Build a Chrome SSO Extension (2026)
Enterprise single sign-on (SSO) integration with Chrome extensions represents a critical capability for organizations managing multiple SaaS applications. This guide walks through the technical implementation of Chrome SSO extensions, covering authentication protocols, session management, and practical deployment strategies for development teams.
Understanding Enterprise SSO Requirements
Modern enterprises typically run dozens of SaaS applications, each requiring separate authentication. Chrome extensions that handle SSO must support multiple identity providers (IdPs) while maintaining security compliance. The most common protocols you’ll encounter are SAML 2.0, OAuth 2.0, and OpenID Connect (OIDC).
For Chrome extensions, the authentication flow typically involves:
- Detecting unauthenticated requests to enterprise domains
- Redirecting to the configured identity provider
- Handling the token or assertion response
- Injecting session credentials into browser requests
Understanding which protocol your organization uses shapes the entire architecture of your extension. SAML dominates in legacy enterprise environments and large corporations with on-premises Active Directory. OAuth 2.0 and OIDC are the standard for modern cloud-native SaaS tools. Many enterprises run a hybrid, with older internal tools still relying on SAML while newer applications use OIDC through a provider like Okta or Azure AD.
Protocol Comparison Table
| Protocol | Token Format | Best For | Chrome Extension Complexity |
|---|---|---|---|
| SAML 2.0 | XML assertion | Legacy enterprise, AD-integrated apps | High. requires XML parsing |
| OAuth 2.0 | Opaque token | API access delegation | Medium. standard flow |
| OIDC | JWT (id_token) | Modern apps, user identity | Low-Medium. well-supported |
Knowing your protocol upfront saves significant debugging time. SAML in particular requires your content scripts to intercept and auto-submit HTML forms, which is a meaningfully different implementation path than OIDC token exchange.
Architecture Patterns for Chrome SSO Extensions
Manifest V3 Implementation
Modern Chrome extensions use Manifest V3, which requires service workers for background processing. Here’s a practical structure for your extension’s authentication module:
// background/auth-manager.js
class EnterpriseAuthManager {
constructor(config) {
this.idpConfig = config.idp;
this.sessionStore = new SessionStore();
}
async handleAuthRequest(details) {
const domain = new URL(details.url).hostname;
const session = await this.sessionStore.get(domain);
if (session && !this.isSessionExpired(session)) {
return this.injectCredentials(details, session);
}
return this.initiateSSOFlow(domain, details.tabId);
}
async initiateSSOFlow(domain, tabId) {
const idpUrl = this.buildAuthUrl(domain);
await chrome.tabs.update(tabId, { url: idpUrl });
return { cancel: true };
}
buildAuthUrl(domain) {
const clientId = this.idpConfig.clientId;
const redirectUri = chrome.identity.getRedirectURL();
const authUrl = new URL(this.idpConfig.authorizationEndpoint);
authUrl.searchParams.set('client_id', clientId);
authUrl.searchParams.set('redirect_uri', redirectUri);
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('scope', 'openid profile email');
authUrl.searchParams.set('state', this.generateState(domain));
return authUrl.toString();
}
}
One critical Manifest V3 gotcha: service workers terminate after a short idle period. If your SSO flow involves multi-step redirects that take longer than a few seconds, you need to keep the service worker alive using chrome.alarms or by persisting state to chrome.storage before each async step. Don’t assume the service worker will survive the full OAuth round trip.
Managing Multiple Identity Providers
Enterprise environments often use different IdPs for different application suites. A solid extension handles this through domain-to-IdP mapping:
// config/domain-mapping.json
{
"domainMappings": {
"*.google.com": {
"idp": "google-workspace",
"protocol": "oauth2"
},
"*.okta.com": {
"idp": "okta",
"protocol": "saml"
},
"*.azure.com": {
"idp": "azure-ad",
"protocol": "oidc"
}
}
}
This configuration allows your extension to route authentication requests to the appropriate provider based on the target domain.
For larger organizations with hundreds of internal domains, consider fetching this mapping from a centrally managed endpoint rather than baking it into the extension bundle. This lets your security team update the IdP routing without requiring users to update the extension.
async function fetchDomainMappings() {
const res = await fetch('https://internal.example.com/sso/domain-map.json', {
headers: { 'Authorization': `Bearer ${await getServiceToken()}` }
});
const data = await res.json();
await chrome.storage.local.set({ domainMappings: data });
}
Schedule this fetch on extension startup and periodically via chrome.alarms to keep routing fresh.
Session Management Strategies
Effective session management balances security with user experience. Chrome extensions should implement token refresh logic and secure storage.
Token Storage with chrome.storage
Never store tokens in localStorage or chrome.storage.local without encryption. Use chrome.storage.session for sensitive tokens that should clear when the browser closes:
// background/token-manager.js
class TokenManager {
constructor(encryptionKey) {
this.encryptionKey = encryptionKey;
}
async storeTokens(domain, tokens) {
const encrypted = await this.encrypt({
accessToken: tokens.access_token,
refreshToken: tokens.refresh_token,
expiresAt: Date.now() + (tokens.expires_in * 1000)
});
await chrome.storage.session.set({ [domain]: encrypted });
}
async getValidToken(domain) {
const stored = await chrome.storage.session.get(domain);
if (!stored[domain]) return null;
const tokens = await this.decrypt(stored[domain]);
if (this.isTokenExpired(tokens)) {
return this.refreshToken(domain, tokens.refreshToken);
}
return tokens.accessToken;
}
isTokenExpired(tokens) {
return Date.now() >= tokens.expiresAt - 60000; // 60s buffer
}
}
Implementing Silent Token Refresh
For a smooth user experience, implement background token refresh before tokens expire. Proactive refresh avoids users hitting authentication walls mid-session:
async function scheduleTokenRefresh(domain, expiresAt) {
const refreshAt = expiresAt - 120000; // 2 minutes before expiry
const delay = Math.max(refreshAt - Date.now(), 0);
setTimeout(async () => {
const tokenManager = new TokenManager(await getEncryptionKey());
await tokenManager.refreshToken(domain);
}, delay);
}
This is particularly valuable for enterprise users running long-lived sessions across multiple SaaS tools throughout the day.
Handling SAML Assertions
SAML remains prevalent in enterprise environments. Chrome extensions can handle SAML authentication using a combination of content scripts and background processing:
// content-scripts/saml-handler.js
function extractSAMLResponse(form) {
const samlResponseInput = form.querySelector('input[name="SAMLResponse"]');
if (!samlResponseInput) return null;
return samlResponseInput.value;
}
function injectAutoSubmitForm(samlResponse, assertionConsumerUrl) {
const form = document.createElement('form');
form.method = 'POST';
form.action = assertionConsumerUrl;
const input = document.createElement('input');
input.type = 'hidden';
input.name = 'SAMLResponse';
input.value = samlResponse;
form.appendChild(input);
document.body.appendChild(form);
form.submit();
}
// Listen for messages from background script
chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
if (message.type === 'SAML_RESPONSE') {
injectAutoSubmitForm(message.samlResponse, message.acsUrl);
}
});
A common SAML pitfall in Chrome extensions: the IdP often redirects back to the SP’s Assertion Consumer Service URL, which your extension’s declarativeNetRequest rules might inadvertently intercept again. Add your ACS URLs to an explicit passthrough allowlist in your request filter rules so you don’t create an infinite redirect loop.
Security Considerations
When implementing Chrome SSO extensions for enterprise use, prioritize these security measures:
Certificate Pinning: Verify that your IdP’s TLS certificates match expected fingerprints before accepting authentication responses.
State Parameter Validation: Always validate the state parameter returned in OAuth/OIDC flows to prevent CSRF attacks:
async function validateState(state, domain) {
const storedState = await chrome.storage.session.get(`state_${domain}`);
if (storedState[`state_${domain}`] !== state) {
throw new Error('State parameter mismatch - possible CSRF attack');
}
await chrome.storage.session.remove(`state_${domain}`);
}
Content Security Policy: Your extension’s manifest should restrict script sources to prevent injection attacks. Avoid using unsafe-eval and only permit scripts from your trusted domains.
Minimal Permission Scope: Request only the OAuth scopes your extension genuinely requires. Many enterprise SSO implementations get approved based on security reviews, and scope creep is a common rejection point. Start with openid profile email and add application-specific scopes only when needed.
Audit Logging: Enterprise security teams often require audit trails. Log authentication events. logins, token refreshes, failures. to a centralized endpoint so the security team can monitor for anomalies:
async function logAuthEvent(event) {
await fetch('https://internal.example.com/sso/audit', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
timestamp: new Date().toISOString(),
userId: event.userId,
domain: event.domain,
action: event.action,
result: event.result
})
});
}
Deployment and Distribution
Enterprise Chrome extension distribution typically uses one of three methods:
- Chrome Enterprise: Deploy through Google Admin Console with forced installation
- Chromebook Management: Configure extensions for managed Chrome OS devices
- Group Policy: Use Chrome policies for Windows AD-managed devices
For development teams building internal extensions, consider implementing update checks that point to your internal servers rather than the Chrome Web Store. This allows controlled rollouts and emergency rollbacks.
Using the update_url manifest field with an internal XML update manifest keeps your extension off the public Chrome Web Store entirely, which many enterprise security teams require:
{
"update_url": "https://internal.example.com/extensions/updates.xml"
}
The update manifest XML format is straightforward and well-documented by Google. Hosting it internally means you control exactly when and to which devices updates are pushed, which is essential for passing change management processes.
Practical Example: Okta Integration
Here’s a complete flow for integrating with Okta as your identity provider:
// background/okta-integration.js
class OktaSSOExtension {
constructor() {
this.oktaDomain = 'your-domain.okta.com';
this.clientId = 'your-client-id';
}
getAuthorizationUrl() {
const redirectUri = chrome.identity.getRedirectURL();
const params = new URLSearchParams({
client_id: this.clientId,
response_type: 'code',
scope: 'openid profile email groups',
redirect_uri: redirectUri,
state: this.generateSecureState()
});
return `https://${this.oktaDomain}/oauth2/v1/authorize?${params}`;
}
async exchangeCodeForTokens(code) {
const response = await fetch(`https://${this.oktaDomain}/oauth2/v1/token`, {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: new URLSearchParams({
grant_type: 'authorization_code',
code: code,
redirect_uri: chrome.identity.getRedirectURL(),
client_id: this.clientId
})
});
return response.json();
}
}
When registering this extension in the Okta Admin Console, set the redirect URI to the value returned by chrome.identity.getRedirectURL(). it follows the format https://<extension-id>.chromiumapp.org/. Many teams waste hours debugging 400 errors because the registered redirect URI in Okta doesn’t match exactly, including trailing slashes.
Testing Your Enterprise SSO Extension
Testing SSO flows end-to-end requires a few setup steps that are easy to overlook. Use a dedicated test tenant with your IdP rather than production credentials during development. Most enterprise IdPs offer developer sandboxes.
For automated testing, the Playwright chromium.launchPersistentContext method lets you load your unpacked extension and drive authentication flows in headless mode:
const { chromium } = require('playwright');
const context = await chromium.launchPersistentContext('/tmp/test-profile', {
headless: false,
args: [
'--disable-extensions-except=/path/to/your/extension',
'--load-extension=/path/to/your/extension'
]
});
This approach lets you write integration tests that simulate the full browser SSO flow without mocking out critical authentication steps, giving you confidence that the extension behaves correctly in the actual enterprise environment.
Chrome SSO extension implementation requires careful attention to authentication protocols, secure token management, and enterprise deployment requirements. By following the patterns in this guide, developers can build extensions that integrate smoothly with common enterprise identity providers while maintaining security compliance.
Try it: Paste your error into our Error Diagnostic for an instant fix.
Related Reading
- Chrome Enterprise Context-Aware Access: Implementation Guide
- Chrome Enterprise Password Manager Policy: A Practical Guide for Developers
- Chrome New Tab Page Enterprise Customization: A Practical Guide for Developers
Built by theluckystrike. More at zovo.one
Find the right skill → Browse 155+ skills in our Skill Finder.
Configure permissions → Build your settings with our Permission Configurator.