Optimizing Single Sign-On (SSO) on Chromebooks

Single Sign-On (SSO) is a valuable tool for schools seeking to streamline user management and enhance Chromebook security. By implementing SSO, schools can simplify the login process for students and staff, integrate with existing identity management systems like Active Directory Federated Services (ADFS), and even utilize badges for younger students. This article will guide you through the best practices for setting up and optimizing SSO on Chrome devices, ensuring a seamless and secure login experience.

Setting Up SSO for Google Workspace

To begin, you’ll need to configure SSO within Google Workspace. This step allows your organization to centralize user authentication, providing a consistent login experience across devices and applications. The setup process may vary depending on your identity provider, so ensure you follow their specific integration steps.

  • From the Admin Console: Navigate to Security > Overview > Set up single sign-on (SSO) with a third-party IdP. Hover over SSO profile for your organization then click Edit. You can enable SSO for your entire organization by checking the SSO profile for your organization checkbox. Once enabled, all users will be directed to the SSO provider’s sign-in page when logging into Google Workspace.
    optimizeSSO1.png

Configuring Network Mask for SSO

A crucial aspect of SSO configuration is limiting its application to specific network environments using a network mask. This setting ensures SSO enforcement only occurs when users connect to a network within a designated IP range. This practice is beneficial for testing and troubleshooting the SSO setup before rolling it out organization-wide.

  • From the Admin Console: Navigate to Security > Overview > Set up single sign-on (SSO) with a third-party IdP. Hover over SSO profile for your organization then click Edit. Enter the mask in the Network masks field. By defining the network mask carefully, you can control when and where SSO is required, allowing for more flexible and secure deployments.
    SSONetworkMask.png

User Settings for SAML Integration

Specific user settings must be configured for Chromebooks to function correctly with SAML-based SSO. These settings ensure SSO enforcement on Chrome devices and that SAML tokens are passed seamlessly between the device and various applications.

    • From the Admin Console: Navigate to Devices > Chrome > Settings > User & Browser settings. Scroll to the Security section and click on Single sign-on. Set the SAML-based single sign-on for ChromeOS devices to Disable.
      SSODisableSAML.png

      Note: The Single Sign-On setting in this section will override any network mask configurations made earlier. This flexibility is essential for schools that want to implement unique login methods, such as using QR codes for younger students.

Managing SSO Cookies and Device Settings

The behavior of SSO cookies, which are crucial for maintaining user sessions, is managed through device settings. These settings determine how SAML tokens get passed from the Chrome device to applications like Google Workspace, Office 365, Zoom, Canvas, and Teams.

  • From the Admin Console: Navigate to Devices > Chrome > Settings > User & Browser settings. Scroll to the Sign-in settings section and click on Single sign-on cookie behavior. Configure the setting to Disable transfer of SAML SSO Cookies into user session during sign-in. 
    SSOCookieBehavior.png

Understanding the distinction between user settings and device settings is key to ensuring that SSO functions as intended across different scenarios. Device settings typically control what happens at the sign-in screen, while user settings apply after authentication.

IdP Redirection Options

Finally, consider configuring IdP redirection to customize the login flow further. When this option is enabled, users will be taken directly to the SSO IdP page on boot-up if a previous user signed in using SAML. Alternatively, you can set it so that users are redirected to the SSO page only after entering their username on the Google sign-in page.

This flexibility allows schools to tailor the login experience based on their specific needs, ensuring that SSO is both secure and user-friendly.

  • From the Admin Console: Navigate to Devices > Chrome > Settings > User & Browser settings. Scroll to the Sign-in settings section and click on Single sign-on IdP redirection. Configure the Redirect users to SAML SSO IdP setting to Take users to the default Google sign-in screen.
    SSORedirection.png

Need Help with SSO Setup?

If you require assistance setting up SSO in your Google Workspace environment, our support team is here to help. We offer services to help your team, from initial setup to ongoing support, ensuring your SSO implementation is smooth and effective.

 

The best way to reach support is to enter a support ticket through the Help Center. Here's the direct Submit a ticket link, which is available at the top of every Help Center page. You can also connect with our support team by emailing support@amplifiedit.cdw.com
If you want to obtain a support contract or have questions, reach out to a Google Customer Support Specialist
Learn more about the various ways we can help your team.

 

Document Version Date Description of Change
1.0 3/18/2024 Updated support link away from AIT legacy site
1.1 8/20/2024 Added support contact content block
1.2 8/23/2024 Rewrote, reverify

 

Articles in this section

See more