How does the browser extension identify accounts?

The browser extension works in two modes:

  1. Users must log in to 1Password SaaS Manager.
  2. Users can be identified by other means.

All possible methods of identifying accounts are enabled when you first turn on the browser extension. You can do this under Settings > Browser extension.

If you want to restrict access so that accounts must explicitly log in to SaaS Manager (option 1, above), turn the Browser identity, authentication links and Windows identity switches off (Settings > Browser extension > User identification).

Forcing users to log in to SaaS Manager can be impractical if you are deploying the extension at any scale, so SaaS Manager offers a number of other ways to identify users:

| Method | Advantages | Disadvantages |
| --- | --- | --- |
| Direct login | Guarantees the activity data is from the user. | Each user must log in to SaaS Manager on each browser they use, once the extension is installed. SAML2 SSO can help with this as SaaS Manager can provision new user accounts the first time a user logs in. |
| Authentication links | Simple to deploy: SaaS Manager workflows can send users a link which prompts them to install the extension if required, and then logs them in automatically. This works especially well for Safari due to the way Safari extensions are installed. | Users might overlook the email. The link will open in their default browser. To install on other browsers the user would have to cut and paste the link to each one. |
| Browser login | Chrome and Edge allow users to log in to their browsers using their work Google or Microsoft accounts respectively. You can enforce this when deploying Chrome and Edge. Edge also supports something called ImplicitSignin. The browser extension can detect the email address used and identify the user from this. | Enforcing this policy will work at best for one browser (Chrome or Edge, depending on whether your organization uses Google Workspace or Microsoft 365). Employees likely use a mixture of Edge, Chrome and Firefox so coverage will be reduced. |
| Browser helper | Once deployed, the user will be identified automatically regardless of whether they use Chrome, Edge or Firefox. | Typically needs centralized deployment via a macOS or Windows endpoint management tool like Intune or JAMF. |

Recommendations

| | Mostly Windows | Mostly macOS |
| --- | --- | --- |
| Google Workspace | Browser helper or Browser login | Browser helper or Browser login |
| Microsoft 365 | Browser helper | Browser helper |
| Other | Browser helper | Browser helper |

If you don't use an endpoint management tool capable of pushing software to users' machines then we recommend Authentication links instead of the Browser helper. 

In what order does the browser extension identify users?

The browser extension tries various methods to identify a user. These are followed in a priority order:

  1. If you are already logged in to SaaS Manager, the extension will recognize this.
  2. If the Browser helper is installed, then information from this will be used:
    1. If the operating system user name matches a SaaS Manager person's email (or the first part of the email for one of your domains), e.g. jane.doe as the OS user would match a person with the email jane.doe@example.com if example.com is a domain shown under Settings > Organizations > Domains.
    2. If the device serial number matches a device in SaaS Manager linked to a person.
  3. Authentication links include an encoded identity for a user and if the extension sees one of these it will be used to recognize the user.
  4. If you are logged in to Chrome or Edge, and if your email address matches a SaaS Manager person, then this will be used.
  5. If none of the above work, the user will be prompted to log in to SaaS Manager.
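
The priority order above, modelled as an added example (this is not SaaS Manager's own code). It returns which signal identified the user, so you can see how much of your coverage rests on the OS user name or device serial rather than a login. The function names, the `signals` fields, the sample directory, case-insensitive matching, an already-decoded authentication-link identity, and treating an ambiguous OS user name as no match are all assumptions.

```javascript
// Added illustration; every name below is hypothetical, sample data is constructed.
const directory = {
  domains: ["example.com"],                                 // Settings > Organizations > Domains
  people: ["jane.doe@example.com", "sam@example.com"],
  devices: new Map([["C02XSERIAL1", "sam@example.com"]]),   // serial -> linked person
};

function findPerson(dir, email) {
  const wanted = String(email || "").toLowerCase();         // assumption: case-insensitive match
  return dir.people.find((p) => p.toLowerCase() === wanted) || null;
}

// Step 2.1: the OS user name is a full email, or the first part of one for an org domain.
function matchOsUser(dir, osUser) {
  if (!osUser) return null;
  if (osUser.includes("@")) return findPerson(dir, osUser);
  const hits = dir.domains.map((d) => findPerson(dir, `${osUser}@${d}`)).filter(Boolean);
  return hits.length === 1 ? hits[0] : null;                // assumption: ambiguous => no match
}

// Walk the documented order and report which signal identified the user.
function resolveIdentity(dir, signals) {
  const helper = signals.helper || {};
  const steps = [
    ["direct-login", () => findPerson(dir, signals.sessionEmail)],
    ["helper-os-user", () => matchOsUser(dir, helper.osUser)],
    ["helper-device-serial", () => dir.devices.get(helper.serial) || null],
    ["authentication-link", () => findPerson(dir, signals.authLinkEmail)], // assumed already decoded
    ["browser-login", () => findPerson(dir, signals.browserProfileEmail)],
  ];
  for (const [method, probe] of steps) {
    const person = probe();
    if (person) return { person, method };
  }
  return { person: null, method: "prompt-login" };          // step 5
}

console.log(resolveIdentity(directory, {
  helper: { osUser: "jane.doe", serial: "C02XSERIAL1" },
  browserProfileEmail: "sam@example.com",
}));
```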

Direct login

The extension detects when someone logs in to SaaS Manager in their browser. You can also log in directly from the extension. We recommend using SAML2 SSO if users are logging in since it will automatically create SaaS Manager accounts if needed. 

Authentication links

You can add links to emails from SaaS Manager workflows which, when clicked, will guide the user to install the extension (if not yet installed) and then automatically log the user in.

1. Configure a workflow:

2. The user receives the email with a link to get started with the SaaS Manager browser extension.

3. The link prompts them to install the extension (only if it's not yet installed).

4. After they install the extension, a confirmation message is shown.

5. The extension is now automatically linked to their identity.

Browser login

If users are logged in to their browser (e.g. Chrome for Google Workspace, or Edge for Microsoft 365) then SaaS Manager can identify the user. They must be logged in with their work email address, using a domain linked to your SaaS Manager organization.

Google and Microsoft let you define centralized policies for Chrome and Edge to require users to log in.

Windows or macOS Browser helper

The Browser helper is deployed to an employee's computer. It reads the user name that they used to log in to Windows or macOS and then passes that through to the SaaS Manager browser extension to identify the user.

As a fallback, it also sends through the device serial number. If this matches a device in SaaS Manager then the user will be assumed to be the owner of this device.

This is similar to ImplicitSignin on Microsoft Edge, but it works for Chrome, Edge and Firefox.

The Safari browser extension automatically implements this, because Safari extensions are wrapped in a macOS executable.

Read more about deploying the browser helper on Windows or macOS.
