In this article we can see how to configure Okta as the man IdP for your Google Workspace tenant.
Introduction
Security Assertion Markup Language (SAML) single sign-on (SSO) support for Chrome devices allows users to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization.
Their passwords can remain within your organization's Identity Provider (IdP). Signing in is very similar to signing in to a Google Workspace (G Suite) account from a browser via SAML SSO with Google Workspace (G Suite). However, because a user is signing in to a device, there are several additional considerations.
With this "How to", the idea is to show you that you can have a Chromebook and be presented with an Okta authentication page rather than the standard Google login challenge.
Add Google Workspace application in Okta
The first step is to add the “Google Workspace” application on your Okta admin console.

From your Okta portal (homepage), click on “Admin”.

Go to “Applications”.

Click on “Add Application”.

Enter “Google Workspace” on the search field and click on “Google Workspace”.

Click on “Add”.

Enter your Google domain name and click on “Next”.

Select “SAML 2.0” and click on ”Save”.

Assign users and groups to your Google Workspace application
Now that we have the "Google Workspace" application, we will manage user affectation.
I. Assign users
We can assign users manually.
From the “Assignments” tab, click on “Assign” then on “Assign to People”.

Select the user and click on “Assign”.

It’s then possible to manage attributes, Organizational units and Licenses.
After this, click on “Save and Go Back”.

Click on “Done”.

II. Assign Groups
For more flexibility, it’s also possible to assign user groups.
From the “Assignments” tab, click on “Assign” then on “Assign to Groups”.

Select the user group and click on “Assign”.

As a user assignment, it’s possible to manage Organizational units and licenses.
Then click on “Save and Go Back”.

Click on “Done”.

Single sign-On configuration
We will see now how to configure the SSO feature from your Google Admin Console.
Click on “Sign On” then on “View Setup Instructions”.

Scroll down on the “Complete the Single Sign-On Screen” section.
You will find URLs information. Copy all information.
Click on the “Verification certificate” URL to download the certificate.

Now, you can connect to your Google Admin console, and from there you can click on “Security”.

Scroll down on the page and click on “Set up single sign-on (SSO) with a third party IdP”.

Click on “Set up SSO with a third-party identity provider”.
Paste the Sign-in and Sign-out page URLs from Okta.
Paste the following URL on the “Change password URL”: https://youroktatenant.okta.com/enduser/settings
Then click on “Replace certificate” and select the Okta certificate downloaded previously.
Finally click on “Save”.

Now from the menu, click on “Devices” > “Chrome” > “Settings” > “Users & browsers”.

From the “User & Browser settings” tab:
Create a filter with “SAML” to directly have the feature that we need.
Select the OU on target. Then select “Enable SAML-based single sign-on for Chrome devices”.
Then, click on “Save”.
Note: you can modify the SSO Online Login Frequency if needed.
Finally, click on “Device Settings”.

From the “Device Settings” tab:
Create a filter with “SAML” to directly have the feature that we need.
Select the OU on target.
Then select “Allow users to go directly to SAML SSO IdP page” and “Enable transfer of SAML SSO Cookies into user session during sign-in”.
Finally, click on “Save”.

Provision users and groups to Google Workspace
Let's go back on your Okta Console.
Click on “Provisioning” then on “Provisioning to app”. With this option, you can provision Google Workspace from Okta.
And “Enable”:
- Create users
- Update User Attributes
- Deactivate Users

Select “Integration” and “Enable API Integration” to authenticate Okta on Google Workspace.

To provision groups, select the “Push Groups” menu and add Group on “Pushed Groups”.

Search the group that you want to be pushed from Okta to Google Workspace, and select it.

Then match your Okta group with your Google Workspace group.
And “Save”.

Conclusion
Good Job, we have now our Google Workspace tenant federated with Okta.
As explained this allows us to authenticate our Google accounts trought Okta acting as the main IdP for our company.
The users can access their Google Workspace environment directly from the Okta Portal with the SSO experience.
Thanks for reading us and stay tunned for more content.