Google Okta Chromebook Identity Identity Management & SSO Authentication SSO

Chrome Enterprise : How to configure Okta as IdP

Jul 16, 2021 5 min read
Chrome Enterprise : How to configure Okta as IdP

In this article we can see how to configure Okta as the man IdP for your Google Workspace tenant.

Introduction

Security Assertion Markup Language (SAML) single sign-on (SSO) support for Chrome devices allows users to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your organization.

Their passwords can remain within your organization's Identity Provider (IdP). Signing in is very similar to signing in to a Google Workspace (G Suite) account from a browser via SAML SSO with Google Workspace (G Suite). However, because a user is signing in to a device, there are several additional considerations.

With this "How to", the idea is to show you that you can have a Chromebook and be presented with an Okta authentication page rather than the standard Google login challenge.

Add Google Workspace application in Okta

The first step is to add the “Google Workspace” application on your Okta admin console.

From your Okta portal (homepage), click on “Admin”.

Go to “Applications”.

Click on “Add Application”.

Enter “Google Workspace” on the search field and click on “Google Workspace”.

Click on “Add”.

Enter your Google domain name and click on “Next”.

Select “SAML 2.0” and click on ”Save”.

Assign users and groups to your Google Workspace application

Now that we have the "Google Workspace" application, we will manage user affectation.

I. Assign users

We can assign users manually.

From the “Assignments” tab, click on “Assign” then on “Assign to People”.

Select the user and click on “Assign”.

It’s then possible to manage attributes, Organizational units and Licenses.
After this, click on “Save and Go Back”.

Click on “Done”.

II. Assign Groups

For more flexibility, it’s also possible to assign user groups.

From the “Assignments” tab, click on “Assign” then on “Assign to Groups”.

Select the user group and click on “Assign”.

As a user assignment, it’s possible to manage Organizational units and licenses.
Then click on “Save and Go Back”.

Click on “Done”.

Single sign-On configuration

We will see now how to configure the SSO feature from your Google Admin Console.

Click on “Sign On” then on “View Setup Instructions”.

Scroll down on the “Complete the Single Sign-On Screen” section.

You will find URLs information. Copy all information.

Click on the “Verification certificate” URL to download the certificate.

Now, you can connect to your Google Admin console, and from there you can click on “Security”.

Scroll down on the page and click on “Set up single sign-on (SSO) with a third party IdP”.

Click on “Set up SSO with a third-party identity provider”.

Paste the Sign-in and Sign-out page URLs from Okta.

Paste the following URL on the “Change password URL”: https://youroktatenant.okta.com/enduser/settings

Then click on “Replace certificate” and select the Okta certificate downloaded previously.

Finally click on “Save”.

Now from the menu, click on “Devices” > “Chrome” > “Settings” > “Users & browsers”.

From the “User & Browser settings” tab:

Create a filter with “SAML” to directly have the feature that we need.

Select the OU on target. Then select “Enable SAML-based single sign-on for Chrome devices”.

Then, click on “Save”.

Note: you can modify the SSO Online Login Frequency if needed.

Finally, click on “Device Settings”.

From the “Device Settings” tab:

Create a filter with “SAML” to directly have the feature that we need.

Select the OU on target.

Then select “Allow users to go directly to SAML SSO IdP page” and “Enable transfer of SAML SSO Cookies into user session during sign-in”.

Finally, click on “Save”.

Provision users and groups to Google Workspace

Let's go back on your Okta Console.

Click on “Provisioning” then on “Provisioning to app”. With this option, you can provision Google Workspace from Okta.

And “Enable”:

  • Create users
  • Update User Attributes
  • Deactivate Users

Select “Integration” and “Enable API Integration” to authenticate Okta on Google Workspace.

To provision groups, select the “Push Groups” menu and add Group on “Pushed Groups”.

Search the group that you want to be pushed from Okta to Google Workspace, and select it.

Then match your Okta group with your Google Workspace group.
And “Save”.

Conclusion

Good Job, we have now our Google Workspace tenant federated with Okta.

As explained this allows us to authenticate our Google accounts trought Okta acting as the main IdP for our company.

The users can access their Google Workspace environment directly from the Okta Portal with the SSO experience.

Thanks for reading us and stay tunned for more content.

Published by
Tristan Barthe
Tristan Barthe
Absolute passionate about new technology, Tristan joined Mobinergy in September 2017 after 8 years at Apple Always looking for challenges, he is now our Google Expert in the green Team !
Great! Next, complete checkout for full access to Mobinergy Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Mobinergy Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.