Google Apps can use SAML to authenticate users, behaving as a SAML service provider, as explained here.
To work with LL::NG, it requires LL::NG configured as a SAML Identity Provider, and users registered in LL::NG with an email address that matches their Google Apps account (the email address is what LL::NG sends as NameID).
As administrator, go to the Google Apps control panel and click on Advanced tools, then select Set up single sign-on (SSO).
Now configure all SAML parameters. The verification certificate (the one Google Apps uses to check the signature of LL::NG assertions) needs some preparation:
For the certificate, you can build it from the signing private key registered in Manager. Select the key and export it (button Download). This will download both the public and the private key; the private key is the one LL::NG signs assertions with, so keep the exported copy on a trusted machine and delete it once the certificate is built.
Keep the private key in a file, for example lemonldap-ng-priv.key, then use openssl to generate a self-signed certificate:
openssl req -new -key lemonldap-ng-priv.key -out cert.csr
openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem
You can now upload the certificate (cert.pem) on Google Apps. Only the certificate is uploaded; never paste the private key into the Google Apps control panel.
You should have configured LL::NG as a SAML Identity Provider.
Now we will add Google Apps as a new SAML Service Provider:
- In Manager, click on New service provider (the service provider is called GoogleApps in the logout rule below).
- Set Email in Options » Authentication Response » Default NameID format.
- In Options » Signature, disable the signature flags, except Sign SSO message, which should be set to On.
- Select Metadata, and unprotect the field to paste the following value:
<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/mydomain.org/acs" index="1" />
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </SPSSODescriptor>
</md:EntityDescriptor>
Replace mydomain.org (in the AssertionConsumerService markup, parameter Location) with your Google Apps domain. Also adapt the entityID to match the Assertion issuer: google.com/a/mydomain.org. LL::NG looks up the service provider by the Issuer of the incoming request, so an entityID that does not match it means the request is not recognized as coming from your Google Apps domain.
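The metadata adaptation above, as an added shell example (not part of the LL::NG documentation): one function emits the metadata for a given domain with both values that must be adapted (the AssertionConsumerService Location and the entityID) filled in together, and a second one checks a metadata blob before it is pasted into Manager, so that a forgotten mydomain.org or an entityID left at google.com is caught. The domain names used in the usage line and test are constructed.

```shell
#!/bin/sh
# Added example, not LL::NG's own code. Generates and sanity-checks the
# Google Apps service-provider metadata pasted into the Manager.
set -eu

# google_sp_metadata DOMAIN
# Print the metadata for DOMAIN: ACS Location under the domain, entityID set
# to the assertion issuer form google.com/a/DOMAIN, email NameID format.
google_sp_metadata() {
    cat <<EOF
<md:EntityDescriptor entityID="google.com/a/$1" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/$1/acs" index="1" />
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# check_google_sp_metadata DOMAIN < metadata.xml
# Exit 0 only if the metadata read from stdin is what Google Apps expects for
# DOMAIN: assertions posted to https://www.google.com/a/DOMAIN/acs over
# HTTP-POST, entityID equal to the issuer google.com/a/DOMAIN, and the email
# NameID format (the Manager's Default NameID format must be Email as well).
# Each failed check is reported on stderr.
check_google_sp_metadata() {
    domain="$1"
    md=$(cat)
    acs=$(printf '%s\n' "$md" | sed -n 's/.*<AssertionConsumerService[^>]*Location="\([^"]*\)".*/\1/p' | head -n 1)
    eid=$(printf '%s\n' "$md" | sed -n 's/.*entityID="\([^"]*\)".*/\1/p' | head -n 1)
    [ "$acs" = "https://www.google.com/a/${domain}/acs" ] \
        || { echo "ACS Location is '$acs', expected https://www.google.com/a/${domain}/acs" >&2; return 1; }
    [ "$eid" = "google.com/a/${domain}" ] \
        || { echo "entityID is '$eid', expected google.com/a/${domain}" >&2; return 1; }
    printf '%s\n' "$md" | grep -q 'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"' \
        || { echo "AssertionConsumerService binding is not HTTP-POST" >&2; return 1; }
    printf '%s\n' "$md" | grep -q 'nameid-format:emailAddress' \
        || { echo "NameIDFormat is not emailAddress" >&2; return 1; }
}

# When run directly with a domain, print metadata that passed the checks:
#   sh google_sp_metadata.sh example.org > google-sp-metadata.xml
if [ $# -ge 1 ]; then
    google_sp_metadata "$1" | check_google_sp_metadata "$1" && google_sp_metadata "$1"
fi
```

Pipe whatever you are about to paste through check_google_sp_metadata with your real domain; the unadapted value from this page fails it on the entityID, which is exactly the mistake the paragraph above warns about.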
You can add a link in the application menu to display Google Apps to users.
You need to adapt some parameters: set Display to On to always display it.
Google Apps does not support Single Logout (SLO), so logging out of one side does not end the session on the other side unless the redirects below are configured; an LL::NG SSO session stays valid after a plain Google Apps logout.
Google Apps has a configuration parameter to redirect users to a specific URL after Google Apps logout (see the Google Apps control panel); point it at the LL::NG logout URL so that the LL::NG session is closed too.
To manage the other direction (LL::NG → Google Apps), you can add a dedicated logout forward rule:
GoogleApps => http://www.google.com/calendar/hosted/mydomain.org/logout