use any pre-configured access levels, user groups, and end-user messaging for CAA to SAML. Use our Help Center to find out more about managing context aware access in G Suite.

CAA for SAML only enforced at time of sign-in 
CAA for SAML apps is only enforced at the time of sign-in. This is different from CAA for G Suite applications, which offers a higher level of control. G Suite applications are built by Google, and CAA controls are enabled for continuous evaluation of context (IP, device attribute, etc.) during use. As SAML apps are non-Google applications using Google sign-in, we’re only able to evaluate context at the point where a user signs in to these applications using Google sign-in. After that sign-in, the context is not evaluated again until the session is terminated and users try to sign in again with Google.

Getting started 


  • Admins: This is an open beta, so the controls will automatically become available to you if you are a G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, or Drive Enterprise customer. 
  • End users: No end-user impact until turned on by the admin. 

Availability 


  • Available to G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, and Drive Enterprise customers. 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers. 

Grant SAML app access to specific groups

Quick launch summary 

You can now enable SAML apps for specific groups of users in your organization. You could previously only enable them by organizational unit (OU). This provides extra flexibility, as you can now turn apps on or off for sets of users without changing your organizational structure.

SAML apps enable users to access enterprise cloud applications after signing in just once through Single-Sign-On (SSO). You can easily enable SAML with many pre-integrated applications in our third-party apps catalog, or you can set up custom SAML applications.

Use our Help Center to find out how to configure SAML applications.

Getting started 


  • Admins: This feature will be available by default and can be controlled at the group level. Visit the Help Center to learn more about how to configure SAML apps for G Suite
  • End users: There is no end-user setting for this feature. 

Control SAML apps by groups 

Availability 



  • Available to all G Suite customers

SSO + network mask domains can now force Google password reset on next login

What’s changing 

We’re providing more control over user password policies for some customers using third-party identity providers (IdPs) via SAML. Previously, these customers could not enforce the “Require password change” setting for their users. Now, SSO customers who have a network mask defined can turn on this setting and force their users to change their Google password the next time they log in using their G Suite or Cloud Identity credentials.

Who’s impacted 

Admins only

Why you’d use it 

For many customers who use third-party IdPs via SAML, preventing “Require password change” is the desired behavior. Their users only need to know their credentials for their IdP so forcing them to change their Google password is not meaningful.

However, some G Suite admins in domains with a third-party IdP use a network mask to allow some of their users to log in using their G Suite or Cloud Identity credentials. In such deployments, there may be users who sign in using their G Suite credentials. For these users, admins may want to generate a temporary password and then have the user change it on the next login. This update will help admins of domains that use SSO and a network mask to do this.

How to get started 


  • Admins: This update will only impact domains with a SAML IdP configured for SSO and a network mask. To check if you have a network mask, go to Admin console > Security > Network masks and see if there’s information defined. 




  • Admins at domains with SAML IdP configured for SSO and a network mask can turn on the setting in the Admin console (“Require password change”) or via the Admin SDK (“Do Force password change on Next Login”). Once turned on, it will be enforced for that user’s next login. See the sample screenshot below. 




  • If your domain has SSO but does not have a network mask configured, then there will be no change. The required password change option will show as OFF and you won’t be able to turn it on. See the sample screenshot below. 


Helpful links 

Help Center: Set up single sign-on for managed Google Accounts using third-party Identity providers
G Suite Admin SDK documentation for updating user details 

Availability 

Rollout details 


G Suite editions 

  • Available to all G Suite editions 

On/off by default? 

  • The new setting is automatically available depending on whether or not an SSO domain has a network mask configured.

Stay up to date with G Suite launches

Five new third-party applications added to G Suite pre-integrated SAML apps catalog

What’s changing 

We’re adding SAML integration for five additional applications:
  • Carbonite 
  • ComponentSpace 
  • Emburse 
  • Sentry 
  • Twic 

Use our Help Center to see the full list of SAML apps and find out how to configure SAML applications.

Who’s impacted 

Admins only

Why you’d use it 

With Single-Sign-On (SSO), users can access all of their enterprise cloud applications—including the Admin console for admins—after signing in just one time. Google supports the two most popular enterprise SSO standards, OpenID Connect and SAML, and there are already many applications with pre-integrated SSO support in our third-party apps catalog.

How to get started 

  • Admins: You can find our full list of pre-integrated applications, as well as instructions for installing them, in the Help Center.
  • End users: No action needed.

Additional details 

Note that apart from the pre-integrated SAML applications, G Suite also supports installing “Custom SAML Applications,” which means that admins can install any third-party application that supports SAML. The advantage of a pre-integrated app is that the installation is much easier. Use our Help Center to learn more about installing Custom SAML Applications.

Helpful links 

Help Center: Using SAML to set up federated SSO 
Help Center: Set up your own custom SAML application

Availability 

Rollout details 

G Suite editions 
Available to all G Suite editions.
On/off by default? 
This feature will be OFF by default and can be enabled at the OU level.

Ten third-party applications added to the G Suite pre-integrated SAML apps catalog

With Single-Sign-On (SSO), users can access all of their enterprise cloud applications—including the Admin console for admins—after signing in just one time. Google supports the two most popular enterprise SSO standards, OpenID Connect and SAML, and there are many applications with pre-integrated SSO support in our third-party apps catalog already.

We’re now adding SAML integration for ten additional applications:
  • Automox   
  • Boomi
  • GoodData    
  • LinkedIn Learning   
  • LiquidFiles    
  • Proxyclick  
  • Sigma Computing
  • TextExpander  
  • VersionOne 
  • Zimbra


You can find our full list of pre-integrated applications, as well as instructions for installing them, in the Help Center.

Note that apart from the pre-integrated SAML applications, G Suite also supports installing “Custom SAML Applications,” which means that admins can install any third-party application that supports SAML. The advantage of a pre-integrated app is that the installation is much easier. You can learn more about installing Custom SAML Applications in this Help Center article.

Launch Details 
Release track:
Launching to both Rapid Release and Scheduled Release

Editions: 
Available to all G Suite editions

Rollout pace: 
Gradual rollout (up to 15 days for feature visibility)

Impact: 
Admins only

Action: 
Admin action suggested/FYI

More Information 
Help Center: Using SAML to set up federated SSO


Launch release calendar
Launch detail categories
Get these product update alerts by email
Subscribe to the RSS feed of these updates

Nine third-party applications added to the G Suite pre-integrated SAML apps catalog

With Single-Sign-On (SSO), users can access all of their enterprise cloud applications—including the Admin console for admins—after signing in just one time. Google supports the two most popular enterprise SSO standards, OpenID Connect and SAML, and there are many applications with pre-integrated SSO support in our third-party apps catalog already.

We’re now adding SAML integration for nine additional applications:

  • CloudBees 
  • Coralogix 
  • iMeet Central 
  • monday 
  • Oomnitza 
  • OfficeSpace 
  • Spoke 
  • Stella Connect 
  • Wdesk 


You can find our full list of pre-integrated applications, as well as instructions for installing them, in the Help Center.

Note that apart from the pre-integrated SAML applications, G Suite also supports installing “Custom SAML Applications,” which means that admins can install any third-party application that supports SAML. The advantage of a pre-integrated app is that the installation is much easier. You can learn more about installing Custom SAML Applications in this Help Center article.

Launch Details 
Release track: 
Launching to both Rapid Release and Scheduled Release

Editions: 
Available to all G Suite editions

Rollout pace: 
Gradual rollout (up to 15 days for feature visibility)

Impact: 
Admins only

Action: 
Admin action suggested/FYI

More Information 
Help Center: Using SAML to set up federated SSO



Twelve third-party applications added to the G Suite pre-integrated SAML apps catalog

With Single Sign-On (SSO), users can access all of their enterprise cloud applications—including the Admin console for admins—after signing in just once. Google supports the two most popular enterprise SSO standards, OpenID Connect and SAML, and there are many applications with pre-integrated SSO support in our third-party apps catalog already.

Building on other recent launches (February 27th, March 12th, March 29th), we’re adding SAML integration for 12 additional applications:
  • Black Duck 
  • Brightcove
  • Chartio
  • Duo
  • Hootsuite
  • Jenkins
  • Jostle
  • Mango Apps 
  • SumTotal 
  • TextMagic 
  • Veracode 
  • Zinc 



Note that apart from the pre-integrated SAML applications, G Suite also supports installing “Custom SAML Applications,” which means that admins can install any third-party application that supports SAML. The advantage of a pre-integrated app is that the installation is much easier. You can learn more about installing Custom SAML Applications in this Help Center article.

Launch Details 
Release track:
Launching to both Rapid Release and Scheduled Release

Editions: 
Available to all G Suite editions 

Rollout pace: 
Gradual rollout (up to 15 days for feature visibility)

Impact: 
Admins only

Action: 
Admin action suggested/FYI

More Information
Help Center: Using SAML to set up federated SSO 

