Google Apps

Presentation

Google Apps can use SAML to authenticate users, behaving as an SAML service provider, as explained here.

To work with LL::NG it requires:

Configuration

Google Apps control panel

This part is based on SimpleSAMLPHP documentation.

As administrator, go in Google Apps control panel and click on Advanced tools:

Then select Set up single sign-on (SSO):

Now configure all SAML parameters:

  • Enable Single Sign-On: check the box. Uncheck it to disable SAML authentication (for example, if your Identity Provider is down).
  • Sign-in page URL: SSO access point (HTTP-Redirect binding). Example: http://auth.example.com/saml/singleSignOn
  • Sign-out page URL: this in not the SLO access point (Google Apps does not support SLO), but the main logout page. Example: http://auth.example.com/?logout=1
  • Change password URL: where users can change their password. Example: http://auth.example.com
You must check the option Use a specific domain transmitter to force Google Apps to send the full entityId.

Certificate

For the certificate, you can build it from the signing private key registered in Manager. Select the key, and export it (button Download). This will download the public and the private key.

Keep the private key in a file, for example lemonldap-ng-priv.key, then use openssl to generate an auto-signed certificate:

openssl req -new -key lemonldap-ng-priv.key -out cert.csr
openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem

You can now the upload the certificate (cert.pem) on Google Apps.

You can also use the certificate instead of public key in SAML metadata, see SAML service configuration

New Service Provider

You should have configured LL::NG as an SAML Identity Provider,

Now we will add Google Apps as a new SAML Service Provider:

  1. In Manager, click on SAML service providers and the button New service provider.
  2. Set GoogleApps as Service Provider name.
  3. Set Email in Options » Authentication Response » Default NameID format
  4. Disable all signature flags in Options » Signature, except Sign SSO message which should be to On
  5. Select Metadata, and unprotect the field to paste the following value:
<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/mydomain.org/acs" index="1" />
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </SPSSODescriptor>
</md:EntityDescriptor>
Change mydomain.org (in AssertionConsumerService markup, parameter Location) into your Google Apps domain. Also adapt your entityID to match the Assertion issuer: google.com/a/mydomain.org

Application menu

You can add a link in application menu to display Google Apps to users.

You need to adapt some parameters:

Change mydomain.org into your Google Apps domain

Logout

Google Apps does not support Single Logout (SLO).

Google Apps has a configuration parameter to redirect user on a specific URL after Google Apps logout (see Google Apps control panel).

To manage the other way (LL::NG → Google Apps), you can add a dedicated logout forward rule:

GoogleApps => http://www.google.com/calendar/hosted/mydomain.org/logout
Change mydomain.org into your Google Apps domain