Google Apps
Presentation
Google Apps can use SAML to authenticate users, behaving as an SAML service provider, as explained here.
To work with LL::NG it requires:
- LL::NG configured as SAML Identity Provider
- Registered users on Google Apps with the same email than those used by LL::NG (email will be the NameID exchanged between Google Apps and LL::NG)
Configuration
Google Apps control panel
As administrator, go in Google Apps control panel and click on Advanced tools:
Then select Set up single sign-on (SSO):
Now configure all SAML parameters:
- Enable Single Sign-On: check the box. Uncheck it to disable SAML authentication (for example, if your Identity Provider is down).
- Sign-in page URL: SSO access point (HTTP-Redirect binding). Example: http://auth.example.com/saml/singleSignOn
- Sign-out page URL: this in not the SLO access point (Google Apps does not support SLO), but the main logout page. Example: http://auth.example.com/?logout=1
- Change password URL: where users can change their password. Example: http://auth.example.com
Certificate
For the certificate, you can build it from the signing private key registered in Manager. Select the key, and export it (button Download this file):
After choosing the file name (for example lemonldapn-ng-priv.key), download the key on your disk.
Then use openssl to generate an auto-signed certificate:
openssl req -new -key lemonldap-ng-priv.key -out cert.csr openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem
You can now the upload the certificate (cert.pem) on Google Apps.
New Service Provider
You should have configured LL::NG as an SAML Identity Provider,
Now we will add Google Apps as a new SAML Service Provider:
- In Manager, click on SAML service providers and the button
New service provider. - Set GoogleApps as Service Provider name.
- Set
EmailinOptions»Authentication Response»Default NameID format - Disable all signature flags in
Options»Signature, exceptSign SSO messagewhich should be toOn - Select
Metadata, and unprotect the field to paste the following value:
<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"> <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/mydomain.org/acs" index="1" /> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat> </SPSSODescriptor> </md:EntityDescriptor>
AssertionConsumerService markup, parameter Location) into your Google Apps domain. Also adapt your entityID to match the Assertion issuer: google.com/a/mydomain.org
Application menu
You can add a link in application menu to display Google Apps to users.
You need to adapt some parameters:
- Address: set one of Google Apps URL (all Google Apps product a distinct URL), for example http://www.google.com/calendar/hosted/mydomain.org/render
- Display: As Google Apps is not a protected application, set to
Onto always display it
Logout
Google Apps does not support Single Logout (SLO).
Google Apps has a configuration parameter to redirect user on a specific URL after Google Apps logout (see Google Apps control panel).
To manage the other way (LL::NG → Google Apps), you can add a dedicated logout forward rule:
GoogleApps => http://www.google.com/calendar/hosted/mydomain.org/logout