
Issue 795149


Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Feature




[FR] Enforced Chrome Sign-In with integrated Windows AD userID pass-through

Project Member Reported by c...@chromium.org, Dec 15 2017

Issue description

Description:  Enhancement to initial FR: https://bugs.chromium.org/p/chromium/issues/detail?id=175880.

Use case: With enforced Chrome sign-in policy in place and new FR for integrated Windows AD UserID pass-through, a user authenticates into his/her Microsoft Windows device and will automatically be authenticated into Chrome Browser. Requires no additional prompting for userID and/or password. The desired result is a fully managed Windows endpoint whereby a user has to log in once and identity is leveraged seamlessly into Chrome Browser. Also the user should NOT have the ability to log out (remove logout browser option).

Motivation:  Provide a clean cloud worker user experience.

Existing workarounds: Enforced Chrome Sign-in requires (1) the user to first sign in to their Windows environment and (2) enter (cache) credentials into Chrome Browser. This requires a multi-step process. Identity should be leveraged from the initial login into the Windows endpoint.

 
Cc: zmin@chromium.org georgesak@chromium.org
Status: Available (was: Untriaged)
Hi Owen,

Can you take a look at this when you have a chance? Adding a new option to the policy for forced sign-in that allows pass-through of the current logged-in Windows user seems like a slick use-case for forced sign-in.

WDYT?

Comment 2 by zmin@chromium.org, Dec 28 2017

I think this FR makes sense. In order to do that, we need to implement:
1) Create a shadow account for Windows AD userID.
2) Create a primary profile for Chrome.
3) Sign in to the primary profile automatically.

For the new primary profile concept,
a) Are the policies of primary profile applied to other profiles?
b) Is deleting the primary profile forbidden?
c) Are there any other features we want to create based on the primary profile?

I think we could reuse some code from ChromeOS for 1) and 3), while 2) might be complicated,
depending on the answers to the three questions above.
Cc: rogerta@chromium.org
+rogerta

This is something we'll look into down the line, but not immediately.
Cc: -rogerta@chromium.org c...@chromium.org
Chester, to clarify: C#2 is mentioning a larger undertaking to create shadow accounts for non-gsuite customers.

I may be off base, but IIUC, your request here is for existing mapping of AD + GSuite user accounts.

e.g., matt@company.com is my AD account, or matt@corp.company.com is what I log into Windows/AD with and my GSuite account is matt@company.com. Is it correct to assume you want a policy to map the current Windows/AD user to the GSuite account (e.g., map 1:1 *@company.com (AD) to *@company.com (GSuite)) OR (map *@corp.company.com (AD) to *@company.com (GSuite))?
Cc: rogerta@chromium.org
Owner: georgesak@chromium.org
Status: Assigned (was: Available)
