For managed ChromeOS devices.
As an admin, you can integrate Chrome Enterprise with third-party identity providers (IdPs) to let users sign in to managed ChromeOS devices by tapping their badge, instead of having to enter their username and password.
What you need
To let third-party IdPs use badge authentication on ChromeOS devices, you need:
- ChromeOS or ChromeOS Flex devices running ChromeOS version 119 or later.
- Chrome Enterprise Upgrade for each device you want to manage.
- Third-party IdP that supports badge-based authentication, and admin-level access to that IdP to configure it. Preferred partners:
- AUTHX (+ rf IDEAS readers)
- Ilex (+ HID readers)
- Badge reader supported by ChromeOS and your chosen third-party IdP. View the list of ChromeOS-supported readers in Verified rf IDEAS badge readers below.
- Organizational units that contain the ChromeOS devices and the user accounts. Devices and users don't need to be in the same organizational unit, but the organizational units they belong to must be configured the same way; if they are not, authentication fails.
- Publicly trusted Certificate Authority (CA) for the third-party IdP's domain. On the sign-in screen, ChromeOS trusts the CAs that are publicly trusted for the web, so the IdP's TLS certificate must chain to one of them. View the list of currently trusted CA certificates.
Single frequency 125 kHz.
Models starting with:
- RDR-60 = IMP-60 = IMP-NV60
- RDR-62
- RDR-63
- RDR-64
- RDR-67
- RDR-69
- RDR-6C
- RDR-6E
- RDR-6G
- RDR-6H
- RDR-6N
- RDR-6T
- RDR-6Z
Single frequency 13.56 MHz.
Models starting with:
- RDR-70
- RDR-75 = IMP-75 = IMP-NV75
- RDR-7F
- RDR-7L
Dual frequency 125 kHz and 13.56 MHz.
Models starting with:
- RDR-805 = IMP-80
- RDR-800 = IMP-82
- RDR-305 = IMP-80-BLE
- RDR-300 = IMP-82-BLE
- RDR-80M (currently not configurable via the Imprivata Admin Console)
KSI
- KSI-1700
- KSI-1900
PC/SC readers (these require the additional Smart Card Connector configuration described in Step 2).
- IMP-MFR-75
- HID OMNIKEY 5022
- HID OMNIKEY 5023
- HID OMNIKEY 5025 CL
- HID OMNIKEY 5427 CK
- HID OMNIKEY 5422
How to
We recommend that first you apply settings to a small number of devices and users in a test organizational unit. Then, after you verify that devices are working correctly, you can apply them to your entire organization.
Note: Badge-based authentication into a user session with a super admin account is blocked. In general, super admins can't use SAML SSO for authentication.
Step 1: Install and configure Identity Card Connector extension
- Sign in with an administrator account to the Google Admin console. If you aren't using an administrator account, you can't access the Admin console.
- Go to Menu > Devices > Chrome > Apps & extensions > Users & browsers. If you signed up for Chrome Browser Cloud Management, go to Menu > Chrome browser > Apps & extensions > Users & browsers.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- Add Identity Card Connector extension:
- Click Add > Add from Chrome Web Store.
- In the search box, enter the extension ID agicampiiinkgdgceoknnjecpoamgigi and press Enter.
- In the list, find and click Identity Card Connector extension.
- Click Select.
- Click Add.
- Configure in-session policies. In the side panel that automatically opens when you install Identity Card Connector extension:
- Under Installation policy, select Force install.
- Under Policy for extensions, add or upload the extension policy using valid JSON format. Here is example JSON data that shows how to configure the extension for the main badge authentication flow. For details about the policies you can set, see table below.
- Click Save.
- Configure sign-in screen policies.
- Open the Login screen for apps and extensions page.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- In the list, find Identity Card Connector extension.
- For Installation policy, select Installed.
- In the list, click Identity Card Connector extension. A side panel opens where you can see additional details and configure policies.
- Under Policy for extensions, add or upload the extension policy using valid JSON format. Here is example JSON data that shows how to configure the extension for the main badge authentication flow. For details about the policies you can set, see table below.
- Click Save.
Step 2: Configure Smart Card Connector app or WebHID policies
PC/SC readers: Configure Smart Card Connector app
For Personal Computer Smart Card (PC/SC) readers, such as HID readers, you'll need to install and configure Smart Card Connector app.
- Go to Menu > Devices > Chrome > Apps & extensions > Users & browsers. If you signed up for Chrome Browser Cloud Management, go to Menu > Chrome browser > Apps & extensions > Users & browsers.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- Add Smart Card Connector app:
- Click Add > Add from Chrome Web Store.
- In the search box, enter the app ID khpfeaanjngmcnplbdlpegiifgpfgdco and press Enter.
- Find and click Smart Card Connector app.
- Click Select.
- Click Add.
- Configure in-session policies. In the side panel that automatically opens when you install Smart Card Connector app:
- Under Installation policy, select Force install.
- Under Policy for extensions, add or upload the extension policy using valid JSON format. Here is example JSON data that allowlists Identity Card Connector extension to access Smart Card Connector app.
- Click Save.
- Configure sign-in screen policies:
- Open the Login screen for apps and extensions page.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- In the list, find Smart Card Connector app.
- For Installation policy, click Installed.
- In the list, click Smart Card Connector app. A side panel opens where you can see additional details and configure policies.
- Under Policy for extensions, add or upload the extension policy using valid JSON format. Here is example JSON data that allowlists Identity Card Connector extension to access Smart Card Connector app.
- Click Save.
Non-PC/SC readers: Configure WebHID policies
For non-PC/SC readers, you don’t need the Smart Card Connector app. Instead, you'll need to configure WebHID policies.
Configure the policies with the IdP's URL, such as https://my-idp.local/sso/login, and that page is automatically granted permission (with no user prompt) to access HID devices with the given USB vendor and product IDs, such as 0c27:3b1e.
- Go to Menu > Devices > Chrome > Settings. Requires having the Mobile Device Management administrator privilege.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- Go to Hardware.
- Click WebHID API allowed devices.
- Add HID devices that can be automatically accessed via the WebHID API. For details about the setting, go to Set Chrome policies for users or browsers.
- Click Save.
- Go to Menu > Devices > Chrome > Settings > Device settings. Requires having the Mobile Device Management administrator privilege.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- Go to Sign-in settings.
- Click WebHID API allowed devices on sign-in screen.
- Add HID devices that can be automatically accessed via the WebHID API on the device's sign-in screen. For details about the setting, go to Set ChromeOS device policies.
- Click Save.
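The two WebHID settings above correspond to the WebHidAllowDevicesForUrls policy (in session) and its sign-in screen counterpart, whose values are a list of device IDs paired with the URLs that may use them. The following is an added example, not Google's code and not from this article: it builds that value from the IdP URL and the reader's USB vendor:product pair. It assumes the documented policy shape, [{ "devices": [{ "vendor_id", "product_id" }], "urls": [...] }] with the IDs as decimal integers; the IdP URL and the ID 0c27:3b1e are the ones quoted above, and the second reader ID 1234:5678 is made up for illustration.

```javascript
// Added example (not from the Google Admin Help article and not Google's code):
// builds the value of the WebHidAllowDevicesForUrls policy, which is what the
// "WebHID API allowed devices" settings correspond to (the sign-in screen
// setting takes the same shape). Assumptions: the documented policy format
// [{ "devices": [{ "vendor_id", "product_id" }], "urls": [...] }] with the IDs as
// decimal integers; the IdP URL and reader ID 0c27:3b1e are quoted from the
// article, the second reader ID (1234:5678) is made up for illustration.

// Parse "vvvv:pppp" as printed by lsusb (hex) into the decimal integers the policy expects.
function parseUsbId(id) {
  const m = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(id.trim());
  if (!m) throw new Error(`invalid USB id "${id}", expected vvvv:pppp in hex`);
  return { vendor_id: parseInt(m[1], 16), product_id: parseInt(m[2], 16) };
}

// Only the IdP page that drives the reader should get prompt-free access; insist on
// https so that a plain-http typo does not hand badge reads to an unauthenticated origin.
function checkIdpUrl(url) {
  const u = new URL(url);
  if (u.protocol !== "https:") throw new Error(`IdP URL must use https: ${url}`);
  return u.href;
}

// Returns the policy value as an object; JSON.stringify it to paste into the console.
function webHidAllowlistPolicy(idpUrls, usbIds) {
  if (usbIds.length === 0) throw new Error("at least one reader vendor:product ID is required");
  return [{ devices: usbIds.map(parseUsbId), urls: idpUrls.map(checkIdpUrl) }];
}

// Example: one IdP page, the rf IDEAS reader ID from the article plus a made-up
// second reader, to show several readers sharing one entry.
const policy = webHidAllowlistPolicy(
  ["https://my-idp.local/sso/login"],
  ["0c27:3b1e", "1234:5678"]
);
console.log(JSON.stringify(policy, null, 2));
// 0c27:3b1e becomes vendor_id 3111, product_id 15134
```

Use the same value for both the in-session setting and the sign-in screen setting; the badge is read on the sign-in screen first, so a device that is only allowlisted in session will still prompt or fail at login.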
Step 3: Configure SAML SSO for your device
For instructions, go to Configure SAML single sign-on for ChromeOS devices. For badge-based authentication, you don’t need to complete all of the steps that are described in the article:
- Set up SSO—Required.
- Test SSO—Optional.
- Enable SAML SSO cookies—Optional, but recommended. Some users might also have other apps connected to their IdP. Configure SSO cookie behavior so that users are automatically signed into those apps when they use their badge to enter a user session.
- Enable SAML SSO IdP Redirection—Optional, but recommended.
- Control content on the sign-in and lock screens—Optional, but recommended.
- Roll out SAML SSO for devices—Only relevant if you tested SSO on a subset of devices first; in that case, roll out SAML SSO to all devices. Otherwise, skip this step.
Step 4: (Recommended) Configure device settings
Set the length of time that passes before the online sign-in screen and lock screen automatically refresh. This helps to avoid timeouts of the authentication page and therefore supports uninterrupted badge authentication support.
- Go to Menu > Devices > Chrome > Settings > Device settings. Requires having the Mobile Device Management administrator privilege.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- Go to Sign-in Settings.
- Click Automatic online sign-in / lock screen refresh.
- Set the interval at which the authentication flow automatically reloads on the sign-in page. For details about the Automatic online sign-in / lock screen refresh setting, go to Set ChromeOS device policies.
- Click Save.
Step 5: (Optional, but recommended) Set up device trust connector
Badge-based authentication requests sent from a ChromeOS device to an IdP server need to prove that they originate from a managed device in the correct domain.
To configure a new connector, you’ll need to get the following information from your chosen IdP:
- Which of the available IdP providers to select
- URL patterns to allow
- An IdP service account email
For a list of third-party IdPs with ChromeOS device trust connector support as well as details about how to set up device trust connectors, go to Manage Chrome Enterprise device trust connectors.
Troubleshoot
View in-session logs on ChromeOS device
- On a ChromeOS device, open Chrome browser and go to chrome://inspect/#pages.
- Find the page chrome-extension://agicampiiinkgdgceoknnjecpoamgigi/offscreen/idp_document.html and click Inspect.
- On the Console tab, look for logs that come from the IdP. They are mixed with the logs from the extension, so filter by filename to find the logs you're looking for.
Identity Card Connector extension
The Identity Card Connector extension gives your IdP access to badges. It can also keep your IdP running permanently in session on a background page, which is what enables badge-based locks and sign-outs.
Identity Card Connector extension policies
| Policy name | Description | Example |
|---|---|---|
| smartCardConnectorExtensionId | ID of the Smart Card Connector app that the Identity Card Connector extension uses to interact with PC/SC readers. Default value: the ID of the production version of the Smart Card Connector app, khpfeaanjngmcnplbdlpegiifgpfgdco. | "smartCardConnectorExtensionId": { "Value": "khpfeaanjngmcnplbdlpegiifgpfgdco" } |
| inSessionOffscreenWebpageUrl | URL of the webpage that opens in an offscreen document to interact with the extension and use the WebHID API. If unset, no offscreen document opens. | "inSessionOffscreenWebpageUrl": { "Value": "https://my-idp.local/sso/login" } |
| loginScreenConnectUrlAllowlist | List of URLs that are allowed to establish a connection and communicate with the Identity Card Connector extension on the sign-in screen. URLs can end with a wildcard * symbol. There can be at most one active connection at a time. Smart Card Connector app doesn't need to be allowlisted because its connection is defined by the smartCardConnectorExtensionId policy. | "loginScreenConnectUrlAllowlist": { "Value": [ "https://my-idp.local/sso/v1/login", "https://my-idp.local/sso/v2/login?*" ] } |
| inSessionConnectUrlAllowlist | List of URLs that are allowed to establish a connection and communicate with the Identity Card Connector extension in session, outside of an offscreen document. Both webpages and extensions can connect. URLs can end with a wildcard * symbol. There can be at most one active connection at a time. If the inSessionOffscreenWebpageUrl policy is configured, the webpage in the offscreen document holds the active connection and this policy is ignored. Smart Card Connector app doesn't need to be allowlisted because its connection is defined by the smartCardConnectorExtensionId policy. | "inSessionConnectUrlAllowlist": { "Value": [ "https://my-idp.local/sso/login", "chrome-extension://imkicgecimgmikfilpaffhjkefncgabi/*" ] } |
| inSessionOffscreenRefreshMinutes | Number of minutes after the webpage in the offscreen document is loaded until it must be refreshed. Once the interval has elapsed, the refresh happens automatically the next time the Identity Card Connector extension and the webpage have not communicated for at least 5 seconds. Default value: 0 minutes (policy is turned off). | "inSessionOffscreenRefreshMinutes": { "Value": 20 } |
Identity Card Connector JSON examples
Here is an example JSON file that shows how to configure the extension for the main badge authentication flow.
{
  "inSessionOffscreenWebpageUrl": {
    "Value": "https://my-idp.local/sso/login"
  },
  "loginScreenConnectUrlAllowlist": {
    "Value": [
      "https://my-idp.local/sso/v1/login",
      "https://my-idp.local/sso/v2/login?*"
    ]
  },
  "smartCardConnectorExtensionId": {
    "Value": "khpfeaanjngmcnplbdlpegiifgpfgdco"
  }
}
Here is an example JSON file that allowlists Identity Card Connector extension to access Smart Card Connector app.
{
  "force_allowed_client_app_ids": {
    "Value": [
      "agicampiiinkgdgceoknnjecpoamgigi"
    ]
  },
  "scard_disconnect_fallback_client_app_ids": {
    "Value": [
      "agicampiiinkgdgceoknnjecpoamgigi"
    ]
  }
}
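The allowlist policies in the table above decide which page may hold the single connection to the extension, and a mistake there either locks out the IdP or opens the reader to other pages. The following is an added example, not the Identity Card Connector extension's own code: it models the documented rules so you can lint a policy file and ask "can this page connect?" before pushing it to an organizational unit. It assumes that an entry without "*" must match the URL exactly and that a trailing "*" matches any suffix (the table only says entries can end with a wildcard), and it applies the rule that inSessionOffscreenWebpageUrl overrides inSessionConnectUrlAllowlist literally; the extension's real matching may differ in details. The sample policy is the main-flow JSON above; the second, deliberately bad policy is constructed here.

```javascript
// Added example (not the Identity Card Connector extension's own code): a model of
// the connection rules in the policy table, to lint a policy before deployment.
// Assumptions: no "*" means exact match, a trailing "*" matches any suffix, and
// inSessionOffscreenWebpageUrl overrides inSessionConnectUrlAllowlist as the table
// states. MAIN_FLOW_POLICY is the article's JSON; BAD_POLICY is constructed here.

const EXTENSION_ID = /^[a-p]{32}$/; // Chrome extension IDs are 32 chars in a-p

// One allowlist entry against one URL. A "*" is only honoured at the very end.
function matchesPattern(pattern, url) {
  if (pattern.endsWith("*")) return url.startsWith(pattern.slice(0, -1));
  return url === pattern;
}

function value(policy, name) {
  return policy[name] === undefined ? undefined : policy[name].Value;
}

// Returns a list of problems (empty means the policy looks sane).
function lintPolicy(policy) {
  const problems = [];
  const id = value(policy, "smartCardConnectorExtensionId");
  if (id !== undefined && !EXTENSION_ID.test(id))
    problems.push(`smartCardConnectorExtensionId "${id}" is not a valid extension ID`);
  for (const name of ["loginScreenConnectUrlAllowlist", "inSessionConnectUrlAllowlist"]) {
    for (const entry of value(policy, name) || []) {
      const star = entry.indexOf("*");
      if (star !== -1 && star !== entry.length - 1)
        problems.push(`${name}: "${entry}" has "*" before the end; only a trailing wildcard works`);
      if (!/^(https|chrome-extension):\/\//.test(entry))
        problems.push(`${name}: "${entry}" is neither https:// nor chrome-extension://`);
      if (/^(https:\/\/)?\*$/.test(entry))
        problems.push(`${name}: "${entry}" lets any page talk to the reader`);
    }
  }
  if (value(policy, "inSessionOffscreenWebpageUrl") &&
      (value(policy, "inSessionConnectUrlAllowlist") || []).length)
    problems.push("inSessionConnectUrlAllowlist is ignored while inSessionOffscreenWebpageUrl is set");
  return problems;
}

// context is "login" (sign-in screen) or "session" (inside a user session).
function canConnect(policy, context, url) {
  if (context === "login")
    return (value(policy, "loginScreenConnectUrlAllowlist") || []).some(p => matchesPattern(p, url));
  const offscreen = value(policy, "inSessionOffscreenWebpageUrl");
  if (offscreen) return url === offscreen; // only the offscreen document holds the connection
  return (value(policy, "inSessionConnectUrlAllowlist") || []).some(p => matchesPattern(p, url));
}

// The article's main-flow policy.
const MAIN_FLOW_POLICY = {
  inSessionOffscreenWebpageUrl: { Value: "https://my-idp.local/sso/login" },
  loginScreenConnectUrlAllowlist: {
    Value: ["https://my-idp.local/sso/v1/login", "https://my-idp.local/sso/v2/login?*"],
  },
  smartCardConnectorExtensionId: { Value: "khpfeaanjngmcnplbdlpegiifgpfgdco" },
};

// Constructed bad policy: wildcard in the host part, a catch-all, and a plain-http entry.
const BAD_POLICY = {
  loginScreenConnectUrlAllowlist: {
    Value: ["https://*.my-idp.local/sso/login", "https://*", "http://my-idp.local/sso/login"],
  },
};

console.log(lintPolicy(MAIN_FLOW_POLICY)); // []
console.log(lintPolicy(BAD_POLICY));       // three problems, one per entry
console.log(canConnect(MAIN_FLOW_POLICY, "login", "https://my-idp.local/sso/v2/login?x=1"));   // true
console.log(canConnect(MAIN_FLOW_POLICY, "login", "https://my-idp.local/sso/v1/login/extra")); // false
```

The useful check is the negative one: a v1 URL with an extra path segment, or the same path on another host, must come back false, and in session only the offscreen page should be accepted once inSessionOffscreenWebpageUrl is set.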
Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.