documentation:1.4:applications:googleapps

Google Apps

Google Apps can use SAML to authenticate users, acting as a SAML service provider, as explained here.

To work with LL::NG it requires:

This part is based on SimpleSAMLPHP documentation.

As administrator, go to the Google Apps control panel and click on Advanced tools:

Then select Set up single sign-on (SSO):

Now configure all SAML parameters:

  • Enable Single Sign-On: check the box. Uncheck it to disable SAML authentication (for example, if your Identity Provider is down).
  • Sign-in page URL: the SSO access point (HTTP-Redirect binding). Example: http://auth.example.com/saml/singleSignOn
  • Sign-out page URL: this is not the SLO access point (Google Apps does not support SLO), but the main logout page. Example: http://auth.example.com/?logout=1
  • Change password URL: where users can change their password. Example: http://auth.example.com

The examples above use plain http only for brevity: Google redirects users' browsers to these URLs and the SAML exchange carries their session, so serve them over HTTPS in production.

For the certificate, build it from the signing private key registered in Manager. Select the key and export it (button Download this file):

After choosing the file name (for example lemonldap-ng-priv.key), download the key to your disk. This is the IdP's private signing key: keep it on a trusted machine, restrict its permissions, and delete the copy once the certificate has been generated.

Then use openssl to generate a self-signed certificate (the first command prompts for the certificate subject):

openssl req -new -key lemonldap-ng-priv.key -out cert.csr
openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem

You can now upload the certificate (cert.pem) on Google Apps. Google verifies the signature of every SSO response with this certificate, so it must wrap the same key LL::NG signs with.
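The certificate steps above, as an added example that is not part of the LL::NG documentation: it runs the same openssl flow non-interactively and then checks that the resulting cert.pem really wraps the exported signing key before you upload it. It generates a throwaway key so it runs stand-alone; in practice the key is the one exported from Manager. File names and the CN are assumptions.

```shell
#!/bin/sh
# Added example, not code from the LL::NG page.
set -eu

# Generate a throwaway RSA key so the example runs stand-alone.
# In practice lemonldap-ng-priv.key is the key exported from the Manager.
gen_signing_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# Same two steps as the page (CSR, then a self-signed cert valid 10 years),
# but with -subj so no interactive prompt is needed.
make_self_signed_cert() {
    key="$1"; cert="$2"; cn="$3"
    csr="${cert%.pem}.csr"
    openssl req -new -key "$key" -subj "/CN=$cn" -out "$csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$csr" -signkey "$key" -out "$cert" 2>/dev/null
}

# Return 0 when the certificate's public key is the one derived from the
# private key. A mismatch means Google would reject every signed response.
cert_matches_key() {
    key="$1"; cert="$2"
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 when the certificate is currently within its validity period.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Build key + certificate in directory $1 and verify them; 0 on success.
run_demo() {
    dir="$1"
    gen_signing_key "$dir/lemonldap-ng-priv.key"
    make_self_signed_cert "$dir/lemonldap-ng-priv.key" "$dir/cert.pem" auth.example.com
    cert_matches_key "$dir/lemonldap-ng-priv.key" "$dir/cert.pem" || return 1
    cert_not_expired "$dir/cert.pem" || return 1
    echo "$dir/cert.pem matches the signing key; safe to upload to Google Apps"
}

if [ "${1:-}" = "run" ]; then
    run_demo "$(mktemp -d)"
fi
```

Run it as `sh make-cert.sh run`. The match check is the one worth keeping: if the key in Manager is later rotated, the certificate uploaded to Google must be regenerated from the new key, and this check catches a stale upload before users are locked out.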

You should already have configured LL::NG as a SAML Identity Provider.

Now we will add Google Apps as a new SAML Service Provider:

  1. In Manager, click on SAML service providers and then the button New service provider.
  2. Set GoogleApps as Service Provider name.
  3. In Options » Authentication Response » Default NameID format, select Email.
  4. In Options » Signature, disable all signature flags except Sign SSO message, which must be On: Google does not sign its authentication requests, so requiring request signatures would reject them, while the SSO response must be signed so Google can verify it with the uploaded certificate.
  5. Select Metadata, unprotect the field and paste the following value:
<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/mydomain.org/acs" index="1" />
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </SPSSODescriptor>
</md:EntityDescriptor>
Change mydomain.org (in the Location attribute of the AssertionConsumerService element) to your Google Apps domain. Also set entityID to google.com/a/mydomain.org so that it matches the Issuer Google sends in its authentication requests; otherwise LL::NG will not match the request to this service provider.
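Because the domain has to be substituted in two places (entityID and the ACS Location) and a mismatch between them is an easy mistake, here is an added example, not part of the LL::NG documentation, that generates the metadata for a given domain and checks the result before it is pasted into Manager. The check also confirms that the ACS points at Google's HTTPS endpoint, which is where signed assertions will be posted. The file name is an assumption.

```shell
#!/bin/sh
# Added example, not code from the LL::NG page.
set -eu

# Print the Google Apps SP metadata for domain $1: the page's template with
# mydomain.org substituted and entityID already set to google.com/a/<domain>.
google_sp_metadata() {
    domain="$1"
    cat <<EOF
<md:EntityDescriptor entityID="google.com/a/${domain}" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/${domain}/acs" index="1" />
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Sanity checks on a metadata file $2 for domain $1; returns 0 when all hold:
#  - entityID names the same domain (it must equal the Issuer Google sends),
#  - the ACS is Google's HTTPS endpoint for that domain (assertions go there),
#  - the NameID format is emailAddress, matching the SP option chosen above.
check_google_sp_metadata() {
    domain="$1"; file="$2"
    grep -q "entityID=\"google.com/a/${domain}\"" "$file" \
        || { echo "entityID does not name ${domain}" >&2; return 1; }
    grep -q "Location=\"https://www.google.com/a/${domain}/acs\"" "$file" \
        || { echo "ACS Location is not Google's HTTPS endpoint for ${domain}" >&2; return 1; }
    grep -q 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' "$file" \
        || { echo "NameID format is not emailAddress" >&2; return 1; }
    return 0
}

if [ "${1:-}" != "" ]; then
    google_sp_metadata "$1" > google-sp-metadata.xml
    check_google_sp_metadata "$1" google-sp-metadata.xml && echo "google-sp-metadata.xml is ready to paste"
fi
```

Run `sh google-sp.sh mydomain.org` and paste the resulting google-sp-metadata.xml into the Metadata field.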

You can add a link in the application menu to display Google Apps to users.

You need to adapt some parameters:

Change mydomain.org into your Google Apps domain

Google Apps does not support Single Logout (SLO).

Google Apps has a configuration parameter to redirect the user to a specific URL after logging out of Google Apps (see the Google Apps control panel); point it at the LL::NG logout page so that a Google Apps logout also ends the LL::NG session.

For the other direction (LL::NG → Google Apps), add a dedicated logout forward rule:

GoogleApps => http://www.google.com/calendar/hosted/mydomain.org/logout
Change mydomain.org into your Google Apps domain