Google Apps¶
Presentation¶
Google Apps can use SAML to authenticate users, behaving as a SAML service provider, as explained here.
To work with LL::NG it requires:
LL::NG configured as SAML Identity Provider
Registered users on Google Apps with the same email as those used by LL::NG (the email will be the NameID exchanged between Google Apps and LL::NG)
Configuration¶
Google Apps control panel¶
Attention
This part is based on SimpleSAMLPHP documentation.
As administrator, go in the Google Apps control panel and click on Advanced tools:
Then select Set up single sign-on (SSO):
Now configure all SAML parameters:
Enable Single Sign-On: check the box. Uncheck it to disable SAML authentication (for example, if your Identity Provider is down).
Sign-in page URL: SSO access point (HTTP-Redirect binding). Example: http://auth.example.com/saml/singleSignOn
Sign-out page URL: this is not the SLO access point (Google Apps does not support SLO), but the main logout page. Example: http://auth.example.com/?logout=1
Change password URL: where users can change their password. Example: http://auth.example.com
Attention
You must check the option Use a specific domain transmitter to force Google Apps to send the full entityId.
Certificate¶
For the certificate, you can build it from the signing private key registered in Manager. Select the key, and export it (button Download). This will download the public and the private key.
Keep the private key in a file, for example lemonldap-ng-priv.key, then use openssl to generate a self-signed certificate:
openssl req -new -key lemonldap-ng-priv.key -out cert.csr
openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem
You can now upload the certificate (cert.pem) on Google Apps.
Tip
You can also use the certificate instead of the public key in SAML metadata, see SAML service configuration
New Service Provider¶
You should have configured LL::NG as a SAML Identity Provider.
Now we will add Google Apps as a new SAML Service Provider:
In Manager, click on SAML service providers and the button New service provider. Set GoogleApps as Service Provider name.
Set Email in Options » Authentication Response » Default NameID format
Disable all signature flags in Options » Signature, except Sign SSO message which should be set to On
Select Metadata, and unprotect the field to paste the following value:
<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/mydomain.org/acs" index="1" />
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
</SPSSODescriptor>
</md:EntityDescriptor>
Attention
Change mydomain.org (in the AssertionConsumerService markup, parameter Location) into your Google Apps domain. Also adapt your entityID to match the Assertion issuer: google.com/a/mydomain.org
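Before pasting the metadata into Manager, it is worth checking that the placeholder domain has been replaced everywhere and that the entityID matches the issuer form given above; the following is an added example written for this page (not LL::NG code) that applies those checks to the metadata template with Python's standard XML parser. The sample metadata strings are constructed here; example.com stands in for a real Google Apps domain.

```python
"""Sanity checks for the Google Apps SP metadata pasted into the LL::NG Manager."""
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ACS_RE = re.compile(r"^https://www\.google\.com/a/([^/]+)/acs$")

# Constructed sample: the template from this page, still carrying the placeholder domain.
PAGE_TEMPLATE = (
    '<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">'
    '<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://www.google.com/a/mydomain.org/acs" index="1" />'
    '<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>'
    '</SPSSODescriptor></md:EntityDescriptor>'
)
# Constructed sample: the same template adapted for the (hypothetical) domain example.com.
ADAPTED = PAGE_TEMPLATE.replace("mydomain.org", "example.com").replace(
    'entityID="google.com"', 'entityID="google.com/a/example.com"')


def check_googleapps_sp_metadata(xml_text: str) -> list:
    """Return the list of problems found; an empty list means the metadata is consistent."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        return ["root element is not md:EntityDescriptor"]
    entity_id = root.get("entityID", "")
    acs = root.find("{%s}SPSSODescriptor/{%s}AssertionConsumerService" % (MD_NS, MD_NS))
    if acs is None:
        return ["no AssertionConsumerService in SPSSODescriptor"]
    if acs.get("Binding") != HTTP_POST:
        problems.append("ACS Binding must be HTTP-POST")
    match = ACS_RE.match(acs.get("Location", ""))
    if not match:
        problems.append("ACS Location must be https://www.google.com/a/<domain>/acs")
    else:
        domain = match.group(1)
        if domain == "mydomain.org":
            problems.append("ACS Location still uses the placeholder domain mydomain.org")
        if entity_id != "google.com/a/" + domain:
            problems.append("entityID %r does not match issuer google.com/a/%s" % (entity_id, domain))
    # Google Apps matches users by email, so the emailAddress NameID format must be advertised.
    if EMAIL_FMT not in [e.text for e in root.iter("{%s}NameIDFormat" % MD_NS)]:
        problems.append("NameIDFormat must be emailAddress")
    return problems
```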
Logout¶
Google Apps does not support Single Logout (SLO).
Google Apps has a configuration parameter to redirect the user to a specific URL after Google Apps logout (see Google Apps control panel).
To manage the other way (LL::NG → Google Apps), you can add a dedicated logout forward rule:
GoogleApps => http://www.google.com/calendar/hosted/mydomain.org/logout
Attention
Change mydomain.org into your Google Apps domain