Partial SSO for Google Workspace & Cloud Identity
Hey, Google Admins, this is Goldy again, and today I’ll talk to you about Google’s newly launched functionality called Partial Single Sign on or Partial SSO, so in case if you are using or considering Google workspace or Google cloud identity and you plan to use or if you’re using single sign on, this new functionality will be very helpful.
let me share my Google slides first to make you understand how this functionality will be working, and then I’ll show you the live demonstration to see that in action.
Now, before even we talk about the new functionality, let’s take a step back and understand, what will be missing without this new partial single sign on functionality?
If you are a Google Workspace or cloud identity or GCP customer, what happens is if you plan to integrate your authentication with a third party identity provider like Azure or Ping, or Okta etc, then once you turn on single sign on, all your users will be redirected to that third party identity provider (IdP) for authentication except the super admins.
But sometimes you would have use cases where you need partial authentication system, for e.g where all your full time employees will be redirected to your third party identity provider, but your contractors should rather be leveraging Google’s authentication system.
This launch will help you with those use cases. So now let’s understand the flow of authentication with Google Workspace Partial SSO
Google Workspace Partial SSO - Authentication Flow
So this is how the authentication flow looks like with the partial single sign on, you would have your third party identity provider profile created as usual, you have done that already if you’re using SSO but what’s new here is that instead of just turning on the SSO for the whole tenant, now you can specifically define whether this SSO profile will be applicable to certain Google Workspace (or Cloud Identity) groups or organizational units.
After the partial SSO configuration, when your users go to log in, they will enter their email address, and based on that, there will be an identity provider lookup behind the scene to see whether this user belongs to a specific organizational unit or group.
Then, based on what’s behind that orgUnit or group in terms of the authentication profile (e.g Is that the Google authentication profile, which means users should be redirected then to Google workspace or cloud identity login page itself, or it’s the third party identity provider like Okta or Ping or Azure, and then users will be redirected to that IDP).
System Requirements to setup Google Workspace Partial SSO
Now, before I show you the live demonstration, let me give you just a quick piece of information. Let’s talk about the logistics or the requirements to set up a Partial SSO.
- Third Party IdP : You will need a third party identity provider such as Okta, Ping, Azure, ADFS etc.
- Security Settings Privilege : As a delegated administrator, you would need security settings privilege.
- OrgUnit & Groups Privilege : As a delegated admin, you should also have groups and orgUnit read privilege.
Once you have orgUnits read privilege, you should be able to apply the settings on organizational units, but in case if you do not have groups read-only permission, then you will not be able to see the groups when you are doing Partial SSO configuration, and you won’t be able to apply the policy on groups.
User Privilege : User read privilege is optional. You can’t apply the partial single sign on (Partial SSO) policy to an individual user. However with user read permission (on the screen where you will be making these changes) you would be able to enter a user’s email address to see which profile, whether it’s Google authentication or the third party IdP that is assigned to this specific user.
When I say by design, think of a scenario where just in case, if your IDP server goes down, you do not want to be locked out and let all your people not be able to log in to Google. That's why if you're a super admin in that specific scenario, you can just log in with your Google credentials, turn off single sign on, perform troubleshooting, and turn if back on once you have your SSO server working.
Google Workspace Partial SSO - Live Demonstration
So with that understanding, let’s look at the live demonstration of partial single sign on in Google workspace or cloud identity.
Here I am in my Google Workspace admin console. So first I will go to security settings to show you that new functionality.
If I go to third party identity providers, I have already configured Okta as my IdP, but what’s new here is this assignment of profile.
When I click on manage assignments here, I can click on the organizational unit (for example, when I click on Goldy AD, which is my root orgUnit, I’ve said no profile assignment for it, which means users in this tenant or orgUnit should be signing in via Google.
However, for the contractors organizational unit, I have overridden it and said that it has my domain’s SSO profile assigned, so essentially when my users in contractor organizational unit now login Google Workspace or Google Cloud Identity, they should be redirected to talk to Okta.
So now let me open an incognito window and let’s see the demo. So I will go to google drive, for example, and here, if I say employee at my domain dot com, which is my Google Workspace user in my main tenant.
It is asking me for my Google Workspace password, which means Google is the authentication provider.
However, if I go ahead and change that email address to contractor at my domain dot com, because this contractor’s email address is part of my contractors organizational unit, which has that SSO profile assigned, it should ideally be redirected to Okta for authentication.
So when I click next, you will see that I’ve been redirected to Okta. So this is how this functionality called partial single sign or Partial SSO works.
Partial SSO - Conclusion
As you see, this Partial SSO new feature would be very helpful for cases where you want to leverage 3rd party IdP along with Google’s authentication for subset of your users in Google Workspace or Google Cloud Identity.
I hope it was helpful for you to understand how partial sso would work, in case if you have any feedback or comment or question, do not hesitate to put it below and I’ll be happy to collaborate.
Thank you so much.