
SecureAuth compatibility with Google Apps ForceAuthn changes

This article discusses SecureAuth compatibility with the recently announced Google Apps "ForceAuthn" changes.

Discussion

Summary of Changes

Google Apps customers have the option to run their own ID provider and use SAML for authentication. Google acts as a SAML Relying Party (RP) in this case. When sending a SAML authentication request to the ID provider, the Relying Party has the option to ask the ID provider to authenticate the user, even if there is an active session and the user could be authenticated passively. This is requested using the ForceAuthn attribute in the request. Currently Google always sends ForceAuthn set to false; it never requests forced authentication.

Google is gradually rolling out a change where it will start setting ForceAuthn to true in some cases. Currently there are two cases when forced authentication will be required:

  1. If the Google Apps session has expired.

  2. If re-authentication is needed.
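The check an ID provider makes on an incoming request can be sketched as follows. This is an added example, not SecureAuth or Google code; it assumes the HTTP-Redirect binding (base64 plus raw DEFLATE) and a SAMLRequest value that is already URL-decoded, and the function names, size cap and sample request are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_XML_BYTES = 64 * 1024  # assumed cap on the inflated request size


def decode_redirect_request(saml_request):
    """Undo the HTTP-Redirect binding encoding: base64, then raw DEFLATE."""
    raw = base64.b64decode(saml_request, validate=True)
    inflater = zlib.decompressobj(-15)  # -15 = raw DEFLATE, no zlib header
    xml = inflater.decompress(raw, MAX_XML_BYTES)
    if inflater.unconsumed_tail:  # more output was pending: oversized request
        raise ValueError("AuthnRequest exceeds size cap")
    return xml


def force_authn_requested(xml):
    """Return True when the AuthnRequest carries ForceAuthn="true" or "1"."""
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTDs are not allowed in SAML messages")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    # ForceAuthn is an optional xs:boolean; when absent it defaults to false.
    value = root.get("ForceAuthn", "false").strip()
    if value not in ("true", "false", "1", "0"):
        raise ValueError(f"invalid ForceAuthn value: {value!r}")
    return value in ("true", "1")


def must_reauthenticate(xml, has_active_session):
    """Prompt the user unless a session exists and ForceAuthn is off."""
    return force_authn_requested(xml) or not has_active_session


def sample_request(force_authn=None):
    """Constructed SAMLRequest value, encoded the way an RP would send it."""
    attr = "" if force_authn is None else f' ForceAuthn="{force_authn}"'
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_constructed1" '
           f'Version="2.0" IssueInstant="2014-05-01T00:00:00Z"{attr}/>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()
```

With an active session, `must_reauthenticate` returns False for a request without ForceAuthn and True once the RP sets it, which is the behaviour change described above.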

How it affects SecureAuth IdP

Most of the entities which use SecureAuth IdP to authenticate users to Google Apps Mail, Drive, or Calendar will not be affected by this change from Google.

Which solutions will be affected?

Google Apps administrators who use SecureAuth IdP to log in to either the Dashboard (https://www.google.com/settings/dashboard) or Apps Passwords (https://security.google.com/settings/security/apppasswords?pli=1) may be affected if they meet BOTH of the following conditions:

  1. You are running SecureAuth 7.4.3 or earlier

  2. You have configured a user authentication method like 2-factor or username + password (IWA users are not affected)

Level of impact

This is not a "stop of business" type impact. Users who need to access Dashboard or Apps Passwords using SecureAuth IdP 7.4.3 or earlier will be asked by SecureAuth to authenticate twice. Once the user goes through 2 cycles of authentication, the requested Google resource will be displayed.

Resolution

The fix (removal of the 2 cycles of user authentication) has already been applied to SecureAuth IdP 7.5 and above. SecureAuth 7.5 was released in May 2014 and is available now. Please contact SecureAuth support at +1 949 777 6959 Option 2 to schedule an upgrade.