Session length controls for domains using SAML
What’s new: In March, we introduced a setting that allows G Suite Business, Enterprise, and Education admins to specify the duration of web sessions for Google services (e.g. four hours, seven days, or infinite). At the time, this setting only applied to domains where Google was responsible for the login (i.e. where Google was the Identity Provider). We’re now extending the reach of this setting and making it applicable in domains that federate to another Identity Provider (IdP) using SAML.
Note that these settings apply to all desktop web sessions, as well as some mobile browser sessions. Native mobile apps, like Gmail for Android and iOS, aren’t impacted by these settings.
Removing session-based cookies on May 7th, 2018
In the past, to give a G Suite customer’s preferred IdP more control over session lengths, we marked the cookies for sessions created by federating to another IdP via SAML as transient, or session-based. These cookies were intended to expire whenever the browser was closed, meaning the user would be redirected to their primary IdP whenever they reopened the browser and visited a Google site.
Over time, however, this behavior has become increasingly inconsistent across browsers. We believe that G Suite admins are better served by explicit session length controls, like the ones we just launched. Unlike session cookies, these controls are respected regardless of the user’s browser.
With this in mind, we’ll be removing session-based cookies for G Suite customers who federate to another IdP via SAML on May 7th, 2018. Please consider setting a custom session length for your organization if your workflows depend on it.
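The difference between a transient cookie and one with an explicit lifetime is visible in the Set-Cookie header itself. The following Python sketch is an added example, not Google's code: it classifies headers by their lifetime attributes, and the cookie name EXAMPLE_SID, the values and the reference date are constructed placeholders.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample headers; the cookie name and value are placeholders.
SAMPLE_HEADERS = [
    "EXAMPLE_SID=abc123; Path=/; Secure; HttpOnly",
    "EXAMPLE_SID=abc123; Path=/; Secure; HttpOnly; Max-Age=14400",
    "EXAMPLE_SID=abc123; Path=/; Secure; Expires=Mon, 14 May 2018 00:00:00 GMT",
    "EXAMPLE_SID=abc123; Max-Age=0; Expires=Mon, 14 May 2018 00:00:00 GMT",
]


def classify(header, now):
    """Return (kind, lifetime_seconds) for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    morsel = next(iter(jar.values()))
    max_age, expires = morsel["max-age"], morsel["expires"]
    if max_age != "":
        # RFC 6265: Max-Age takes precedence over Expires when both are set.
        lifetime = int(max_age)
    elif expires:
        lifetime = int((parsedate_to_datetime(expires) - now).total_seconds())
    else:
        # No lifetime attribute: the browser decides when the "session" ends,
        # which is the behavior that varies between browsers.
        return ("transient", None)
    if lifetime <= 0:
        return ("expired", lifetime)
    return ("persistent", lifetime)


if __name__ == "__main__":
    # Constructed reference time so the output is reproducible.
    reference = datetime(2018, 5, 7, tzinfo=timezone.utc)
    for header in SAMPLE_HEADERS:
        print(classify(header, reference), "<-", header)
```

Only the first header depends on the browser to end the session; the others carry a lifetime that is enforced the same way everywhere.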
Replicating previous behavior
If it’s critical to replicate the previous behavior, where all sessions expired when a browser was closed, you can change the browser settings on impacted machines to delete all local data when the browser is exited. Instructions to configure this on Chrome can be found here. To deploy this policy on multiple machines, use Chrome policies to configure ephemeral mode.