Enterprise companies are using cloud apps at an ever-increasing pace. By extending Single Sign-On (SSO) to cloud apps, employees can use their corporate credentials to sign into software as a service (SaaS) apps or in-house apps hosted in the cloud.
SSO provides a single point of authentication through an Identity provider (IdP). Users can access third-party cloud apps but their credentials aren't stored with the third party. In many cases, credentials for the third-party apps don't exist.
Your company wants to increase security by enforcing SSO while providing the convenience of SSO to your users. An IdP must authenticate access to all cloud apps at your company.
To provide users with SSO-based access to selected cloud apps, Cloud Identity as your IdP supports the OpenID Connect (OIDC) and Security Assertion Markup Language 2.0 (SAML) protocols.
Cloud Identity has a large catalog of SAML apps. G Suite users can get OIDC apps in the G Suite Marketplace. While most cloud apps only support one of these protocols, a few support both.
SAML catalog apps
- SAML is well-established in the enterprise.
- Only admins can install the apps, so they control which apps are available to employees.
- The third-party SaaS provider and Google work together on the connector, and Google validates apps in the catalog.
- Installation is quick and smooth.
- Setting up a SAML app is a bit more work than setting up an OIDC app.
- Not all enterprise apps support SAML, and some enterprise apps charge more for SAML features.
OIDC G Suite Marketplace apps
- OIDC is a more lightweight, modern protocol than SAML.
- Admins and users can install the apps, but users can only install apps the admin has whitelisted.
- G Suite Marketplace apps extend the functionality of G Suite. Because the apps use the Core Google Services API, they are well-integrated with Google products. Apps are reviewed for compliance to G Suite Marketplace requirements.
- OIDC isn't widely adopted by enterprise apps.
Explore the SAML and G Suite Marketplace catalogs. Some apps appear in both catalogs. In that case if you're a G Suite customer and your corporate IT policy supports OIDC, we recommend the G Suite Marketplace app.
If the app you want isn't in either catalog and it supports SAML, install it as a custom SAML app. Note that because custom SAML apps are configured for the organization that installs the apps, they aren't available in the general SAML catalog.
Install the apps that different organizations in your company need, and then assign each app only to the organizations that need it.
Third-party identity providers
If you have a third-party IdP, you can still configure SSO for third-party apps in the Cloud Identity catalog. User authentication occurs in the third-party IdP, and Cloud Identity manages the cloud apps.
To use Cloud Identity for SSO, your users need Cloud Identity accounts. They sign in through your third-party IdP or using a password on their Cloud Identity accounts.
In addition to line of business apps, the employees at Company A use several types of cloud apps in their daily work:
- Collaboration suite
- Messaging and communication
- Customer relationship management (CRM)
- Human resources (HR)
- Customer support
Company A used an on-premise IdP they hosted themselves. To increase security, lower support costs, and boost scalability, they want to move to Cloud Identity as their primary IdP. Employees want the convenience of using a single set of sign-on credentials to access all of their cloud apps. They plan to authenticate all cloud apps against their Google identity using SAML and OIDC.
IT sets up their cloud apps for SSO:
- Make a list of the cloud apps employees use.
- Locate these apps in the G Suite Marketplace or SAML catalog.
- Set up SSO for these apps by turning it on for them one by one.
- Assign the appropriate apps to specific organizations, such as:
- Messaging, HR, and collaboration apps to the top-level organization (so everyone gets them)
- CRM to the sales organization
- Customer support app to Support
Employees sign in to Cloud Identity. Through SSO, they can access the cloud apps they need using their Cloud Identity credentials.
- SSO: Set up SSO with Google as your Identity provider
- Federate Google Cloud Platform with an on-premises Active Directory or with Azure Active Directory
- SAML apps catalog
- OIDC apps catalog: G Suite Marketplace
- G Suite Marketplace app requirements: Application Requirements
- Custom SAML app: Set up your own custom SAML application
- Specify apps for an organization: Set up your own custom SAML application