Enable SSO for cloud apps

Business problem

Enterprise companies are using cloud applications at an ever increasing pace.
By extending Single Sign-On (SSO) to cloud apps, employees can use their corporate credentials to sign into software as a service (SaaS) apps or in-house apps that are hosted in the cloud.

SSO provides a single point of authentication through an Identity provider (IdP). Users can access third-party cloud apps but their credentials aren't stored with the third party, and in many cases there aren't credentials for the third-party apps.

Your company wants to increase security by enforcing SSO, while still giving users the convenience of a single set of credentials. Access to all cloud apps at your company must be authenticated by an IdP.

Solutions

To provide users SSO-based access to selected cloud apps, Cloud Identity, acting as your IdP, supports the OpenID Connect (OIDC) and Security Assertion Markup Language 2.0 (SAML) protocols.

Cloud Identity has a large catalog of SAML apps. G Suite users can get OIDC apps in the G Suite Marketplace. While most cloud apps only support one of these protocols, a few support both.

SAML catalog apps

Advantages

  • SAML is well-established in the enterprise.
  • Only admins can install the apps so they control which apps are available to employees.
  • The third-party SaaS provider and Google work together on the connector, and Google validates apps in the catalog.
  • Installation is quick and smooth.

Disadvantages

  • Setting up a SAML app is a bit more work than setting up an OIDC app.
  • Not all enterprise apps support SAML, and some enterprise apps charge more for SAML features.

OIDC G Suite Marketplace apps

Advantages

  • OIDC is a more lightweight, modern protocol than SAML.
  • Admins and users can install the apps, but users can only install apps the admin has whitelisted.
  • G Suite Marketplace apps extend the functionality of G Suite. Because the apps use the Core Google Services API, they are well-integrated with Google products. Apps are reviewed for compliance to G Suite Marketplace requirements.

Disadvantage

  • OIDC isn't widely adopted by enterprise apps.

Recommendations

Explore the SAML and G Suite Marketplace catalogs. Some apps are in both catalogs. In that case, if you're a G Suite customer and your corporate IT policy supports OIDC, we recommend the G Suite Marketplace app.

If the app you want isn't in either catalog and it supports SAML, install it as a custom SAML app. Note that because custom SAML apps are configured for the organization that installs them, they aren't available in the general SAML catalog.

Install the apps that different organizations in your company need, and then assign each app only to the organizations that need it.

Third-party Identity providers

If you have a third-party IdP, you can still configure SSO for third-party apps in the Cloud Identity catalog. In this case, user authentication occurs in the third-party IdP, and Cloud Identity manages the cloud apps.

To use Cloud Identity for SSO, your users need Cloud Identity accounts. They sign in through your third-party IdP or using a password on their Cloud Identity accounts.

Example

In addition to line-of-business applications, the employees at Company A use several types of cloud apps in their daily work:

  • Collaboration suite
  • Messaging and communication
  • Conferencing
  • Customer relationship management (CRM)
  • Human resources (HR)
  • Customer support

Company A had an on-premises IdP that they hosted themselves. To gain increased security, lower support costs, and scalability, they want to move to Cloud Identity as their primary IdP. Employees want the convenience of using a single set of sign-on credentials to access all of their cloud apps. They plan to authenticate all cloud apps against their Google identity using SAML and OIDC.

IT sets up their cloud apps for SSO:

  • Make a list of the cloud apps their employees are using.
  • Locate these apps in the G Suite Marketplace or SAML catalog.
  • Set up SSO for these apps by turning on SSO for them one by one.
  • Assign the appropriate apps to specific organizations, such as:
    • Messaging, HR, and collaboration apps to the top-level organization so everyone gets them.
    • CRM to the sales organization.
    • Customer support app to Support.

Security key enforcement varies by organization.

Employees sign into Cloud Identity. Through SSO, they can access the cloud apps they need using their Cloud Identity credentials.

Sign in to cloud apps through SSO.