You can configure Chromebook SSO so that users are signed in to Sophos Firewall when they sign in to their Chromebooks. When users authenticate with the domain configured in Google Workspace, the firewall shows them on the Live users page.
Requirements
To use Chromebook SSO, your environment must meet the following requirements:
- You must configure an Active Directory or LDAP authentication server in your firewall. See the following pages:
- Chromebooks must connect to the network secured by Sophos Firewall.
- Chromebook users must have email addresses that use the domain registered with Google Workspace. For example, if your registered domain is example.com, Chromebook users must have a user@example.com email address.
- Create or import a valid certificate for encrypted communication with the Chromebooks. The certificate must meet the following requirements:
  - The CN must match the zone or network where the Chromebook users are, for example, gateway.example.com.
  - The certificate must not be protected by a passphrase.
- Create an FQDN host entry for accounts.google.com. See Add an FQDN host.
To configure your firewall for Chromebook SSO, you must allow device access for the Chromebooks, turn on Chromebook SSO authentication, and create firewall rules to allow communication between the Chromebooks and Google Workspace. Do as follows:
Device access
- Go to Administration > Device access.
- Select Chromebook SSO for the zones from which the Chromebook users will connect, such as LAN and Wi-Fi.
Chromebook SSO authentication
- Go to Authentication > Services > Chromebook SSO.
- Click Enable and enter the following settings:
  - Domain: The Google Workspace domain. This is the domain suffix of the email addresses used in Google Workspace, for example, example.com.
  - Port: 65123.
  - Certificate: The certificate for encrypted communication with the Chromebooks.
- Click Download G Suite app config to download a JSON file, which you'll need to upload to Google Workspace.
- Open the file with a text editor and enter your firewall's LAN or DNS IP address for serverAddress. The server address must match the certificate's CN, for example, 10.1.1.1.
- Save your changes. You'll need this file to configure the Sophos Chromebook user ID app in Google Workspace.
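The two constraints in this step that most often break the deployment are a serverAddress that does not match the certificate's CN and a certificate whose private key is passphrase-protected. The following script is an added example (not Sophos code) that edits the downloaded JSON and checks both before you upload it. It assumes only what the page states: the file is a JSON object with a serverAddress key, and the Chromebook SSO port is 65123. The certificate CN and the key PEM text are passed in by the caller; obtaining the CN with a tool such as openssl is assumed, not shown. The sample config and PEM fragments in the block are constructed for illustration.

```python
"""Set and sanity-check serverAddress in the Chromebook SSO app config.

Added example, not part of the Sophos documentation. Assumes the downloaded
JSON object has a "serverAddress" key (named on the page); any other keys
are passed through untouched.
"""
import ipaddress
import json
import re

CHROMEBOOK_SSO_PORT = 65123  # port the page documents for Chromebook SSO

# RFC 1123 style hostname: labels of 1-63 chars, total length <= 253.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


def is_valid_server_address(value):
    """True if value is an IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(value))


def private_key_is_passphrase_protected(pem_text):
    """Detect an encrypted private key from its PEM markers alone.

    PKCS#8 encrypted keys use the "ENCRYPTED PRIVATE KEY" label; legacy
    OpenSSL-format keys carry a "Proc-Type: 4,ENCRYPTED" header instead.
    """
    return ("ENCRYPTED PRIVATE KEY" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)


def set_server_address(config, server_address, certificate_cn):
    """Return a copy of config with serverAddress set, after validation.

    The page requires serverAddress to match the certificate's CN exactly,
    so a mismatch is rejected rather than silently written.
    """
    if not is_valid_server_address(server_address):
        raise ValueError(f"not an IP address or hostname: {server_address!r}")
    if server_address != certificate_cn:
        raise ValueError(
            f"serverAddress {server_address!r} does not match certificate CN "
            f"{certificate_cn!r}")
    updated = dict(config)
    updated["serverAddress"] = server_address
    return updated


def update_config_file(path, server_address, certificate_cn, key_pem_text):
    """Rewrite the JSON file in place; refuse if the key is passphrase-protected."""
    if private_key_is_passphrase_protected(key_pem_text):
        raise ValueError("certificate private key must not be passphrase-protected")
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    if "serverAddress" not in config:
        raise ValueError("downloaded config has no serverAddress key")
    updated = set_server_address(config, server_address, certificate_cn)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(updated, fh, indent=2)
    return updated


if __name__ == "__main__":
    import tempfile

    # Constructed stand-in for the file downloaded from the firewall.
    sample_config = {"serverAddress": ""}
    # Constructed PEM fragment for an unencrypted PKCS#8 key.
    sample_key = "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as tmp:
        json.dump(sample_config, tmp)
    result = update_config_file(tmp.name, "10.1.1.1", "10.1.1.1", sample_key)
    print(json.dumps(result, indent=2))
```

Run it against the real downloaded file by calling update_config_file with the path, the address you intend to use, the CN you read from the certificate, and the text of the key PEM; any of the three checks failing raises before the file is modified.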
Firewall rules
- Go to Rules and policies > Firewall rules.
- Create a firewall rule to allow Google API and Chrome Web Store communication for all devices. This rule is necessary to push the app to Chromebooks. Enter the following settings:
  - Action: Accept.
  - Source zones: The zones the Chromebooks connect from, such as LAN and Wi-Fi.
  - Source networks: Select your Chromebooks' networks, or select Any.
  - Destination zones: The zones you want the Chromebooks to communicate with, such as WAN.
  - Destination networks: Select the FQDN host you created for accounts.google.com and the predefined FQDN host groups Google API Hosts and Google Chrome Web Store.
- Create another firewall rule to allow internet access to Chromebooks by matching known users and showing the captive portal to unknown users. Enter the following settings:
  - Action: Accept.
  - Source zones: The zones the Chromebooks connect from, such as LAN and Wi-Fi.
  - Source networks: Select your Chromebooks' networks, or select Any.
  - Destination zones: The zones you want the Chromebooks to communicate with, such as WAN.
  - Destination networks: Select Any or choose the specific networks you want the Chromebooks to communicate with.
  - Match known users: Selected.
  - Use web authentication for unknown users: Selected.
Note
You must position this rule below the rule that allows Google API and Chrome Web Store communication.
Warning
This information was correct at the time of writing. We recommend you review the Google documentation to make sure you're following the current steps. See View and configure apps and extensions.
You must configure the Sophos Chromebook user ID app in Google Workspace for communication and authentication with your firewall. Do as follows:
- Sign in to Google Workspace.
- Go to Devices > Chrome > Apps and extensions > Users and browsers.
- Click Add, then click Add from Chrome Web Store.
- Search for the Sophos Chromebook user ID app and click Select.
- Under Installation policy, select one of the following options:
  - Force install: Automatically installs the app on all Chromebooks configured for your domain and prevents users from removing it.
  - Force install + pin to browser toolbar: Automatically installs the app, prevents users from removing it, and displays it on the Chromebook toolbar after installation.
- Under Policy for extensions, click Upload, select the JSON configuration file, and click Open to upload it to Google Workspace.
- Click Save.
Trusted API admin permission
To prevent OAuth from failing, you must add trusted API admin permission to the Sophos User ID app as follows:
- In Google Workspace, go to Security > Access and data control > API controls.
- Under App access control, click Manage app access.
- Under Accessed apps, click View list.
- Search for Sophos User ID and click Change access.
- Choose the Scope. You can select the entire organization, or specific OUs.
- Click Next.
- Select Trusted.
- Click Next.
- Click Change access.
Install CA certificate for proxy and app communication
If you use a locally-signed certificate for Sophos Firewall, you must upload the corresponding CA certificate to Google Workspace for proxy and app communication to work.
- Sign in to your firewall.
- Go to Certificates > Certificate authorities.
- Click Download for the certificate authority you want to download. The firewall signs locally-signed certificates using the CA Default.
- Extract the .pem file from the downloaded .tar.gz file to the location of your choice.
- Sign in to Google Workspace.
- Go to Devices > Networks > Certificates.
- Click Upload certificate.
- Click Upload, select the .pem file you downloaded from Sophos Firewall, and click Open.
- Under Certificate authority, select Enabled for Chromebook.
- Click Add.
If you didn't force the Sophos Chromebook user ID app installation, you must configure your Chromebooks by installing it from the Chrome Web Store.
https://docs.sophos.com/nsg/sophos-firewall/22.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/HowToArticles/AuthenticationConfigureChromebookSSO/index.html#configure-your-chromebooks