
Partial SSO for Google Workspace & Cloud Identity

Hey, Google Admins, this is Goldy again, and today I’ll talk to you about Google’s newly launched functionality called Partial Single Sign-On, or Partial SSO. If you are using or considering Google Workspace or Google Cloud Identity and you plan to use, or are already using, single sign-on, this new functionality will be very helpful.

Let me share my Google Slides first to explain how this functionality works, and then I’ll show you a live demonstration to see it in action.


Now, before we even talk about the new functionality, let’s take a step back and understand what would be missing without Partial Single Sign-On.

If you are a Google Workspace, Cloud Identity or GCP customer and you integrate your authentication with a third-party identity provider such as Azure, Ping or Okta, then once you turn on single sign-on, all your users are redirected to that third-party identity provider (IdP) for authentication, except the super admins.

But sometimes you have use cases that need a partial authentication setup, for example where all your full-time employees are redirected to your third-party identity provider, but your contractors should instead use Google’s own authentication.

This launch helps with those use cases. So now let’s understand the authentication flow with Google Workspace Partial SSO.

Google Workspace Partial SSO - Authentication Flow

[Diagram: Google Workspace Partial SSO authentication flow]

This is how the authentication flow looks with Partial SSO. You create your third-party identity provider profile as usual (you have already done that if you’re using SSO). What’s new is that instead of turning SSO on for the whole tenant, you can now specify which Google Workspace (or Cloud Identity) organizational units or groups the SSO profile applies to.

After the Partial SSO configuration, when a user goes to sign in they enter their email address, and based on that there is an identity provider lookup behind the scenes to determine which organizational unit or group the user belongs to.

Then, based on the authentication profile assigned to that orgUnit or group, the user is redirected accordingly: if it is the Google authentication profile, the user signs in on the Google Workspace or Cloud Identity login page itself; if it is a third-party identity provider profile such as Okta, Ping or Azure, the user is redirected to that IdP.
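To make that lookup concrete, here is a small Python model of the profile-resolution logic just described; it is an added example, not Google’s code. It assumes a tenant where the root orgUnit has no assignment (Google sign-in), a Contractors orgUnit overrides that with an Okta SSO profile, and super admins bypass SSO; it also generalizes the flow to nested orgUnits with an explicit Google-profile override on a child orgUnit, and leaves group-based assignment out. Domain and user names are constructed.

```python
"""Constructed model of the Partial SSO sign-in lookup (not Google's code):
resolve which authentication profile handles a user's sign-in."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

GOOGLE = "Google authentication"  # stay on the Google login page itself

@dataclass
class Tenant:
    parents: Dict[str, Optional[str]]  # orgUnit path -> parent path (root: None)
    assignments: Dict[str, str]        # orgUnit path -> profile; absent = inherit
    users: Dict[str, str]              # user email -> orgUnit path
    super_admins: Set[str] = field(default_factory=set)

    def lookup(self, email: str) -> str:
        """Return the profile handling a sign-in for `email`."""
        email = email.strip().lower()
        if email not in self.users:
            raise KeyError(f"unknown user: {email}")
        # Super admins always bypass SSO and authenticate with Google.
        if email in self.super_admins:
            return GOOGLE
        # Walk from the user's orgUnit up to the root; the nearest explicit
        # assignment wins, so a child orgUnit overrides its parent.
        ou: Optional[str] = self.users[email]
        while ou is not None:
            if ou in self.assignments:
                return self.assignments[ou]
            ou = self.parents[ou]
        # No assignment anywhere on the path: Google handles the sign-in.
        return GOOGLE

def demo_tenant() -> Tenant:
    """Constructed tenant mirroring the demo: root has no assignment,
    Contractors is assigned the Okta SSO profile (assumed profile name)."""
    return Tenant(
        parents={"/": None, "/Contractors": "/", "/Contractors/Interns": "/Contractors"},
        assignments={
            "/Contractors": "Okta SSO profile",
            "/Contractors/Interns": GOOGLE,  # explicit override back to Google
        },
        users={
            "employee@example.com": "/",
            "contractor@example.com": "/Contractors",
            "intern@example.com": "/Contractors/Interns",
            "admin@example.com": "/Contractors",
        },
        super_admins={"admin@example.com"},
    )
```

Calling `demo_tenant().lookup("contractor@example.com")` returns the Okta profile, while `employee@example.com` and the super admin resolve to Google, matching the demo later on the page.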

System Requirements to set up Google Workspace Partial SSO

Now, before I show you the live demonstration, let me quickly cover the logistics, or the requirements, to set up Partial SSO.

Admin privileges required for Partial SSO

  1. Third-party IdP: You need a third-party identity provider such as Okta, Ping, Azure or ADFS.

  2. Security Settings privilege: As a delegated administrator, you need the Security Settings privilege.

  3. OrgUnit and Groups privilege: As a delegated admin, you also need read privilege on groups and organizational units.

    With orgUnit read privilege you can apply the settings to organizational units, but if you do not have the groups read-only permission, you will not see the groups during the Partial SSO configuration and will not be able to apply the policy to groups.

  4. User privilege: User read privilege is optional. You cannot apply the Partial SSO policy to an individual user. However, with user read permission, on the screen where you make these changes you can enter a user’s email address to see which profile, Google authentication or the third-party IdP, is assigned to that specific user.

Super Admins bypass Google Workspace SSO

As mentioned earlier, super admins are the exception: they are not redirected to the third-party IdP for authentication.

Google Workspace Partial SSO - Live Demonstration


With that understanding, let’s look at the live demonstration of Partial SSO in Google Workspace or Cloud Identity.

Go to Third-party identity providers

Here I am in my Google Workspace Admin console. First I go to the security settings to show you the new functionality.

Okta is already configured as the IdP

If I go to Third-party identity providers, I have already configured Okta as my IdP. What’s new here is the assignment of the profile.

Click on your root orgUnit

When I click Manage assignments, I can select an organizational unit. For example, when I click Goldy AD, which is my root orgUnit, it has no profile assignment, which means users in this tenant or orgUnit sign in via Google.

Assign the SSO profile to the Contractors orgUnit

However, for the Contractors organizational unit I have overridden that and assigned my domain’s SSO profile, so when users in the Contractors orgUnit now sign in to Google Workspace or Google Cloud Identity, they are redirected to Okta.

Enter your email address

Now let me open an incognito window for the demo. I go to Google Drive, for example, and enter employee at my domain dot com, which is a Google Workspace user in my main tenant.

It asks for your Google Workspace password

It asks me for my Google Workspace password, which means Google is the authentication provider.

Try another email address that belongs to the SSO profile

However, if I change the email address to contractor at my domain dot com, this contractor’s email address is part of my Contractors organizational unit, which has the SSO profile assigned, so it should be redirected to Okta for authentication.

It redirects to the third-party identity provider

When I click Next, you can see that I have been redirected to Okta. That is how the functionality called Partial Single Sign-On, or Partial SSO, works.

Partial SSO - Conclusion

As you can see, this new Partial SSO feature is very helpful when you want to use a third-party IdP alongside Google’s authentication for a subset of your users in Google Workspace or Google Cloud Identity.

I hope this helped you understand how Partial SSO works. If you have any feedback, comments or questions, do not hesitate to leave them below and I’ll be happy to collaborate.

Thank you so much.
