dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
bdc68d5833
lemonldap-ng/doc/pages/documentation/current/applications/googleapps.html
Clément OUDOT 12fec2e41a Update documentation
2019-05-12 16:33:56 +02:00

235 lines
14 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:googleapps</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,googleapps"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="googleapps.html"/>
<link rel="contents" href="googleapps.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:googleapps","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#google_apps_control_panel">Google Apps control panel</a></div></li>
<li class="level2"><div class="li"><a href="#certificate">Certificate</a></div></li>
<li class="level2"><div class="li"><a href="#new_service_provider">New Service Provider</a></div></li>
<li class="level2"><div class="li"><a href="#application_menu">Application menu</a></div></li>
<li class="level2"><div class="li"><a href="#logout">Logout</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="google_apps">Google Apps</h1>
<div class="level1">
<p>
<a href="googleapps_logo.png_documentation_2.0_applications_googleapps.html" class="media" title="applications:googleapps_logo.png"><img src="googleapps_logo.png" class="mediacenter" alt="" /></a>
</p>
</div>
<!-- EDIT1 SECTION "Google Apps" [1-69] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
<a href="http://www.google.com/apps/" class="urlextern" title="http://www.google.com/apps/" rel="nofollow">Google Apps</a> can use <abbr title="Security Assertion Markup Language">SAML</abbr> to authenticate users, behaving as an <abbr title="Security Assertion Markup Language">SAML</abbr> service provider, as explained <a href="http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html" class="urlextern" title="http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html" rel="nofollow">here</a>.
</p>
<p>
To work with <abbr title="LemonLDAP::NG">LL::NG</abbr> it requires:
</p>
<ul>
<li class="level1"><div class="li"> An <a href="http://www.google.com/apps/intl/en/business/index.html" class="urlextern" title="http://www.google.com/apps/intl/en/business/index.html" rel="nofollow">enterprise Google Apps account</a></div>
</li>
<li class="level1"><div class="li"> <abbr title="LemonLDAP::NG">LL::NG</abbr> configured as <a href="../idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML Identity Provider</a></div>
</li>
<li class="level1"><div class="li"> Registered users on Google Apps with the same email than those used by <abbr title="LemonLDAP::NG">LL::NG</abbr> (email will be the NameID exchanged between Google Apps and <abbr title="LemonLDAP::NG">LL::NG</abbr>)</div>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "Presentation" [70-660] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Configuration" [661-687] -->
<h3 class="sectionedit4" id="google_apps_control_panel">Google Apps control panel</h3>
<div class="level3">
<div class="noteclassic">This part is based on <a href="http://simplesamlphp.org/docs/1.6/simplesamlphp-googleapps" class="urlextern" title="http://simplesamlphp.org/docs/1.6/simplesamlphp-googleapps" rel="nofollow">SimpleSAMLPHP documentation</a>.
</div>
<p>
As administrator, go in Google Apps control panel and click on Advanced tools:
</p>
<p>
<a href="../documentation/googleapps-menu.png_documentation_2.0_applications_googleapps.html" class="media" title="documentation:googleapps-menu.png"><img src="../documentation/googleapps-menu.png" class="mediacenter" alt="" /></a>
</p>
<p>
Then select <code>Set up single sign-on (<abbr title="Single Sign On">SSO</abbr>)</code>:
</p>
<p>
<a href="../documentation/googleapps-sso.png_documentation_2.0_applications_googleapps.html" class="media" title="documentation:googleapps-sso.png"><img src="../documentation/googleapps-sso.png" class="mediacenter" alt="" /></a>
</p>
<p>
Now configure all <abbr title="Security Assertion Markup Language">SAML</abbr> parameters:
</p>
<p>
<a href="../documentation/googleapps-ssoconfig.png_documentation_2.0_applications_googleapps.html" class="media" title="documentation:googleapps-ssoconfig.png"><img src="../documentation/googleapps-ssoconfig.png" class="mediacenter" alt="" /></a>
</p>
<ul>
<li class="level1"><div class="li"> <strong>Enable Single Sign-On</strong>: check the box. Uncheck it to disable <abbr title="Security Assertion Markup Language">SAML</abbr> authentication (for example, if your Identity Provider is down).</div>
</li>
<li class="level1"><div class="li"> <strong>Sign-in page <abbr title="Uniform Resource Locator">URL</abbr></strong>: <abbr title="Single Sign On">SSO</abbr> access point (HTTP-Redirect binding). Example: <a href="http://auth.example.com/saml/singleSignOn" class="urlextern" title="http://auth.example.com/saml/singleSignOn" rel="nofollow">http://auth.example.com/saml/singleSignOn</a></div>
</li>
<li class="level1"><div class="li"> <strong>Sign-out page <abbr title="Uniform Resource Locator">URL</abbr></strong>: this in not the SLO access point (Google Apps does not support SLO), but the main logout page. Example: <a href="http://auth.example.com/?logout=1" class="urlextern" title="http://auth.example.com/?logout=1" rel="nofollow">http://auth.example.com/?logout=1</a></div>
</li>
<li class="level1"><div class="li"> <strong>Change password <abbr title="Uniform Resource Locator">URL</abbr></strong>: where users can change their password. Example: <a href="http://auth.example.com" class="urlextern" title="http://auth.example.com" rel="nofollow">http://auth.example.com</a></div>
</li>
</ul>
<div class="noteimportant">You must check the option <code>Use a specific domain transmitter</code> to force Google Apps to send the full entityId.
</div>
</div>
<!-- EDIT4 SECTION "Google Apps control panel" [688-1806] -->
<h3 class="sectionedit5" id="certificate">Certificate</h3>
<div class="level3">
<p>
For the certificate, you can build it from the signing private key registered in Manager. Select the key, and export it (button <code>Download</code>). This will download the public and the private key.
</p>
<p>
Keep the private key in a file, for example lemonldap-ng-priv.key, then use openssl to generate an auto-signed certificate:
</p>
<pre class="code">openssl req -new -key lemonldap-ng-priv.key -out cert.csr
openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem</pre>
<p>
You can now the upload the certificate (<code>cert.pem</code>) on Google Apps.
</p>
<div class="notetip">You can also use the certificate instead of public key in <abbr title="Security Assertion Markup Language">SAML</abbr> metadata, see <a href="../samlservice.html#security_parameters" class="wikilink1" title="documentation:2.0:samlservice">SAML service configuration</a>
</div>
</div>
<!-- EDIT5 SECTION "Certificate" [1807-2542] -->
<h3 class="sectionedit6" id="new_service_provider">New Service Provider</h3>
<div class="level3">
<p>
You should have configured <abbr title="LemonLDAP::NG">LL::NG</abbr> as an <a href="../idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML Identity Provider</a>,
</p>
<p>
Now we will add Google Apps as a new <abbr title="Security Assertion Markup Language">SAML</abbr> Service Provider:
</p>
<ol>
<li class="level1"><div class="li"> In Manager, click on <abbr title="Security Assertion Markup Language">SAML</abbr> service providers and the button <code>New service provider</code>.</div>
</li>
<li class="level1"><div class="li"> Set GoogleApps as Service Provider name.</div>
</li>
<li class="level1"><div class="li"> Set <code>Email</code> in <code>Options</code> » <code>Authentication Response</code> » <code>Default NameID format</code></div>
</li>
<li class="level1"><div class="li"> Disable all signature flags in <code>Options</code> » <code>Signature</code>, except <code>Sign <abbr title="Single Sign On">SSO</abbr> message</code> which should be to <code>On</code></div>
</li>
<li class="level1"><div class="li"> Select <code>Metadata</code>, and unprotect the field to paste the following value:</div>
</li>
</ol>
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;md:EntityDescriptor</span> <span class="re0">entityID</span>=<span class="st0">&quot;google.com&quot;</span> <span class="re0">xmlns</span>=<span class="st0">&quot;urn:oasis:names:tc:SAML:2.0:metadata&quot;</span> <span class="re0">xmlns:ds</span>=<span class="st0">&quot;http://www.w3.org/2000/09/xmldsig#&quot;</span> <span class="re0">xmlns:md</span>=<span class="st0">&quot;urn:oasis:names:tc:SAML:2.0:metadata&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;SPSSODescriptor</span> <span class="re0">protocolSupportEnumeration</span>=<span class="st0">&quot;urn:oasis:names:tc:SAML:2.0:protocol&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;AssertionConsumerService</span> <span class="re0">Binding</span>=<span class="st0">&quot;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&quot;</span> <span class="re0">Location</span>=<span class="st0">&quot;https://www.google.com/a/mydomain.org/acs&quot;</span> <span class="re0">index</span>=<span class="st0">&quot;1&quot;</span> <span class="re2">/&gt;</span></span>
<span class="sc3"><span class="re1">&lt;NameIDFormat<span class="re2">&gt;</span></span></span>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress<span class="sc3"><span class="re1">&lt;/NameIDFormat<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/SPSSODescriptor<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/md:EntityDescriptor<span class="re2">&gt;</span></span></span></pre>
<div class="noteimportant">Change <strong>mydomain.org</strong> (in <code>AssertionConsumerService</code> markup, parameter <code>Location</code>) into your Google Apps domain. Also adapt your entityID to match the Assertion issuer: google.com/a/mydomain.org
</div>
</div>
<!-- EDIT6 SECTION "New Service Provider" [2543-3938] -->
<h3 class="sectionedit7" id="application_menu">Application menu</h3>
<div class="level3">
<p>
You can add a link in <a href="../portalmenu.html#categories_and_applications" class="wikilink1" title="documentation:2.0:portalmenu">application menu</a> to display Google Apps to users.
</p>
<p>
You need to adapt some parameters:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Address</strong>: set one of Google Apps <abbr title="Uniform Resource Locator">URL</abbr> (all Google Apps product a distinct <abbr title="Uniform Resource Locator">URL</abbr>), for example <a href="http://www.google.com/calendar/hosted/mydomain.org/render" class="urlextern" title="http://www.google.com/calendar/hosted/mydomain.org/render" rel="nofollow">http://www.google.com/calendar/hosted/mydomain.org/render</a></div>
</li>
<li class="level1"><div class="li"> <strong>Display</strong>: As Google Apps is not a protected application, set to <code>On</code> to always display it</div>
</li>
</ul>
<div class="noteimportant">Change <strong>mydomain.org</strong> into your Google Apps domain
</div>
</div>
<!-- EDIT7 SECTION "Application menu" [3939-4452] -->
<h3 class="sectionedit8" id="logout">Logout</h3>
<div class="level3">
<p>
Google Apps does not support Single Logout (SLO).
</p>
<p>
Google Apps has a configuration parameter to redirect user on a specific <abbr title="Uniform Resource Locator">URL</abbr> after Google Apps logout (see <a href="#google_apps_control_panel" title="documentation:2.0:applications:googleapps ↵" class="wikilink1">Google Apps control panel</a>).
</p>
<p>
To manage the other way (<abbr title="LemonLDAP::NG">LL::NG</abbr> → Google Apps), you can add a dedicated <a href="../logoutforward.html" class="wikilink1" title="documentation:2.0:logoutforward">logout forward rule</a>:
</p>
<pre class="code">GoogleApps =&gt; http://www.google.com/calendar/hosted/mydomain.org/logout</pre>
<div class="noteimportant">Change <strong>mydomain.org</strong> into your Google Apps domain
</div>
</div>
<!-- EDIT8 SECTION "Logout" [4453-] --></div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink