This article aims to help Admins who may encounter issues with Google Workspace/G-Suite Single Sign-On (SSO) Security Assertion Markup Language (SAML) login, like:
- Google is not redirecting users to Okta for authentication and allowing them to log in directly.
- Users created in Google Workspace attempting to log into the Google account directly are being redirected to the Okta login page.
- G-Suite
- SP initiated flow
- Single Sign On (SSO)
- Network Masks
- Google Organizational Units (OUs)
- Okta Classic Engine
G-Suite has a concept of "Network Masks", which determines which IP addresses are affected by the SSO process.
A misconfigured network mask may prevent users from being redirected to Okta, or may require all users in the IP range to log in through Okta.
Another cause is that the users experiencing login issues are not members of the Google OU configured to redirect to Okta for authentication. This can be checked by logging in to the Google Admin Center > Authentication > SSO with third-party IdP > Manage SSO profile assignments.
To resolve the login issues, follow the steps below:
1. Navigate to G-Suite's admin console using the administrative account.
2. Click on Security.
3. Scroll down and click on Set up single sign-on (SSO) with a third party IdP.
4. Scroll down to Network Masks and verify that the proper IP address was configured. An incorrect IP address will prevent users from getting redirected to Okta's login page.
5. If Step 4 is correct, add the user to the OU configured at Manage SSO profile assignments.
NOTE: If the issue continues, please contact the Google Workspace team to determine why it is not directing users to Okta for authentication.
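The Network Masks check described above can be scripted before touching the admin console. The following is an added example, not code from this article, Okta, or Google: it lints a mask value and tests whether a given client IP falls inside it. It assumes the field holds a semicolon-separated list of CIDR blocks; the function names and all sample values are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges: Google only ever sees a user's public egress address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of a Network Masks field (assumed semicolon-separated CIDR).
SAMPLE_MASKS = "198.51.100.77/24; 10.20.0.0/16; 203.0.113.5; office-vpn"


def parse_masks(mask_field):
    """Return (networks, warnings) for a Network Masks field value."""
    networks, warnings = [], []
    for raw in (part.strip() for part in mask_field.split(";")):
        if not raw:
            continue
        try:
            iface = ipaddress.ip_interface(raw)
        except ValueError:
            warnings.append(f"{raw}: not an IP address or CIDR block")
            continue
        net = iface.network
        if iface.ip != net.network_address:
            warnings.append(f"{raw}: host bits set, mask covers all of {net}")
        if net.prefixlen == 0:
            warnings.append(f"{raw}: matches every address")
        if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
            warnings.append(f"{raw}: private range, never matches a public egress IP")
        networks.append(net)
    return networks, warnings


def in_sso_scope(client_ip, networks):
    """True if the client's public IP falls inside any configured mask."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    nets, warns = parse_masks(SAMPLE_MASKS)
    for w in warns:
        print("WARN", w)
    for ip in ("198.51.100.200", "203.0.113.5", "203.0.113.6"):  # constructed client IPs
        print(ip, "inside mask" if in_sso_scope(ip, nets) else "outside mask")
```

Run it with the value copied from the Network Masks field and the public IP the affected user connects from; any warning, or an unexpected inside/outside result, points at the mask rather than the OU assignment.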
