Setting up Chrome Devices to sign-in using an established Single Sign-On (SSO) platform is often desired by schools that are leveraging SSO to simplify user management. Whether wanting to audit sign-in activities through Active Directory Federated Services (ADFS) or using badges for younger students, SSO offers an alternative to the standard Google sign-in experience which is native to Chromebooks.
First, we need to set up an SSO for Google Workspace. This is done in the Security > Overview > Set up single sign-on (SSO) with a third party IdP. An example of the setup page can be found below. If you were to check the box with the Set up SSO with third-party identity provider, this would be live for all users as they attempt to sign into Google Workspace.
Configuring a network mask will limit the impact of the SSO setting to only enforce this setting on users when their public IP address is in a given range. This scenario is often used for troubleshooting/testing to ensure that the SSO connection is configured properly before forcing it to all users:
For ChromeOS to work with SAML, the following USER settings should be configured for users which you want to use SSO when they are on a Chrome Device. This setting is here in the Admin console Devices > Chrome > Settings > User & Browser settings.
The Single sign-on setting above will override the Network Mask option from the SAML setup page. This is also a clever hack used by Identity providers that want to allow the use of QR Codes for user-based sign-in on Chrome Devices. This way, if you configure the network mask to only authenticate via SAML when users are on a network like 126.96.36.199 (Cloudflare’s public DNS – a network your users will never be on), you can have only Chromebook users utilize SAML. You can additionally configure SAML Cookies to be required to refresh on a regular basis with nearby settings for Users.
Lastly, the behavior of SSO Cookies being passed into the user session is a DEVICE setting. Devices > Chrome > Settings > Device Settings. In general, you can think of anything configured at the Sign-in screen as a Device Setting, and anything configured after the user authentication as a User Setting. This is the setting that will give the desired behavior originally stated: passing SAML tokens on to Google Workspace, Office 365, Zoom, Canvas, and Teams.
Additionally, there is an IdP redirection option. When this is set to allow users to go directly to the SAML SSO IdP page, once any user has used SAML to sign in on the device, the boot up sign in page will be the page configured in the Security > Overview > Set up single sign-on (SSO) with a third party IdP page. If it is set to Take users to the default Google sign-in page then users will be redirected to the SSO sign-in page only after they enter a username on the Google sign-in page which would require SAML Authentication.
Need help and consultation with setting up SSO in your Google Workspace environment? CDW Amplified for Education offers support to schools by way of consultation, performing tasks, creating custom solutions, etc. for schools that have support contracts with us. If you are wanting to know more about our support services or to request a quote, you can email email@example.com.