The sequence of posts describing how to federate from Google to Microsoft Azure AD (SSO) has remained one of the most popular subjects on the site.
However, ever since the process was first described it always came with a warning.
If you turn on SSO it applies to all non-admin accounts in the Google organisation.
Historically the capability to scope SSO to a particular group of users was never provided, it was either ON or OFF for everybody. The IP subnet field gave you some control over testing and rollout but other than that it was all or nothing.
This wasn't too much of an issue for a school operating within a single organisation but for larger Multi-Academy Trust (MATS) that managed dozens of schools under one tenancy it was a bit of a show stopper. In this situation you couldn't turn on SSO for one school without affecting all the others.
However now that SSO profile assignment has arrived as a beta feature, all that has changed.
SSO profile assignment is simple and easy to implement. The standard Single sign-on (SSO) with third-party identity providers (IDPs) dialog in the Security section remains unchanged. You need to fill that in with the same data as before.
What has changed is the fact that once you turn the profile ON this action simply marks the profile as being active from the root OU and provides you with a dialog to update it.
Therefore to fix SSO to a particular OU you need to edit the root entry to turn the feature OFF and then add additional entries at lower OU levels to override the setting and turn it back ON. Basically SSO now operates like all the other Google Apps features and settings.
In the example above SSO is turned OFF at the root and is only active for the Students OU.
Selecting the MANAGE option (above) displays the OU tree with the ability to select and edit the properties of each OU. Those OU’s with overrides set are marked with a grey dot (below)
Removing the settings from an OU is not quite as simple as selecting the REMOVE SCOPE option. You first need to clear the override by selecting INHERIT. The Remove Scope option then removes it from the list shown above.
As well as OU’s Google provides the ability to set SSO based on Groups and Users. This is a particularly useful feature if your OU structure does not map directly to the requirements for SSO.
Like other implementations of groups, assignment to a group or user can only be used to turn the feature ON and not as an exclusion
Conclusion.
Although still a beta feature SSO profile assignment worked exactly as expected in a recent implementation for a multi-site MAT and certainly removed a large amount of risk from the project. All in all, a great new feature that’s been long overdue on the G Suite Admin console.
No comments:
Post a Comment