We previously announced that a new Google Accounts login page, aimed at giving users an improved experience to sign in to their accounts across devices, would start slowly rolling out on April 5, 2017. Based on customer feedback, we’ve decided to push the start of that rollout back to April 10, 2017, so we can further clarify how this change will impact G Suite customers.

What’s changing for all G Suite customers

The Google Accounts login page will have a new look and feel, consistent across computers, phones, and tablets. The rollout will start with a small set of users on April 10 and ramp up slowly over the course of several weeks.

Additional changes for customers not using a third-party SSO provider

In addition to the design changes described above, the new Google Accounts login page will also remove the “Stay signed in” checkbox that at certain times appeared for G Suite customers who did not use a third-party SSO provider.

We learned that users didn’t fully understand the implications of interacting with the "Stay signed in" checkbox across all browsers. To mitigate confusion, we're removing the checkbox and users will remain signed in unless they specifically sign out. When using shared or public devices, we recommend using private browsing windows.

Additional changes for customers using a third-party SSO provider when accessing third-party applications that use OAuth

If you’re using a third-party SSO provider to access Google applications, such as Gmail, Calendar, Drive, etc., your G Suite users will not see any differences apart from the newly designed Google Accounts login page described above.

If you’re using a third-party SSO provider to access third-party applications, your G Suite users will see an additional account selection page when they log in. This page will make it clear to them which account they’re authenticating, as well as the permissions they’re granting to applications.

Your G Suite users will be shown the account selection page either before or after being redirected to the third-party application, depending on whether they’re signed in to their browser and the specific third-party application they’re accessing.

Please refer to the FAQ below for more details on when the account selection page will be shown.

Additional questions are addressed in the FAQ below.

-- Frequently Asked Questions --

If you’re a G Suite customer whose identity provider is Google, the only change you’ll see is the redesigned Google Accounts login page.

All third-party SSO providers, including Active Directory Federation Services (ADFS) SSO, will use this new Google Accounts login flow.

The account selection page will not be shown in either of these cases:

- when G Suite users are accessing Google applications such as Gmail, Calendar, Drive, etc.
- if you don’t use a third-party SSO provider.

For customers using third-party SSO providers and accessing third-party applications, the account selection page will be shown in the situations below.

- G Suite users will simply be required to confirm the G Suite account that they would like to use before being redirected to the third-party SSO provider, as illustrated in the post above.
- If the third-party application has set the hosted domain (“hd”) parameter, the user will be redirected to the third-party SSO provider and the account selection page will be shown with the G Suite account that is returned.
- If the third-party application has not set the "hd" parameter, the user must enter the account they would like to use prior to being redirected to the third-party SSO provider.

For more details on the “hd” parameter, please refer to the Google Developers Blog post or reference the developer documentation directly.

After being prompted to confirm the correct Google account and granting the requested permissions upon initial login, only the account selection page will be shown again upon subsequent login attempts.

SAML is an authentication-only protocol, and SAML apps do not ask for “extra permissions” from the user. If you have third-party SAML-based applications so that your users can use their G Suite credentials to sign in to enterprise cloud applications like Salesforce, Concur, and Zendesk, the only change resulting from this launch will be that the new account selection screen will be shown.

G Suite accounts can be removed from the account selection page by clicking the “Remove an account” link.

Yes, newer versions of all supported browsers will have this change applied, including Chrome, Firefox, IE, Edge, Safari, and Opera.

Users of older browsers or those browsers that do not have JavaScript enabled will temporarily continue to see the old Google Accounts login page.

The rollout will start on Monday, April 10, to a small set of users. It will ramp up slowly over the course of several weeks.
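
For developers of the third-party applications mentioned in the FAQ, here is an added example (not part of the original post and not Google's code) of setting the "hd" parameter on the authorization request and then checking the "hd" claim in the returned ID token. Because "hd" in the request only streamlines the sign-in page, the domain decision is made on the token's claim. The client ID, redirect URI and sample claims are constructed placeholders, and the ID token's signature, expiry and nonce are assumed to have been verified already by an OpenID Connect library.

```python
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

def build_auth_url(client_id, redirect_uri, state, nonce, hosted_domain=None):
    """Build the authorization request; "hd" is only a sign-in UI hint."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
    }
    if hosted_domain:
        params["hd"] = hosted_domain
    return AUTH_ENDPOINT + "?" + urlencode(params)

def check_hosted_domain(claims, client_id, expected_domain):
    """Return (ok, reason) for ID token claims whose signature is ALREADY verified.
    A user can edit or drop "hd" in the request URL, so the access decision
    rests on the "hd" claim inside the ID token instead."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    if claims.get("aud") != client_id:
        return False, "token issued for a different client"
    hd = claims.get("hd")
    if not hd:
        # Consumer accounts (e.g. gmail.com) carry no "hd" claim at all.
        return False, "no hd claim: not a G Suite account"
    if hd.lower() != expected_domain.lower():
        return False, "hd claim is for another domain"
    return True, "ok"

# Constructed sample values (placeholders, not real credentials or tokens).
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
ISS = "https://accounts.google.com"
SAMPLE_CLAIMS = [
    {"iss": ISS, "aud": CLIENT_ID, "email": "ann@example.com", "hd": "example.com"},
    {"iss": ISS, "aud": CLIENT_ID, "email": "bob@gmail.com"},
    {"iss": ISS, "aud": CLIENT_ID, "email": "eve@other.example", "hd": "other.example"},
]

if __name__ == "__main__":
    print(build_auth_url(CLIENT_ID, "https://app.example/callback", "s1", "n1", "example.com"))
    for c in SAMPLE_CLAIMS:
        print(c["email"], check_hosted_domain(c, CLIENT_ID, "example.com"))
```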