As an admin, you can use these security best practices when integrating Google Workspace with third-party identity providers (IdPs) to connect to Security Assertion Markup Language (SAML) applications.
Best practices for your third-party IdP configuration
- Maintain good password policies, and enforce strong passwords.
- Implement 2-Step Verification (2SV). Google 2SV doesn't integrate with third-party identity providers (IdPs), so implement 2SV on the IdP side.
- Recommend security keys where possible, and recommend mobile app-based solutions over text messages.
Best practices for your Google Workspace configuration
- Disable user access to less secure apps. See Control access to less secure apps. By design, Internet Message Access Protocol (IMAP) and Simple Mail Transfer Protocol (SMTP) don’t offer the level of security that the Google web and OAuth login flows do.
- Disable Post Office Protocol (POP) or Internet Message Access Protocol (IMAP) access. See Turn POP and IMAP off for users.
- If users have IMAP, POP, or SMTP clients, those clients should support the OAuth 2.0 mechanism.
- If users have Microsoft Outlook, they should use Google Workspace Sync for Microsoft Outlook.
- Maintain strong passwords for Google Workspace accounts. These passwords are less likely to be used, so they may represent an attack surface. See Manage your users' password settings.
Best practices for your user devices
- Practice good cookie management. Google uses cookies to establish the relationship of a user to a device. Clear cookies or log out only when the device can no longer be associated with that user.
- Use Google mobile apps. In addition to providing the best user experience, these apps offer security protections.
- Update to the latest operating system version and security patches. To ensure the best protection for your users' mobile devices, tell them to accept the latest updates and security patches.