As an administrator, you can use single sign-on (SSO) profiles to control how users authenticate when using Password Sync. How you set it up depends on the number of profile assignments.
You're on step 6 of 7
Step 1: Provide instructions about password changes
- Have users contact you or another admin if they need to reset their managed Google Account password.
For details, visit Set up password recovery for users.
- Create an internal webpage with instructions on how users should change their Windows password and not their managed Google Account password.
Step 2: Set user authentication
- Sign in to your Google Admin console.
  Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Security > Overview.
- Click Set up single sign-on (SSO) with a third party IdP.
- For Manage SSO profile assignments, go to the SSO profile column.
  - If there's only one assignment that relates to SSO profile for organization, go to Option 1 to set authentication by your organization's SSO profile.
  - If there are multiple SSO profiles and at least one assignment that relates to None (Users will sign in with Google), go to Option 2 to set authentication by SSO profile assignments.
    With this option, users who authenticate with SSO or with their Google credentials are directed to your internal webpage to change their Windows password.
Option 1: Set authentication by organization's SSO profile
This setting applies to your users even if you don't turn on SSO for your organization.
- Click SSO profile for your organization.
- For Change password URL, enter the URL of the internal webpage that you created in Step 1 to instruct users about changing their Windows password.
- Click Save.
Option 2: Set authentication by SSO profile assignments
- Click Third-party SSO profile for your organization and note any identity provider (IdP) settings.
- Click SSO with third-party IDPs > Add SAML Profile.
- Create a new SAML profile using the IdP settings that you noted from Third-party SSO profile for your organization.
- For Change password URL, enter the URL of the internal webpage that you created in Step 1 to instruct users about changing their Windows password.
- If there are no additional IdP settings to add, skip the remaining settings.
- Click Save.
- Click Back and change any profile assignments that reference SSO profile for organization to the new SAML profile.
Changes can take up to 24 hours but typically happen more quickly.
- Click Third-party SSO profile for your organization and uncheck the Set up SSO with third-party identity provider box.
- Click Save.
With this option, even if you have no SSO profiles (SSO profile assignments set to None in the Admin console) and turned off the SSO profile for your organization, your users are directed to your internal webpage to change their Windows password.