235 lines
14 KiB
HTML
235 lines
14 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en" dir="ltr">
|
|
<head>
|
|
<meta charset="utf-8" />
|
|
<title>documentation:2.0:applications:googleapps</title>
|
|
<meta name="generator" content="DokuWiki"/>
|
|
<meta name="robots" content="index,follow"/>
|
|
<meta name="keywords" content="documentation,2.0,applications,googleapps"/>
|
|
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
|
|
<link rel="start" href="googleapps.html"/>
|
|
<link rel="contents" href="googleapps.html" title="Sitemap"/>
|
|
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
|
|
<!-- //if:usedebianlibs
|
|
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
|
|
//elsif:useexternallibs
|
|
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
|
|
//elsif:cssminified
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
|
|
//else -->
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
|
|
<!-- //endif -->
|
|
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:googleapps","namespace":"documentation:2.0:applications"};
|
|
/*!]]>*/</script>
|
|
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
|
|
<!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
|
|
//else -->
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
|
|
<!-- //endif -->
|
|
<!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
|
|
//else -->
|
|
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
|
|
<!-- //endif -->
|
|
</head>
|
|
<body>
|
|
<div class="dokuwiki export container">
|
|
<!-- TOC START -->
|
|
<div id="dw__toc">
|
|
<h3 class="toggle">Table of Contents</h3>
|
|
<div>
|
|
|
|
<ul class="toc">
|
|
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
|
|
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
|
|
<ul class="toc">
|
|
<li class="level2"><div class="li"><a href="#google_apps_control_panel">Google Apps control panel</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#certificate">Certificate</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#new_service_provider">New Service Provider</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#application_menu">Application menu</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#logout">Logout</a></div></li>
|
|
</ul></li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
<!-- TOC END -->
|
|
|
|
<h1 class="sectionedit1" id="google_apps">Google Apps</h1>
|
|
<div class="level1">
|
|
|
|
<p>
|
|
<a href="googleapps_logo.png_documentation_2.0_applications_googleapps.html" class="media" title="applications:googleapps_logo.png"><img src="googleapps_logo.png" class="mediacenter" alt="" /></a>
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT1 SECTION "Google Apps" [1-69] -->
|
|
<h2 class="sectionedit2" id="presentation">Presentation</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
<a href="http://www.google.com/apps/" class="urlextern" title="http://www.google.com/apps/" rel="nofollow">Google Apps</a> can use <abbr title="Security Assertion Markup Language">SAML</abbr> to authenticate users, behaving as an <abbr title="Security Assertion Markup Language">SAML</abbr> service provider, as explained <a href="http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html" class="urlextern" title="http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html" rel="nofollow">here</a>.
|
|
</p>
|
|
|
|
<p>
|
|
To work with <abbr title="LemonLDAP::NG">LL::NG</abbr> it requires:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> An <a href="http://www.google.com/apps/intl/en/business/index.html" class="urlextern" title="http://www.google.com/apps/intl/en/business/index.html" rel="nofollow">enterprise Google Apps account</a></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <abbr title="LemonLDAP::NG">LL::NG</abbr> configured as <a href="../idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML Identity Provider</a></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Registered users on Google Apps with the same email than those used by <abbr title="LemonLDAP::NG">LL::NG</abbr> (email will be the NameID exchanged between Google Apps and <abbr title="LemonLDAP::NG">LL::NG</abbr>)</div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div>
|
|
<!-- EDIT2 SECTION "Presentation" [70-660] -->
|
|
<h2 class="sectionedit3" id="configuration">Configuration</h2>
|
|
<div class="level2">
|
|
|
|
</div>
|
|
<!-- EDIT3 SECTION "Configuration" [661-687] -->
|
|
<h3 class="sectionedit4" id="google_apps_control_panel">Google Apps control panel</h3>
|
|
<div class="level3">
|
|
<div class="noteclassic">This part is based on <a href="http://simplesamlphp.org/docs/1.6/simplesamlphp-googleapps" class="urlextern" title="http://simplesamlphp.org/docs/1.6/simplesamlphp-googleapps" rel="nofollow">SimpleSAMLPHP documentation</a>.
|
|
</div>
|
|
<p>
|
|
As administrator, go in Google Apps control panel and click on Advanced tools:
|
|
</p>
|
|
|
|
<p>
|
|
<a href="../documentation/googleapps-menu.png_documentation_2.0_applications_googleapps.html" class="media" title="documentation:googleapps-menu.png"><img src="../documentation/googleapps-menu.png" class="mediacenter" alt="" /></a>
|
|
</p>
|
|
|
|
<p>
|
|
Then select <code>Set up single sign-on (<abbr title="Single Sign On">SSO</abbr>)</code>:
|
|
</p>
|
|
|
|
<p>
|
|
<a href="../documentation/googleapps-sso.png_documentation_2.0_applications_googleapps.html" class="media" title="documentation:googleapps-sso.png"><img src="../documentation/googleapps-sso.png" class="mediacenter" alt="" /></a>
|
|
</p>
|
|
|
|
<p>
|
|
Now configure all <abbr title="Security Assertion Markup Language">SAML</abbr> parameters:
|
|
</p>
|
|
|
|
<p>
|
|
<a href="../documentation/googleapps-ssoconfig.png_documentation_2.0_applications_googleapps.html" class="media" title="documentation:googleapps-ssoconfig.png"><img src="../documentation/googleapps-ssoconfig.png" class="mediacenter" alt="" /></a>
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> <strong>Enable Single Sign-On</strong>: check the box. Uncheck it to disable <abbr title="Security Assertion Markup Language">SAML</abbr> authentication (for example, if your Identity Provider is down).</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Sign-in page <abbr title="Uniform Resource Locator">URL</abbr></strong>: <abbr title="Single Sign On">SSO</abbr> access point (HTTP-Redirect binding). Example: <a href="http://auth.example.com/saml/singleSignOn" class="urlextern" title="http://auth.example.com/saml/singleSignOn" rel="nofollow">http://auth.example.com/saml/singleSignOn</a></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Sign-out page <abbr title="Uniform Resource Locator">URL</abbr></strong>: this in not the SLO access point (Google Apps does not support SLO), but the main logout page. Example: <a href="http://auth.example.com/?logout=1" class="urlextern" title="http://auth.example.com/?logout=1" rel="nofollow">http://auth.example.com/?logout=1</a></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Change password <abbr title="Uniform Resource Locator">URL</abbr></strong>: where users can change their password. Example: <a href="http://auth.example.com" class="urlextern" title="http://auth.example.com" rel="nofollow">http://auth.example.com</a></div>
|
|
</li>
|
|
</ul>
|
|
<div class="noteimportant">You must check the option <code>Use a specific domain transmitter</code> to force Google Apps to send the full entityId.
|
|
</div>
|
|
</div>
|
|
<!-- EDIT4 SECTION "Google Apps control panel" [688-1806] -->
|
|
<h3 class="sectionedit5" id="certificate">Certificate</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
For the certificate, you can build it from the signing private key registered in Manager. Select the key, and export it (button <code>Download</code>). This will download the public and the private key.
|
|
</p>
|
|
|
|
<p>
|
|
Keep the private key in a file, for example lemonldap-ng-priv.key, then use openssl to generate an auto-signed certificate:
|
|
</p>
|
|
<pre class="code">openssl req -new -key lemonldap-ng-priv.key -out cert.csr
|
|
openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem</pre>
|
|
|
|
<p>
|
|
You can now the upload the certificate (<code>cert.pem</code>) on Google Apps.
|
|
</p>
|
|
<div class="notetip">You can also use the certificate instead of public key in <abbr title="Security Assertion Markup Language">SAML</abbr> metadata, see <a href="../samlservice.html#security_parameters" class="wikilink1" title="documentation:2.0:samlservice">SAML service configuration</a>
|
|
</div>
|
|
</div>
|
|
<!-- EDIT5 SECTION "Certificate" [1807-2542] -->
|
|
<h3 class="sectionedit6" id="new_service_provider">New Service Provider</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
You should have configured <abbr title="LemonLDAP::NG">LL::NG</abbr> as an <a href="../idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML Identity Provider</a>,
|
|
</p>
|
|
|
|
<p>
|
|
Now we will add Google Apps as a new <abbr title="Security Assertion Markup Language">SAML</abbr> Service Provider:
|
|
</p>
|
|
<ol>
|
|
<li class="level1"><div class="li"> In Manager, click on <abbr title="Security Assertion Markup Language">SAML</abbr> service providers and the button <code>New service provider</code>.</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Set GoogleApps as Service Provider name.</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Set <code>Email</code> in <code>Options</code> » <code>Authentication Response</code> » <code>Default NameID format</code></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Disable all signature flags in <code>Options</code> » <code>Signature</code>, except <code>Sign <abbr title="Single Sign On">SSO</abbr> message</code> which should be to <code>On</code></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Select <code>Metadata</code>, and unprotect the field to paste the following value:</div>
|
|
</li>
|
|
</ol>
|
|
<pre class="code file xml"><span class="sc3"><span class="re1"><md:EntityDescriptor</span> <span class="re0">entityID</span>=<span class="st0">"google.com"</span> <span class="re0">xmlns</span>=<span class="st0">"urn:oasis:names:tc:SAML:2.0:metadata"</span> <span class="re0">xmlns:ds</span>=<span class="st0">"http://www.w3.org/2000/09/xmldsig#"</span> <span class="re0">xmlns:md</span>=<span class="st0">"urn:oasis:names:tc:SAML:2.0:metadata"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><SPSSODescriptor</span> <span class="re0">protocolSupportEnumeration</span>=<span class="st0">"urn:oasis:names:tc:SAML:2.0:protocol"</span><span class="re2">></span></span>
|
|
<span class="sc3"><span class="re1"><AssertionConsumerService</span> <span class="re0">Binding</span>=<span class="st0">"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"</span> <span class="re0">Location</span>=<span class="st0">"https://www.google.com/a/mydomain.org/acs"</span> <span class="re0">index</span>=<span class="st0">"1"</span> <span class="re2">/></span></span>
|
|
<span class="sc3"><span class="re1"><NameIDFormat<span class="re2">></span></span></span>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress<span class="sc3"><span class="re1"></NameIDFormat<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></SPSSODescriptor<span class="re2">></span></span></span>
|
|
<span class="sc3"><span class="re1"></md:EntityDescriptor<span class="re2">></span></span></span></pre>
|
|
<div class="noteimportant">Change <strong>mydomain.org</strong> (in <code>AssertionConsumerService</code> markup, parameter <code>Location</code>) into your Google Apps domain. Also adapt your entityID to match the Assertion issuer: google.com/a/mydomain.org
|
|
</div>
|
|
</div>
|
|
<!-- EDIT6 SECTION "New Service Provider" [2543-3938] -->
|
|
<h3 class="sectionedit7" id="application_menu">Application menu</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
You can add a link in <a href="../portalmenu.html#categories_and_applications" class="wikilink1" title="documentation:2.0:portalmenu">application menu</a> to display Google Apps to users.
|
|
</p>
|
|
|
|
<p>
|
|
You need to adapt some parameters:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> <strong>Address</strong>: set one of Google Apps <abbr title="Uniform Resource Locator">URL</abbr> (all Google Apps product a distinct <abbr title="Uniform Resource Locator">URL</abbr>), for example <a href="http://www.google.com/calendar/hosted/mydomain.org/render" class="urlextern" title="http://www.google.com/calendar/hosted/mydomain.org/render" rel="nofollow">http://www.google.com/calendar/hosted/mydomain.org/render</a></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Display</strong>: As Google Apps is not a protected application, set to <code>On</code> to always display it</div>
|
|
</li>
|
|
</ul>
|
|
<div class="noteimportant">Change <strong>mydomain.org</strong> into your Google Apps domain
|
|
</div>
|
|
</div>
|
|
<!-- EDIT7 SECTION "Application menu" [3939-4452] -->
|
|
<h3 class="sectionedit8" id="logout">Logout</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
Google Apps does not support Single Logout (SLO).
|
|
</p>
|
|
|
|
<p>
|
|
Google Apps has a configuration parameter to redirect user on a specific <abbr title="Uniform Resource Locator">URL</abbr> after Google Apps logout (see <a href="#google_apps_control_panel" title="documentation:2.0:applications:googleapps ↵" class="wikilink1">Google Apps control panel</a>).
|
|
</p>
|
|
|
|
<p>
|
|
To manage the other way (<abbr title="LemonLDAP::NG">LL::NG</abbr> → Google Apps), you can add a dedicated <a href="../logoutforward.html" class="wikilink1" title="documentation:2.0:logoutforward">logout forward rule</a>:
|
|
</p>
|
|
<pre class="code">GoogleApps => http://www.google.com/calendar/hosted/mydomain.org/logout</pre>
|
|
<div class="noteimportant">Change <strong>mydomain.org</strong> into your Google Apps domain
|
|
</div>
|
|
</div>
|
|
<!-- EDIT8 SECTION "Logout" [4453-] --></div>
|
|
</body>
|
|
</html>
|