SAML, G-Suite, Mobile Devices

Looks like I leapt before understanding the full implications of integrating SAML.

Users’ mail access, configured on their iPhones/iPads post implementation, no longer works. This is, of course, related to SSO where UCS is the primary mechanism for authentication.

My current thought is to have the devices run VPN back into the environment for SSO auth for access to the G-Suite services.

Has anyone else handled this differently? If so, how?

Did you encounter any other ‘gotchas’ when implementing SSO via SAML that aren’t covered in the current document set?