Okta Classic Engine | Okta Integration Network | Answered | 2024-04-17T11:26:08.000Z | 2015-10-12T20:31:46.000Z | 2016-03-02T14:45:11.000Z
Enable SAML for Google Apps for subset of users
Greetings All,

 

I'm looking to set up Google Apps for Education and enable SAML as the authentication method. From what I've read, it seems once it's enabled it will apply to all users of the entire Google Apps domain. Is this correct?

 

If so, are there any phased rollout suggestions? Ideally what I want to do is roll this out to a subset of students strictly, teachers/staff not included, to test out functionality and get an understanding of login behavior to educate the students. Then once all is confirmed, roll it out to the rest of the student population. Again, teachers will not be a part of the Okta/Google Apps rollout for now.

 

Is there a way to accomplish this, or is SWA the only way to go about this method of rollout?

 

Thanks in advance to all who answer/provide suggestions.

 

Tony

igav0 likes this.
  • Tony, 

     

    The phased rollout can be achieved if you have IP address subnet separation between entities. You can then apply the SAML configuration to a specific subset.

     

    You can find the details in our Google Apps Deployment Guide at this link: https://support.okta.com/help/articles/Knowledge_Article/Google-Apps-Deployment-Guide

     

    JT

    JT Stofer, Sr. Technical Consultant, Okta
  • Jonathan Winn (Tarmac)

    Hi Tony

     

    We have had the exact same issues when planning rollout to 5000 users. Google doesn't have the flexibility to opt certain users out - only, as JT mentioned, via subnets. To minimise the impact of the rollout, we asked everyone to pre-register with Okta so that they were all set up with MFA, etc. This enabled Okta password sync to do its stuff to align the password with AD ahead of the switch-on. At go-live, it was a simple tick in the box in the Google Admin console and an update to the Okta config to show the icons to the users. This significantly reduced the impact at go-live.

     

    We have feature-requested the ability to exclude certain users from SSO in Google, but I doubt it will come anytime soon!

     

    Jonathan
  • efac2 (efac2)

    Greetings JT and Jonathan,

     

    To JT - I appreciate the reply, but your suggestion may not align with my deployment since all users are at the same site/external IP.

     

    To Jonathan - I appreciate the reply. I like the staging and early user education for the pending change.

     

    This rollout is a bit of a challenge since it's a school and the scope is for students currently, since account management is always a task. Teachers are being omitted for now, but naturally both students and teachers are onsite and access the same Google Apps domain from the same site/external IP.

     

    I'm leaning towards SWA so Okta can at least be used and gain comfort/adoption. Then, during a longer break, potentially change from SWA to SAML.

     

    If there are any other comments/suggestions, I'm open to feedback.

     

    Best,

    Tony
This question is closed.