Context-Aware Access for SAML apps available in beta
Monday, April 27, 2020
Context-Aware Access (CAA) for SAML apps will work for customers that use Google as the primary identity provider (IdP) to enable access to third-party apps from pre-integrated SAML apps or custom SAML apps. It’s available to G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, and Drive Enterprise customers only. See our post on the Cloud Blog to learn how this and other launches can help G Suite customers stay secure.
- Only allow access to your CRM app when the user is on the corporate network.
- Only allow access to a cloud storage app if the user has an up-to-date operating system and an encrypted device.
- Only permit IT admins to access certain tools from a remote location.
- Only permit users in a specific country to access certain apps.
Builds on the CAA for G Suite infrastructure
CAA for SAML apps is controlled through the same infrastructure and admin console interface as CAA for G Suite. That means you can reuse any pre-configured access levels, user groups, and end-user messaging for CAA with SAML apps. Use our Help Center to find out more about managing Context-Aware Access in G Suite.
CAA for SAML only enforced at time of sign-in
CAA for SAML apps is only enforced at the time of sign-in. This is different from CAA for G Suite applications, which offers a higher level of control. G Suite applications are built by Google, and CAA controls are enabled for continuous evaluation of context (IP, device attribute, etc.) during use. As SAML apps are non-Google applications using Google sign-in, we’re only able to evaluate context at the point where a user signs in to these applications using Google sign-in. After that sign-in, the context is not evaluated again until the session is terminated and the user tries to sign in again with Google.
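The difference between the two enforcement models can be made concrete with a small simulation. This is an added example, not Google's code: the access level, the function names, the fixed 480-minute SAML app session lifetime and the event timeline are all constructed assumptions. It lists the requests that a sign-in-only check lets through even though the context no longer meets the access level.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    on_corp_network: bool
    device_encrypted: bool

def access_level_ok(ctx):
    # Hypothetical access level: corporate network AND encrypted device.
    return ctx.on_corp_network and ctx.device_encrypted

def decide(events, session_minutes, continuous):
    """Return one allow/deny decision per (minute, Context) request."""
    decisions, expires = [], None
    for minute, ctx in events:
        if continuous:
            # Context is re-evaluated on every request.
            decisions.append(access_level_ok(ctx))
        elif expires is None or minute >= expires:
            # No live app session: the user goes through IdP sign-in,
            # which is the only point where context is evaluated.
            ok = access_level_ok(ctx)
            expires = minute + session_minutes if ok else None
            decisions.append(ok)
        else:
            # Live app session: context is not looked at again.
            decisions.append(True)
    return decisions

def stale_grants(events, session_minutes):
    """Minutes at which sign-in-only enforcement allows a request that
    continuous evaluation would have denied."""
    once = decide(events, session_minutes, continuous=False)
    cont = decide(events, session_minutes, continuous=True)
    return [m for (m, _), a, b in zip(events, once, cont) if a and not b]

# Constructed timeline: user signs in at the office, then leaves.
OFFICE = Context(on_corp_network=True, device_encrypted=True)
REMOTE = Context(on_corp_network=False, device_encrypted=True)
EVENTS = [(0, OFFICE), (30, REMOTE), (90, REMOTE), (500, REMOTE), (510, OFFICE)]
SESSION_MINUTES = 480  # assumed lifetime of the SAML app's own session

if __name__ == "__main__":
    print("sign-in only:", decide(EVENTS, SESSION_MINUTES, continuous=False))
    print("continuous:  ", decide(EVENTS, SESSION_MINUTES, continuous=True))
    print("stale grants at minutes:", stale_grants(EVENTS, SESSION_MINUTES))
```

In this model the exposure window is bounded by the SAML app's session lifetime, so shortening that lifetime in the app narrows the gap between a context change and the next evaluation.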
- Admins: This is an open beta, so the controls will automatically become available to you if you are a G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, or Drive Enterprise customer.
- End users: No end-user impact until turned on by the admin.
- Available to G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, and Drive Enterprise customers.
- Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers.