Single sign-on for super administrators is only supported if you use the legacy SSO profile, and only in some cases (see below). It's not supported by the newer SSO profiles.
Allowing SSO by super admins has both benefits and risks. Having all users (including admins) authenticate via SSO keeps credential management in one place and minimizes the surface area in which user credentials are handled. But if your IdP is compromised, an attacker can then access the Google Admin console and every aspect of your organization's account.
To reduce this risk, if you enable SSO for super admins, we recommend you also enable 2-Step Verification for super admins at both your IdP and with Google.
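The recommendation above is only as good as your ability to verify it. The following is an added example, not code from the help page or from Google: it audits super admin accounts for 2-Step Verification enrollment and enforcement, working on user records in the shape returned by the Admin SDK Directory API users.list call (fields primaryEmail, isAdmin, isDelegatedAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv, suspended). The user records below are constructed sample data; in practice you would feed it the result of a query such as users.list(customer='my_customer', query='isAdmin=true') (assumed call, not executed here).

```python
"""Audit super admins for 2-Step Verification (2SV) enrollment and enforcement.

Added example, not part of the help page. It assumes user records shaped like
the Admin SDK Directory API users.list response. isAdmin marks super admins;
isDelegatedAdmin marks delegated (non-super) admins and is ignored here.
"""
from dataclasses import dataclass

# Constructed sample data, not real accounts.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "bob@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "carol@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "dave@example.com", "isAdmin": False, "isDelegatedAdmin": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "old-admin@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
]


@dataclass(frozen=True)
class Finding:
    email: str
    enrolled: bool
    enforced: bool

    @property
    def severity(self) -> str:
        # Not enrolled at all: the account can be taken over with the password alone.
        # Enrolled but not enforced: the user can switch 2SV off again.
        return "high" if not self.enrolled else "medium"


def audit_super_admins(users, include_suspended=False):
    """Return a Finding for every super admin lacking enrolled *and* enforced 2SV.

    Delegated admins are skipped (they are not super admins). Suspended accounts
    are skipped unless include_suspended is set, since they cannot sign in but
    may be reactivated later.
    """
    findings = []
    for user in users:
        if not user.get("isAdmin"):
            continue
        if user.get("suspended") and not include_suspended:
            continue
        enrolled = bool(user.get("isEnrolledIn2Sv"))
        enforced = bool(user.get("isEnforcedIn2Sv"))
        if enrolled and enforced:
            continue
        findings.append(Finding(user["primaryEmail"].lower(), enrolled, enforced))
    return sorted(findings, key=lambda f: f.email)


def summarize(findings):
    """Count findings per severity so the result can drive an alert threshold."""
    counts = {"high": 0, "medium": 0}
    for finding in findings:
        counts[finding.severity] += 1
    return counts


if __name__ == "__main__":
    for finding in audit_super_admins(SAMPLE_USERS):
        print(f"{finding.severity:6} {finding.email} "
              f"enrolled={finding.enrolled} enforced={finding.enforced}")
    print(summarize(audit_super_admins(SAMPLE_USERS)))
```

The check distinguishes "enrolled" from "enforced" on purpose: a super admin who enrolled voluntarily can also unenroll, so only an enforced policy (at Google and, separately, at your IdP) closes the gap the paragraph above describes.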
How to disable super admin SSO
To disable super admin SSO, use the newer SSO profiles. To migrate from the legacy SSO profile to SSO profiles, follow these instructions.
When super admins can sign in with SSO
If you're using the legacy SSO profile, super admins can sign in with SSO in these cases:
- The Domain-specific Service URLs setting is set to automatically redirect users to the third-party IdP.
- When the super administrator sign-in is initiated by the IdP (IdP-initiated SSO).
- If a super administrator initially signs in to Google using a non-super administrator account and then provides their super administrator credentials when redirected to the IdP. In this case, Google will accept the super admin identity assertion from the IdP.
When super admins can't sign in with SSO
Even when using the legacy SSO profile, super admins can't sign in with SSO in these cases:
Admin console
When super administrators try to sign in to an SSO-enabled domain via admin.google.com, they must enter their full Google administrator account email address and associated Google password (not their SSO username and password), and click Sign in to directly access the Admin console. Google doesn't redirect them to the SSO sign-in page.
Google Drive synchronization client
When super administrators sign in to the Google Drive synchronization client, they bypass SSO—Google does not redirect them to the SSO sign-in page. This applies to sign-in attempts from browsers, mobile apps (such as the iOS Drive and Gmail apps), the Android account activation flow, and so forth.
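Because super admins keep a working Google password and can reach the Admin console without the IdP, a practical control is to watch for super admin sign-ins that did not go through SSO. The following is an added example, not code from the help page or from Google. It assumes Login audit records in the shape returned by the Admin SDK Reports API (activities.list with applicationName="login"), where a login_success event carries a login_type parameter whose value is "saml" for IdP sign-ins and "google_password" for sign-ins with the Google password. The list of super admins and the events below are constructed sample data.

```python
"""Flag super admin sign-ins that bypassed the IdP.

Added example, not part of the help page. Assumes Reports API Login audit
activity records: {"id": {"time": ...}, "actor": {"email": ...},
"events": [{"name": "login_success", "parameters": [{"name": "login_type",
"value": ...}]}]}. Anything that is not login_type "saml" is reported.
"""

# Constructed sample data: who the super admins are and a handful of events.
SUPER_ADMINS = {"alice@example.com", "bob@example.com"}


def _activity(time, email, name, login_type=None):
    params = [] if login_type is None else [{"name": "login_type", "value": login_type}]
    return {"id": {"time": time}, "actor": {"email": email},
            "events": [{"type": "login", "name": name, "parameters": params}]}


SAMPLE_ACTIVITIES = [
    _activity("2024-05-01T08:00:00.000Z", "alice@example.com", "login_success", "saml"),
    _activity("2024-05-01T08:05:00.000Z", "alice@example.com", "login_success", "google_password"),
    _activity("2024-05-01T08:10:00.000Z", "carol@example.com", "login_success", "google_password"),
    _activity("2024-05-01T08:15:00.000Z", "bob@example.com", "login_failure", "google_password"),
    _activity("2024-05-01T08:20:00.000Z", "Bob@example.com", "login_success"),
]


def _param(event, name):
    """Return the value of a named event parameter, or None if absent."""
    for param in event.get("parameters", []):
        if param.get("name") == name:
            return param.get("value")
    return None


def non_sso_admin_logins(activities, super_admins):
    """Return (time, email, login_type) for each successful super admin
    sign-in whose login_type is not "saml".

    Only login_success events count: failed attempts are noise for this rule.
    A missing login_type is reported as "unknown" rather than ignored, so a
    schema surprise does not silently hide a bypass.
    """
    admins = {a.lower() for a in super_admins}
    findings = []
    for activity in activities:
        email = activity.get("actor", {}).get("email", "").lower()
        if email not in admins:
            continue
        for event in activity.get("events", []):
            if event.get("name") != "login_success":
                continue
            login_type = _param(event, "login_type") or "unknown"
            if login_type != "saml":
                findings.append((activity["id"]["time"], email, login_type))
    return findings


if __name__ == "__main__":
    for time, email, login_type in non_sso_admin_logins(SAMPLE_ACTIVITIES, SUPER_ADMINS):
        print(f"{time} {email} signed in without SSO (login_type={login_type})")
```

A password sign-in by a super admin is expected on admin.google.com, so this rule is for review rather than blocking: compare each hit against the admin's own IdP sign-ins and against the 2-Step Verification status of the account.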