Tony Pascual

Enable SAML for Google Apps for subset of users

Greetings All,

I'm looking to set up Google Apps for Education and enable SAML as the authentication method. From what I've read, it seems once it's enabled it will apply to all users of the entire Google Apps domain. Is this correct?

If so, are there any phased rollout suggestions? Ideally, what I want to do is roll this out to a subset of students strictly, teachers/staff not included, to test out functionality and get an understanding of login behavior to educate the students. Then, once all is confirmed, roll it out to the rest of the student population. Again, teachers will not be a part of the Okta/Google Apps rollout for now.

Is there a way to accomplish this, or is SWA the only way to go about this method of rollout?

Thanks in advance to all who answer/provide suggestions.

Tony 
JT Stofer (Okta, Inc.)
Tony, 

The phased rollout can be achieved if you have IP address subnet separation between entities. You can then apply the SAML configuration to a specific subset.

You can find the details in our Google Apps Deployment Guide at this link: https://support.okta.com/help/articles/Knowledge_Article/Google-Apps-Deployment-Guide

JT
JT Stofer, Sr. Technical Consultant, Okta
Jonathan Winn
Hi Tony

We have had the exact same issues when planning rollout to 5000 users. Google doesn't have the flexibility to opt certain users out - only, as JT mentioned, via Subnets. To minimise the impact of the rollout, we asked everyone to pre-register with Okta so that they were all set up with MFA, etc. This enabled Okta password sync to do its stuff to align the password with AD ahead of the switch on. At go-live, it was a simple tick in the box in the Google Admin console and update the Okta config to show the icons to the users. This significantly reduced the impact at go-live.

We have feature requested the ability to exclude certain users from SSO in Google but I doubt it will come anytime soon!

Jonathan 
Tony Pascual
Greetings JT and Jonathan,

To JT - I appreciate the reply, but your suggestion may not align for my deployment since all users are at the same site/external IP.

To Jonathan - I appreciate the reply. I like the staging and early user education for the pending change.

This rollout is a bit of a challenge since it's a school and scope is for students currently, since account management is always a task. Teachers are being omitted for now, but naturally both students and teachers are onsite and access the same Google Apps domain from the same site/external IP.

I'm leaning towards SWA so Okta can at least be used, gain comfort/adoption.  Then during a longer break potentially change from SWA to SAML. 

If there are any other comments/suggestions, I'm open to feedback.

Best,
Tony