Setting up Chrome Devices to sign-in using an established Single Sign-On (SSO) platform is often desired by schools that are leveraging SSO to simplify user management. Whether wanting to audit sign-in activities through Active Directory Federated Services (ADFS) or using badges for younger students, SSO offers an alternative to the standard Google sign-in experience which is native to Chromebooks.
First, we need to set up an SSO for Google Workspace. This is done in the Security > Set up sign-on (SSO) with a third party. An example of the setup page can be found below. If you were to check the box with the “Set up SSO with third-party identity provider”, this would be live for all users as they attempt to sign into Google Workspace.
Configuring a network mask will limit the impact of the SSO setting to only enforce this setting on users when their public IP address is in a given range. This is often used for troubleshooting/testing to ensure that the SSO connection is configured properly before forcing it to all users:
For ChromeOS to work with SAML, the following USER settings should be configured for users which you want to use SSO when they are on a Chrome Device. This setting is found at the Devices > Chrome > Settings > User & Browser settings page in the Admin console.
The “Single sign-on” setting above will override the Network Mask option from the SAML setup page. This is also a “clever hack” used by Identity providers that want to allow the use of QR Codes for user-based sign-in on Chrome Devices. This way, if you configure the network mask to only authenticate via SAML when users are on a network like 18.104.22.168 (Cloudflare’s public DNS – a network your users will never be on), you can have only Chromebook users utilize SAML. You can additionally configure SAML Cookies to be required to refresh on a regular basis with nearby settings for Users.
Lastly, the behavior of SSO Cookies being passed into the user session is a DEVICE setting. In general, you can think of anything that is configured at the Sign-in screen as a Device Setting, and anything that is configured after the user authentication as a User Setting. This is the setting that will give the desired behavior originally stated: “passing SAML tokens on to Google Workspace, Office 365, Zoom, Canvas, and Teams”.
Additionally, there is a “IdP redirection” option. When this is set to allow users to go directly to the SAML SSO IdP page, once any user has used SAML to sign-in on the device, the boot up sign-in page will be the page configured in the Security > Set up sign-on (SSO) with a third-party page. If it is set to “Take users to the default Google sign-in page” then users will be redirected to the SSO sign-in page only after they enter a username in the Google sign-in page which would require SAML Authentication.
Need help and consultation with setting up SSO in your Google Workspace environment? Amplified IT offers support to schools by way of consultation, performing tasks, creating custom solutions, etc. for schools that have support contracts with us. If you are wanting to know more about our support services or to request a quote, you can email email@example.com.
Technical Support Analyst
About the Author:
Stephen lives in Utah and enjoys the puzzle of investigating users’ problems and finding potential solutions. A recovering/reformed gamer, Stephen throws himself into his passion for staying on top of all things Chrome OS and Chromebook related. Prior to joining Amplified IT, Stephen served as a network admin in a therapeutic boarding school and an IT director, where he implemented Google for Education. Stephen has studied computer science and security at Weber State University, Western Governors University. A self-anointed honor, Stephen likes Chromebooks more than almost anyone else in the world.