Using Chrome device signals
The adapter inspects a specific request header to determine whether the request originates from a Google Chrome Enterprise managed browser. Only when that header is present does it initiate its flow to retrieve device signals from the browser.
For requests originating from non-Chrome browsers, from Chrome browsers that are not managed, or from a Chrome incognito window, the adapter returns immediately with a status of SUCCESS and a single core contract attribute, deviceTrustEnabled, set to false.
The authentication policy should typically use the deviceTrustEnabled contract attribute to decide whether to step up the authentication flow with multi-factor authentication (MFA).
For requests originating from managed Chrome browsers, the adapter initiates the flow described in Overview of the SSO flow to retrieve device signals. The adapter completes the flow successfully if the request originates from a managed browser and the adapter can retrieve device signals for the Google Cloud Platform account it is configured to use. Depending on which attributes are present in the device signals, the adapter fulfills several core contract attributes, such as:
- browserVersion
- displayName
- hostname
- macAddresses
- operatingSystem
The core contract attribute deviceTrustEnabled is always set to true after a successful flow.
If a request originates from a managed browser that does not correspond to the account set up in the adapter, the adapter cannot retrieve device signals and fails the authentication flow completely. Runtime errors, such as network errors or timeouts when invoking Google APIs, and other unexpected errors also cause the adapter to fail the authentication flow.
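The outcomes described above, modelled as an added example in Python. This is not PingFederate's or Google's code: the header name X-Device-Trust, the fetch_signals callable, the account identifiers and the sample signals are assumptions constructed for the example, because the page does not name the real header or API. The example shows the three adapter outcomes (unmanaged request, managed request for the configured account, managed request for a different account or a runtime error) and a policy function that steps up to MFA whenever deviceTrustEnabled is not true.

```python
"""Model of the Chrome device-signals adapter outcome and a step-up policy.

Added example, not PingFederate's or Google's code. The header name, the
signal source callable and the account ids are placeholders for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# ASSUMPTION: the page says the adapter keys off "a specific request header"
# but does not name it; this name exists only for the example.
DEVICE_TRUST_HEADER = "X-Device-Trust"

# Device-signal fields the adapter maps to core contract attributes (per the page).
SIGNAL_ATTRIBUTES = ("browserVersion", "displayName", "hostname",
                     "macAddresses", "operatingSystem")


class AdapterFailure(Exception):
    """Raised when the adapter fails the authentication flow completely."""


@dataclass
class AdapterResult:
    status: str
    contract: Dict[str, object] = field(default_factory=dict)


def run_adapter(headers: Dict[str, str],
                fetch_signals: Callable[[str], Optional[dict]],
                configured_account: str) -> AdapterResult:
    """Return the adapter outcome for one request, or raise AdapterFailure.

    fetch_signals(account) stands in for the Google API call: it returns a
    dict of device signals, None when the browser is managed by a different
    account, and raises on network errors or timeouts.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if DEVICE_TRUST_HEADER.lower() not in lowered:
        # Non-Chrome, unmanaged Chrome, or incognito: SUCCESS with trust=false.
        return AdapterResult("SUCCESS", {"deviceTrustEnabled": False})
    try:
        signals = fetch_signals(configured_account)
    except Exception as exc:  # timeouts and other runtime errors fail the flow
        raise AdapterFailure(f"device signal retrieval failed: {exc}") from exc
    if signals is None:
        raise AdapterFailure("managed browser does not belong to the configured account")
    contract: Dict[str, object] = {"deviceTrustEnabled": True}
    # Only the attributes actually present in the signals are fulfilled.
    for name in SIGNAL_ATTRIBUTES:
        if name in signals:
            contract[name] = signals[name]
    return AdapterResult("SUCCESS", contract)


def required_factors(result: AdapterResult) -> list:
    """Policy: trusted device -> HTML Form only; otherwise HTML Form then MFA."""
    if result.contract.get("deviceTrustEnabled") is True:
        return ["HTML Form"]
    return ["HTML Form", "MFA"]


def decide(headers, fetch_signals, configured_account) -> Optional[list]:
    """Run adapter then policy; None means the adapter failed the flow."""
    try:
        return required_factors(run_adapter(headers, fetch_signals, configured_account))
    except AdapterFailure:
        return None


def make_fake_signal_source(browser_account: str, signals: dict, fail: bool = False):
    """Constructed stand-in for the Google API: simulates one managed browser."""
    def fetch(account: str) -> Optional[dict]:
        if fail:
            raise TimeoutError("Google API call timed out")
        return signals if account == browser_account else None
    return fetch


if __name__ == "__main__":
    # Constructed sample signals; serialNumber is deliberately not a core attribute.
    sig = make_fake_signal_source("acct-A", {"hostname": "lt-01",
                                             "operatingSystem": "macOS",
                                             "serialNumber": "ignored"})
    managed = {DEVICE_TRUST_HEADER: "present"}
    print("unmanaged:", decide({"User-Agent": "Firefox"}, sig, "acct-A"))
    print("managed, right account:", decide(managed, sig, "acct-A"))
    print("managed, other account:", decide(managed, sig, "acct-B"))
    print("timeout:", decide(managed, make_fake_signal_source("acct-A", {}, fail=True), "acct-A"))
```

Note that decide returns None, not a reduced factor list, for the account-mismatch and timeout cases: the page states that the adapter fails the flow completely in those cases, so a policy should not treat them as an ordinary untrusted device unless it is explicitly configured to handle the failure branch.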
You can configure the authentication policy to handle these cases. For example, the following policy configuration shows a typical use case in which a request from a trusted device undergoes HTML Form adapter authentication only, while a request from an untrusted device undergoes HTML Form adapter authentication as the first factor, followed by MFA as the second factor.