<a href="http://www.google.com/apps/" class="urlextern" title="http://www.google.com/apps/" rel="nofollow">Google Apps</a> can use <abbr title="Security Assertion Markup Language">SAML</abbr> to authenticate users, acting as a <abbr title="Security Assertion Markup Language">SAML</abbr> service provider, as explained <a href="http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html" class="urlextern" title="http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html" rel="nofollow">here</a>.
</p>
<p>
To work with <abbr title="LemonLDAP::NG">LL::NG</abbr>, it requires:
</p>
<ul>
<li class="level1"><div class="li"> An <a href="http://www.google.com/apps/intl/en/business/index.html" class="urlextern" title="http://www.google.com/apps/intl/en/business/index.html" rel="nofollow">enterprise Google Apps account</a></div>
</li>
<li class="level1"><div class="li"> <abbr title="LemonLDAP::NG">LL::NG</abbr> configured as a <a href="../idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML Identity Provider</a></div>
</li>
<li class="level1"><div class="li"> Users registered on Google Apps with the same email as the one used by <abbr title="LemonLDAP::NG">LL::NG</abbr> (the email is the NameID exchanged between Google Apps and <abbr title="LemonLDAP::NG">LL::NG</abbr>)</div>
</li>
</ul>
<h3 class="sectionedit4" id="google_apps_control_panel">Google Apps control panel</h3>
<div class="level3">
<div class="noteclassic">This part is based on the <a href="http://simplesamlphp.org/docs/1.6/simplesamlphp-googleapps" class="urlextern" title="http://simplesamlphp.org/docs/1.6/simplesamlphp-googleapps" rel="nofollow">SimpleSAMLphp documentation</a>.
</div>
<p>
As administrator, go to the Google Apps control panel and click on Advanced tools:
</p>
<ul>
<li class="level1"><div class="li"><strong>Enable Single Sign-On</strong>: check the box. Uncheck it to disable <abbr title="Security Assertion Markup Language">SAML</abbr> authentication (for example, if your Identity Provider is down).</div>
</li>
<li class="level1"><div class="li"><strong>Sign-out page <abbr title="Uniform Resource Locator">URL</abbr></strong>: this is not the SLO endpoint (Google Apps does not support SLO), but the main logout page. Example: <a href="http://auth.example.com/?logout=1" class="urlextern" title="http://auth.example.com/?logout=1" rel="nofollow">http://auth.example.com/?logout=1</a></div>
</li>
<li class="level1"><div class="li"><strong>Change password <abbr title="Uniform Resource Locator">URL</abbr></strong>: where users can change their password. Example: <a href="http://auth.example.com" class="urlextern" title="http://auth.example.com" rel="nofollow">http://auth.example.com</a></div>
</li>
</ul>
<p>
For the certificate, you can build it from the signing private key registered in Manager. Select the key and export it (<code>Download</code> button). This downloads both the public and the private key.
</p>
<p>
Keep the private key in a file, for example <code>lemonldap-ng-priv.key</code>, then use openssl to generate a self-signed certificate:
</p>
<p>
You can now upload the certificate (<code>cert.pem</code>) to Google Apps.
</p>
<div class="notetip">You can also use the certificate instead of the public key in <abbr title="Security Assertion Markup Language">SAML</abbr> metadata, see <a href="../samlservice.html#security_parameters" class="wikilink1" title="documentation:2.0:samlservice">SAML service configuration</a>.
</div>
</div>
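The certificate step above, as an added example that is not part of the LemonLDAP::NG documentation: a self-signed certificate is produced from the exported signing key with openssl, and the public key embedded in the certificate is compared with the one derived from the private key, so a wrong file is caught before it is uploaded to Google Apps. The subject CN (auth.example.com) and the throwaway demo key are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the LemonLDAP::NG docs: build a self-signed X.509
# certificate from an existing signing private key with openssl, then check
# that the certificate really carries the public half of that key before
# uploading it to Google Apps. The subject CN is an assumed value.
set -e

# Constructed stand-in for the private key exported from Manager: a fresh
# RSA key written to $1 (in real use, $1 is lemonldap-ng-priv.key).
make_demo_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# Self-sign: "openssl req -x509" with -key emits a certificate, not a CSR.
# $1 = private key, $2 = output certificate, $3 = validity in days.
make_self_signed_cert() {
  openssl req -new -x509 -key "$1" -out "$2" -days "${3:-3650}" \
    -subj "/CN=auth.example.com" 2>/dev/null
}

# Compare the public key inside the certificate with the public key derived
# from the private key; on a mismatch Google Apps would reject every signed
# response, because it verifies signatures with the uploaded certificate.
cert_matches_key() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

main() {
  work=$(mktemp -d)
  make_demo_key "$work/lemonldap-ng-priv.key"
  make_self_signed_cert "$work/lemonldap-ng-priv.key" "$work/cert.pem" 3650
  if cert_matches_key "$work/lemonldap-ng-priv.key" "$work/cert.pem"; then
    echo "cert.pem matches the signing key; ready to upload"
    openssl x509 -in "$work/cert.pem" -noout -subject -dates
  else
    echo "cert.pem does NOT match the signing key" >&2
  fi
  rm -rf "$work"
}

main
```

Replace the demo key with the key exported from Manager and keep the private key out of the upload; only <code>cert.pem</code> goes to Google Apps.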
<h3 class="sectionedit6" id="new_service_provider">New Service Provider</h3>
<div class="level3">
<p>
You should have configured <abbr title="LemonLDAP::NG">LL::NG</abbr> as a <a href="../idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML Identity Provider</a>,
</p>
<p>
Now we will add Google Apps as a new <abbr title="Security Assertion Markup Language">SAML</abbr> Service Provider:
</p>
<ol>
<li class="level1"><div class="li"> In Manager, click on <abbr title="Security Assertion Markup Language">SAML</abbr> service providers, then on the <code>New service provider</code> button.</div>
</li>
<li class="level1"><div class="li"> Set GoogleApps as the Service Provider name.</div>
</li>
<li class="level1"><div class="li"> Set <code>Email</code> in <code>Options</code> » <code>Authentication Response</code> » <code>Default NameID format</code></div>
</li>
<li class="level1"><div class="li"> Disable all signature flags in <code>Options</code> » <code>Signature</code>, except <code>Sign <abbr title="Single Sign On">SSO</abbr> message</code>, which should be set to <code>On</code></div>
</li>
<li class="level1"><div class="li"> Select <code>Metadata</code>, and unprotect the field to paste the following value:</div>
</li>
</ol>
<div class="noteimportant">Change <strong>mydomain.org</strong> (in the <code>AssertionConsumerService</code> markup, parameter <code>Location</code>) to your Google Apps domain. Also adapt the entityID so that it matches the Assertion issuer: google.com/a/mydomain.org
</div>
<p>
You can add a link in the <a href="../portalmenu.html#categories_and_applications" class="wikilink1" title="documentation:2.0:portalmenu">application menu</a> to display Google Apps to users.
</p>
<p>
You need to adapt some parameters:
</p>
<ul>
<li class="level1"><div class="li"><strong>Address</strong>: set one of the Google Apps <abbr title="Uniform Resource Locator">URL</abbr>s (each Google Apps product has a distinct <abbr title="Uniform Resource Locator">URL</abbr>), for example <a href="http://www.google.com/calendar/hosted/mydomain.org/render" class="urlextern" title="http://www.google.com/calendar/hosted/mydomain.org/render" rel="nofollow">http://www.google.com/calendar/hosted/mydomain.org/render</a></div>
</li>
<li class="level1"><div class="li"><strong>Display</strong>: as Google Apps is not a protected application, set it to <code>On</code> so that it is always displayed</div>
</li>
</ul>
<div class="noteimportant">Change <strong>mydomain.org</strong> to your Google Apps domain
</div>
<p>
Google Apps has a configuration parameter to redirect the user to a specific <abbr title="Uniform Resource Locator">URL</abbr> after Google Apps logout (see <a href="#google_apps_control_panel" title="documentation:2.0:applications:googleapps" class="wikilink1">Google Apps control panel</a>).
</p>
<p>
To manage the other way (<abbr title="LemonLDAP::NG">LL::NG</abbr> → Google Apps), you can add a dedicated <a href="../logoutforward.html" class="wikilink1" title="documentation:2.0:logoutforward">logout forward rule</a>: