SSO + network mask domains can now force Google password reset on next login
Thursday, May 23, 2019
However, some G Suite admins in domains with a third-party IdP use a network mask to allow some of their users to log in using their G Suite or Cloud Identity credentials. In such deployments, there may be users who sign in using their G Suite credentials. For these users, admins may want to generate a temporary password and then have the user change it on the next login. This update will help admins of domains that use SSO and a network mask to do this.
- Admins: This update will only impact domains with a SAML IdP configured for SSO and a network mask. To check if you have a network mask, go to Admin console > Security > Network masks and see if there’s information defined.
- Admins at domains with SAML IdP configured for SSO and a network mask can turn on the setting in the Admin console (“Require password change”) or via the Admin SDK (“Do Force password change on Next Login”). Once turned on, it will be enforced for that user’s next login. See the sample screenshot below.
- If your domain has SSO but does not have a network mask configured, then there will be no change. The required password change option will show as OFF and you won’t be able to turn it on. See the sample screenshot below.
G Suite Admin SDK documentation for updating user details
- Rapid Release domains: Available immediately
- Scheduled Release domains: Available immediately
G Suite editions
- Available to all G Suite editions
On/off by default?
- The new setting is automatically available depending on whether or not an SSO domain has a network mask configured.
Stay up to date with G Suite launches