How to Enable Single Sign-On (SSO) for Google Chrome Using Intune

Comprehensive Guide: Enabling Single Sign-On for Chrome via Intune

Single Sign-On (SSO) in Chrome lets users access corporate web apps without repeated login prompts. Deploying Chrome SSO with Intune centralizes control and improves both security and user experience. This guide covers background, detailed configuration steps, and troubleshooting.


Background and Benefits

When devices are Azure AD joined or hybrid-joined, Windows holds a user’s authentication token. Chrome can leverage that token—via integrated Windows authentication (IWA) and whitelisted URLs—to silently sign users into internal and cloud applications. Benefits include:

  • Seamless access: Users open web apps without entering credentials again.
  • Stronger security: Enforces corporate authentication flows and conditional-access policies.
  • Simplified management: Central policy deployment via Intune across all managed Windows devices.

Prerequisites

  1. Device enrollment
    • Windows 10/11 machines must be Azure AD joined or hybrid-joined with Intune.
  2. Licensing
    • Azure AD Premium P1 or P2 (for Conditional Access)
    • Microsoft Intune license
  3. Chrome Enterprise package
    • Use the Enterprise MSI installer from Google (drop consumer builds).
  4. Access to ADMX templates
    • Download the latest Google Chrome policy templates (chrome.admx, google.admx).

Step 1: Import Chrome ADMX Templates into Intune

  1. In the Intune portal, navigate to Devices > Configuration profiles.
  2. Click Create profile > Windows 10 and later > Templates > Administrative Templates.
  3. Under Custom ADMX, upload both chrome.admx and its supporting files:
    • Download from Google’s enterprise bundle.
    • In the profile settings pane, choose Import and select each ADMX and ADML file.
  4. Save the profile (you’ll edit it next).

Step 2: Configure Chrome Authentication Policies

Within the Administrative Templates profile you just created:

  1. Enable Integrated Windows Authentication
    • Locate the Chrome setting named Enable Integrated Windows Authentication (the counterpart of the Microsoft Edge setting of the same name).
    • Set to Enabled.
  2. AuthServerWhitelist
    • Policy path: Google > Google Chrome > AuthServerWhitelist.
    • Enter a comma-separated list of host patterns, for example:
      https://login.microsoftonline.com,https://*.contoso.com
    • This tells Chrome which sites can use IWA.
  3. AuthNegotiateDelegateWhitelist (for Kerberos delegation)
    • Path: Google > Google Chrome > AuthNegotiateDelegateWhitelist.
    • Enter SPN-formatted entries if you need Chrome to forward Kerberos tickets to on-prem services, for example:
      HTTP/appservice.contoso.com,HTTP/fileserver.contoso.local
  4. AuthSchemes (optional)
    • Path: Google > Google Chrome > AuthSchemes.
    • Ensure it includes negotiate so that Kerberos and NTLM are allowed, for example:
      negotiate,ntlm

Click Review + save after configuring each setting.


Step 3: Deploy Chrome Enterprise via Intune

  1. In the Intune portal, go to Apps > Windows > Add.
  2. Choose Line-of-business app.
  3. Upload the Chrome Enterprise MSI.
  4. Configure installation behavior:
    • Install context: System
    • Restart behavior: Suppress if possible
  5. Assign the app to the same Azure AD groups you’ll target for SSO.
  6. Click Review + create.

Once deployed, devices will install Chrome on next sync or at next reboot.


Step 4: Assign the Configuration Profile

  1. Return to Devices > Configuration profiles.
  2. Select your Chrome Administrative Templates profile.
  3. Go to Assignments.
  4. Target the same user or device groups as your Chrome app deployment.
  5. Save and exit.
  6. On each device, run Sync in Settings > Accounts > Access work or school > Connected to <YourTenant> > Info > Sync.

Step 5: Client-Side Verification

After policy sync, verify on a test machine:

  1. chrome://policy
    • Open Chrome and navigate to chrome://policy.
    • Confirm that AuthServerWhitelist, AuthNegotiateDelegateWhitelist, and EnableIntegratedWindowsAuth appear with correct values.
  2. Access a protected site
    • Navigate to an internal site under your whitelist (e.g., https://intranet.contoso.com).
    • Chrome should sign you in automatically without a prompt.
  3. Browser logs
    • In Windows Event Viewer under Applications and Services Logs > Microsoft > EnterpriseCloudAuthentication, look for login events.
    • Check Chrome’s debug logs by launching with --log-net-log=netlog.json.
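The following PowerShell script is an added example, not part of the original guide, that turns the Step 2 configuration and the Step 5 chrome://policy check into a repeatable test. It reads the values that the Administrative Templates profile writes under HKLM\SOFTWARE\Policies\Google\Chrome (Chrome's documented policy key, the same values chrome://policy shows as platform policy) and sanity-checks their format. Two facts it relies on: Chrome 86 and later name these policies AuthServerAllowlist and AuthNegotiateDelegateAllowlist (the Whitelist names used above are the older names, which older builds and templates still use), and Chrome's policy reference describes both lists as comma-separated server names with * wildcards, so an entry that carries a URL scheme or a path is flagged for review. The key path, value names and scheme tokens are Chrome's; the function names and the report layout are this example's own.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell on an
# enrolled test device after the Intune policy sync has completed.
# Assumption: the Administrative Templates profile is machine-scoped, so its values
# land under HKLM\SOFTWARE\Policies\Google\Chrome (Chrome's documented policy key).

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Logical policy -> registry value names it may appear under, current name first.
$PolicyNames = [ordered]@{
    AuthServerAllowlist            = @('AuthServerAllowlist', 'AuthServerWhitelist')
    AuthNegotiateDelegateAllowlist = @('AuthNegotiateDelegateAllowlist', 'AuthNegotiateDelegateWhitelist')
    AuthSchemes                    = @('AuthSchemes')
}

function Get-ChromePolicyValue {
    # Returns the first matching value name and its data, or $null if none is set.
    param([string[]]$Names)
    if (-not (Test-Path $PolicyKey)) { return $null }
    $item = Get-ItemProperty -Path $PolicyKey
    foreach ($n in $Names) {
        if ($item.PSObject.Properties.Name -contains $n) {
            return [pscustomobject]@{ Name = $n; Value = [string]$item.$n }
        }
    }
    return $null
}

function Test-ServerList {
    # Both allowlists are comma-separated server names; * wildcards are allowed,
    # URL schemes, paths and stray whitespace are not what the policy reference expects.
    param([string]$List)
    $problems = @()
    foreach ($entry in ($List -split ',')) {
        $e = $entry.Trim()
        if ($e -eq '') { $problems += 'empty entry (doubled or trailing comma)'; continue }
        if ($entry -ne $e) { $problems += "'$entry' has surrounding whitespace" }
        if ($e -match '^[A-Za-z]+://') {
            $problems += "'$e' carries a URL scheme; the reference expects the host name only"
        } elseif ($e -match '/') {
            $problems += "'$e' contains '/'; the reference expects server names, so an SPN-style entry is unlikely to match"
        }
    }
    return $problems
}

function Test-AuthSchemes {
    # Valid tokens are basic, digest, ntlm and negotiate. negotiate is what Kerberos SSO
    # uses; basic sends the password in clear text, so its presence is reported as well.
    param([string]$List)
    $problems = @()
    $tokens = @($List -split ',' | ForEach-Object { $_.Trim().ToLowerInvariant() })
    foreach ($t in $tokens) {
        if ($t -notin 'basic', 'digest', 'ntlm', 'negotiate') { $problems += "unknown scheme '$t'" }
    }
    if ('negotiate' -notin $tokens) { $problems += 'negotiate missing: Kerberos SSO cannot work' }
    if ('basic' -in $tokens) { $problems += 'basic enabled: a server can ask for the password in clear text' }
    return $problems
}

function Test-ChromeSsoPolicy {
    # One report row per policy; Status is Missing, OK or Check (see Problems).
    $rows = foreach ($policy in $PolicyNames.Keys) {
        $found = Get-ChromePolicyValue -Names $PolicyNames[$policy]
        if ($null -eq $found) {
            $status = if ($policy -eq 'AuthSchemes') { 'Missing (optional, defaults apply)' } else { 'Missing' }
            [pscustomobject]@{ Policy = $policy; ValueName = $null; Value = $null; Status = $status; Problems = '' }
            continue
        }
        $problems = @(if ($policy -eq 'AuthSchemes') { Test-AuthSchemes $found.Value } else { Test-ServerList $found.Value })
        $status = if ($problems.Count -eq 0) { 'OK' } else { 'Check' }
        [pscustomobject]@{
            Policy    = $policy
            ValueName = $found.Name
            Value     = $found.Value
            Status    = $status
            Problems  = ($problems -join '; ')
        }
    }
    return $rows
}

Test-ChromeSsoPolicy | Format-Table -AutoSize -Wrap
```

A row marked Missing after a completed sync usually means the profile was assigned to a group the device or user is not in, or that a GPO with a different value wins; a row marked Check with a scheme warning is worth fixing before a wider rollout, because Chrome will simply not negotiate for a host that does not match the pattern and the user sees a credential prompt instead of silent sign-in.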

Troubleshooting Tips

  • Missing Policies
    • Ensure devices are Intune-joined and policy sync succeeded.
    • Check Azure AD group membership and profile assignments.
  • Auth Failures
    • Verify your whitelist entries exactly match the URL scheme and hostname.
    • Confirm time synchronization between client and domain controller.
  • Kerberos Issues
    • Validate SPNs in Active Directory: setspn -L <service-account>
    • Ensure delegation is enabled on the service account.
  • Policy Conflicts
    • If you use GPOs, run gpresult /H report.html to detect on-prem policy overrides.
    • Consider disabling the same settings via GPO to avoid conflicts.
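As an added example (not part of the original guide), the following PowerShell script pulls the Step 5 site test and the Auth Failures and Kerberos Issues checks above into one diagnostic run: it measures the clock offset with w32tm, looks for duplicate SPNs with setspn -X, sends an anonymous request to a test URL to confirm the site challenges with Negotiate, repeats the request with the user's logon token, and finally lists the SPNs present in the ticket cache (klist). The test URL, the function names and the 300-second skew limit (Kerberos's default maximum tolerance) are this example's own assumptions; the w32tm, klist and setspn output lines it parses are the tools' standard output.

```powershell
# Added example, not from the original guide. Run as the signed-in user (not elevated,
# so the HTTP probe uses that user's logon token) on a test device with policies applied.
# Assumptions: w32tm.exe and klist.exe ship with Windows; setspn.exe needs the RSAT
# AD DS tools; $TestUrl is a placeholder for a site covered by your allowlist.

$TestUrl = 'https://intranet.contoso.com/'   # placeholder, replace with a site from your allowlist

function Get-ClockSkewSeconds {
    # Kerberos rejects tickets when client and KDC clocks differ by more than the domain's
    # maximum tolerance (5 minutes by default). w32tm reports the last measured offset
    # against the configured time source on its "Phase Offset" line.
    $line = [string]((& w32tm.exe /query /status 2>&1) | Where-Object { $_ -match 'Phase Offset' } | Select-Object -First 1)
    if ($line -match '(-?\d+(\.\d+)?)s') { return [double]$Matches[1] }
    return $null
}

function Get-KerberosTicketServers {
    # klist lists the cached tickets; each "Server:" line names the SPN the ticket was
    # issued for. No HTTP/<host> entry after a visit means Kerberos was never negotiated.
    return @(& klist.exe 2>&1 | ForEach-Object {
        if ($_ -match '^\s*Server:\s*(\S+)') { $Matches[1] }
    })
}

function Find-DuplicateSpn {
    # setspn -X walks the forest for SPNs registered on more than one account; a duplicate
    # HTTP/<host> SPN makes the KDC issue tickets the web server cannot decrypt.
    if (-not (Get-Command setspn.exe -ErrorAction SilentlyContinue)) { return @('setspn.exe not installed (RSAT)') }
    return @(& setspn.exe -X 2>&1 | Where-Object { $_ -match 'registered on these accounts' })
}

function Test-NegotiateChallenge {
    # Anonymous request: an IWA-protected site should answer 401 and advertise Negotiate.
    # Second request with -UseDefaultCredentials: the logon token should satisfy it, which
    # is what Chrome does for hosts that match AuthServerAllowlist.
    param([string]$Url)
    $report = [ordered]@{ Url = $Url; AnonymousStatus = $null; Challenge = 'none'; SsoStatus = $null }
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        $report.AnonymousStatus = [int]$r.StatusCode   # 200 here means the site is not IWA-protected
    } catch {
        $resp = $_.Exception.Response
        if ($null -ne $resp) {
            $report.AnonymousStatus = [int]$resp.StatusCode
            # Windows PowerShell surfaces HttpWebResponse, PowerShell 7 surfaces HttpResponseMessage
            if ($resp -is [System.Net.HttpWebResponse]) {
                $hdr = $resp.Headers['WWW-Authenticate']
            } else {
                $hdr = @($resp.Headers.WwwAuthenticate | ForEach-Object { $_.Scheme }) -join ','
            }
            if ($hdr) { $report.Challenge = $hdr }
        } else {
            $report.AnonymousStatus = "error: $($_.Exception.Message)"
        }
    }
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -UseDefaultCredentials -ErrorAction Stop
        $report.SsoStatus = [int]$r.StatusCode
    } catch {
        $report.SsoStatus = "failed: $($_.Exception.Message)"
    }
    return [pscustomobject]$report
}

function Invoke-ChromeSsoDiagnostics {
    param([string]$Url = $TestUrl)
    $skew = Get-ClockSkewSeconds
    [pscustomobject]@{
        ClockSkewSeconds      = $skew
        SkewWithinKerberosMax = ($null -ne $skew -and [math]::Abs($skew) -lt 300)
        DuplicateSpns         = ((Find-DuplicateSpn) -join '; ')
        HttpProbe             = (Test-NegotiateChallenge -Url $Url)
        TicketsAfterProbe     = ((Get-KerberosTicketServers) -join '; ')
    }
}

Invoke-ChromeSsoDiagnostics | Format-List
```

Reading the result: a Challenge of NTLM only, with no HTTP/<host> ticket afterwards, points at a missing or duplicate SPN rather than at the Chrome policy; a skew above the limit explains failures that appear only on some machines; and an SsoStatus of 200 while Chrome still prompts means the browser policy (not Windows or the server) is the remaining problem.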

Conclusion

By importing Chrome ADMX templates into Intune, configuring Integrated Windows Authentication and whitelist policies, and deploying Chrome Enterprise via a line-of-business app, you can enable seamless SSO across your Windows fleet. Testing via chrome://policy and Event Viewer ensures policies are applied correctly. This setup enhances security, simplifies access, and improves user productivity.
