Security Assertion Markup Language (SAML) single sign-on (SSO) support for ChromeOS devices allows users to sign in to a device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP). Signing in is very similar to signing in to a Google Workspace account from a browser via SAML SSO. However, because a user is signing in to a device, there are several additional considerations.
Requirements
- ChromeOS device running version 36 or higher
- Domain configured for SAML SSO for Google Workspace
- SAML URL using HTTPS not HTTP
- ChromeOS licenses for your devices
To learn about validated enterprise identity providers that meet all ChromeOS requirements, see our Chrome Enterprise Recommended program.
Step 1: Set up SSO
If you haven’t already, set up single sign-on for managed Google Accounts using third-party Identity providers.
Step 2: Test SSO
Set up and test SAML SSO on a test domain you own. If you don’t have a test domain, test SAML SSO with a small number of users by creating a test group and enabling SSO for users only in that group. After testing SAML SSO with a small number of users, roll it out to approximately 5% of your users.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeSettings. The User & browser settings page opens by default.
If you signed up for Chrome Enterprise Core, go to Menu Chrome browserSettings.
- To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Security.
- Click Single sign-on.
- Select Enable SAML-based single sign-on for Chrome devices.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit.
(Optional) Step 3: Enable SAML SSO cookies
To allow single sign-on users to log in to internal websites and cloud services that rely on the same IdP on subsequent sign-ins to their device, you can enable SAML SSO cookies.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeSettingsDevice settings.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Sign-in settings.
- Click Single sign-on cookie behavior.
- Select Enable transfer of SAML SSO cookies into user session during sign-in. For more details, see Set ChromeOS device policies.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit.
(Optional) Step 4: Keep local ChromeOS and SAML SSO passwords in sync
You can choose to sync ChromeOS device local passwords with users' SAML SSO passwords.
By default, the local password is updated every time users sign in online. You can configure how often users are required to sign in online using the SAML single sign-on login frequency or SAML single sign-on unlock frequency settings. However, some users might change their SAML SSO password before they’re required to sign in online again. If that happens, users continue to use their old local ChromeOS password until the next time they sign in online.
To keep the local ChromeOS password in sync with their SAML SSO password, you can force them to sign in online as soon as their SAML SSO password changes. That way, they update their ChromeOS password almost immediately.
- To notify Google of user password changes, you can use any of the following;
- IdP integration—For example, if you use Okta, you can use Okta workflows. For details, see GitHub documentation.
-
Microsoft Entra ID integration—Change Password Notifier (CPN for Microsoft Entra ID) notifies Google of Microsoft Entra ID password changes. For details, see Sync ChromeOS passwords using Change Password Notifier for Microsoft Entra ID.
- AD integration—Change Password Notifier for Active Directory (CPN for AD) notifies Google of Microsoft AD password changes. For details, see Sync ChromeOS passwords using Change Password Notifier for Active Directory.
- API integration—Integrate your IdP with the device token API. You can get the Chromedevice token API here. For details, see Enable API suite for cloud project.
- Configure the relevant settings;
- SAML single sign-on password synchronization flows—Choose whether you want to enforce online sign-ins for the login screen only, or for both the login and lock screen. For details, see Set Chrome policies for users or browsers.
- SAML single sign-on password synchronization—Select Trigger authentication flows to synchronize passwords with SSO providers. For details, see Set Chrome policies for users or browsers.
(Optional) Step 5: Notify your users of upcoming password changes
You can ensure that users are informed of upcoming password changes on their ChromeOS devices.
Currently, password expiration notifications are not supported for Microsoft Entra ID.
Note: We recommend that you do either Step 4: Keep local ChromeOS and SAML SSO passwords in sync or Step 5 Notify your users of upcoming password changes, not both.
To inform users about upcoming password changes;
- Using the Google Admin Console, set up single sign-on for managed Google Accounts using third-party Identity providers.
- Configure SAML assertion for password expiry for your SAML SSO provider. See the example below.
- Using the Admin console, configure the settings.
- SAML single sign-on login frequency—Enter a value that is smaller than the password expiration time. ChromeOS only updates its assertions during online logins. For details, see Set Chrome policies for users or browsers.
- SAML single sign-on password synchronization—Select Trigger authentication flows to synchronize passwords with SSO providers. Specify how many days in advance users should be notified. You can enter a value between 0 and 90 days. Left blank, the default value of 0 is used and users are not notified in advance, only when their password expires. For details, see Set Chrome policies for users or browsers.
Example AttributeStatement
In the example;
- Attribute name contains passwordexpirationtimestamp—The timestamp when the authenticating user's password will expire. Can be empty if the password will not expire, can be in the past if already expired. If you prefer, you can use passwordmodifiedtimestamp instead.
- Attribute value is NTFS filetime—The number of 100ns ticks since 1st of January 1601 UTC. If you prefer, you can set Unix time or ISO 8601 date and time instead. No other formats are accepted.
<AttributeStatement>
<Attribute
Name="http://schemas.google.com/saml/2019/passwordexpirationtimestamp">
<AttributeValue>132253026634083525</AttributeValue>
</Attribute>
</AttributeStatement>
(Optional) Step 6: Enable SAML SSO IdP Redirection
To allow single sign-on users to navigate directly to your SAML IdP page instead of first having to type in their email address, you can enable SAML SSO IdP Redirection.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeSettingsDevice settings.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Sign-in settings.
- Click Single sign-on IdP redirection.
- Select Allow users to go directly to SAML SSO IdP page. For more details, see Set ChromeOS device policies.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit.
(Optional) Step 7: Username passthrough
You can automatically pass usernames from Google Identity to the 3P IdP to avoid users having to type their username twice.
Before you begin
- This feature is only available to IdPs that allow username handover as part of the SAML query. For details, see Autofill username on SAML IdP login page.
- If you always redirect users to the third-party identity provider (3P IdP) by completing step 7, username passthrough is limited to reauthentication flows. For details, see the SAML single sign-on login frequency or SAML single sign-on unlock frequency settings.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeSettingsDevice settings.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Sign-in settings.
- Click Autofill username on SAML IdP login page.
- Enter the URL parameter name.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit.
(Optional) Step 8: Control content on the sign-in and lock screens
When SAML or OpenID Connect single sign-on is used for user authentication, or when configuring network connections with Captive Portals outside of user sessions, you can block or allow URLs on user sign-in and lock screens using the DeviceAuthenticationURLBlocklist and DeviceAuthenticationURLAllowlist policies.
For more details, see Blocked URLs on the sign-in / lock screens and Blocked URL exceptions on the sign-in / lock screens.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeSettingsDevice settings.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Sign-in settings.
- Click Blocked URLs on the sign-in / lock screens.
- Specify which URLs to block from the sign-in and lock screens.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit.
- Click Blocked URL exceptions on the sign-in / lock screens.
- Specify which URLs to allow from the sign-in and lock screens.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit.
(Optional) Step 9: Turn on automatic sign-in screen refresh
If the 3P IdP sign-in page using SAML or OpenID SSO is permanently shown on the sign-in screen, we recommend that you use the automatic sign-in screen refresh. This prevents the online sign-in page from timing out when it’s left idle. We recommend setting the refresh interval to be at least 1 minute shorter than the expiration time of your sign-in page. Read about the Automatic online sign-in screen refresh setting.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Sign-in settings.
- Click Automatic online sign-in screen refresh
- Enter a value between 5 and 10080 minutes.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit.
Step 10: Roll out SAML SSO for devices
After testing SAML SSO for devices on 5% of your organization, you can roll it out to everyone by enabling the same policy for additional groups. If you run into issues, contact Google Cloud support.
Sign in to a ChromeOS device with SAML single sign-on
Once SAML SSO on devices has been configured for your organization, users will see the following steps when they sign in to a device.
Requirements
- You’ve completed all of the steps described above.
Sign-in Sequence:
Instruct your users to do the following when first signing in to their device. Note: You will need to test this before rolling it out to your organization.
- Enter your username (full email address) on the ChromeOS device sign in page. A password is not needed in this step.
- You will be taken to your organization’s SAML SSO page. Enter your SAML credentials on the SAML provider login page.
- If prompted, re-enter your password to complete sign-in. This step is only necessary if your Identity Provider has not yet implemented the Credentials Passing API. This is necessary to allow offline access to your device and also to be able to unlock it.
- When signed in successfully, your session starts and the browser opens. The next time you sign in, you will only need to enter your password once when you start up your device. If you run into issues, please contact your IT administrator.
FAQs
Can I use Windows Integrated Authentication (WIA) to allow users sign in to browser-based apps and the intranet without having to manually enter their username and password?
No. We no longer support WIA in Active Directory Federation Services (AD FS). For more details, see Migrating to cloud-based Chrome management.
After signing in with my SAML provider, I am prompted to re-enter my password. Is that normal?
Yes. This is necessary to allow offline access to your ChromeOS device and to be able to unlock it. We have an API that SAML vendors can implement to remove the need for this confirmation step.
If a user changes their password on another device, how do you make sure the device gets updated to unlock with the new password?
We recommend you use the simple update method on our Directory API which will notify our authentication server when a password is changed. Enter the password value in the Request body. If the API is not used, the password change will be detected at the next online login flow. By default, the device will force an online sign in every 14 days even if the password didn't change. You can change this period in the Admin console by going to DevicesChromeSettingsUsers & browsersSAML single sign-on online login frequency.
My password has special characters, will it work?
We support ASCII printable characters only.
I see the screen “Oops, couldn't sign you in. Sign-in failed because it was configured to use a non-secure URL. Please contact your administrator or try again”. What should I do?
If your employees are reporting this error message, it means that the SAML IdP is trying to use an HTTP URL and only HTTPS is supported. It is important that the entire sign-in flow uses HTTPS only. So even if the initial sign-in form is served over HTTPS, you can get this error if your IdP redirects to an HTTP URL somewhere later in the process. If you fix this and users are still getting the error message, please contact Google Cloud support.
I am an IT administrator. Why am I am not being redirected to my SAML Identity Provider?
This is by design. In the event of something going wrong during setup, we still want the administrator to be able to login and troubleshoot the problem.
Does SSO work with TLS and SSL content filters?
Yes. Please follow Set up TLS (or SSL) inspection on ChromeOS devices for setup. In addition to allowed domains documented in Set up a host name allowlist, you also need to allow your SSO Identity Provider domain and www.google.com.
How does SSO work with camera permissions?
To give third party software direct access to the device camera on behalf of your SSO users, you can enable single sign-on camera permissions.
Go to DevicesChromeSettingsDevice settingsSingle sign-on camera permissionsAllowlist of single sign-on camera permissions.
For more details, see Set ChromeOS device policies.
Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.