3rd party SSO integration

Google Workspace offers SSO integration with third-party identity providers. Great! Enabling it is a breeze. The only problem is that the enablement flow lacks any logic. Let me explain why.

Take the scenario where you want to enable SSO in a production environment. That means you want to test it beforehand, and you may even want to roll it out in phases so that the IT service desk does not get too many concerned users asking about the new login method.

The good thing is that in late 2021 Google introduced the capability to assign the SSO configuration per OU or Google Group. Great! https://workspaceupdates.googleblog.com/2021/11/saml-partial-sso-generally-available.html

Based on the title, you would expect the SSO configuration to be set at the root of the domain and then adjusted for specific Groups or OUs, just as you would do for any other setting in Google Workspace.


But hey, why would Google admins want consistency? Why would we use a proven (and liked) approach? Let's take on a challenge and do this implementation a bit differently. I am not sure what the Google team was thinking, but it went for a very different approach.

What Google implemented is that you first have to enable the SSO profile for your whole organisation. Only after it is enabled can you start 'Managing the SSO profile assignment', as you can see in the screenshot below. While the SSO profile is not yet enabled, the 'Manage SSO profile assignment' section, where you disable the SSO profile for some OUs or Groups, cannot be configured.

As a result, you first have to enable it for everyone in your organisation, and only then can you start switching it off for specific OUs or Groups. If you need to disable it during implementation for many OUs, those users will have the wrong configuration (and will not be able to log in) during your change window. That is a bad experience for users.

A very non-Googly flow for configuring SSO per OU or Group. Why is it designed so that users will always have downtime during the implementation?


Dear Google,

Please reconsider the implementation logic for your customers.  

Thank you!
