<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:2.0:applications:googleapps</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,googleapps"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="googleapps.html"/>
<link rel="contents" href="googleapps.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:googleapps","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#google_apps_control_panel">Google Apps control panel</a></div></li>
<li class="level2"><div class="li"><a href="#certificate">Certificate</a></div></li>
<li class="level2"><div class="li"><a href="#new_service_provider">New Service Provider</a></div></li>
<li class="level2"><div class="li"><a href="#application_menu">Application menu</a></div></li>
<li class="level2"><div class="li"><a href="#logout">Logout</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="google_apps">Google Apps</h1>
<div class="level1">

<p>
<a href="googleapps_logo.png_documentation_2.0_applications_googleapps.html" class="media" title="applications:googleapps_logo.png"><img src="googleapps_logo.png" class="mediacenter" alt="" /></a>
</p>

</div>
<!-- EDIT1 SECTION "Google Apps" [1-69] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">

<p>
<a href="http://www.google.com/apps/" class="urlextern" title="http://www.google.com/apps/"  rel="nofollow">Google Apps</a> can use <abbr title="Security Assertion Markup Language">SAML</abbr> to authenticate users, behaving as a <abbr title="Security Assertion Markup Language">SAML</abbr> service provider, as explained <a href="http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html" class="urlextern" title="http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html"  rel="nofollow">here</a>.
</p>

<p>
To work with <abbr title="LemonLDAP::NG">LL::NG</abbr>, it requires:
</p>
<ul>
<li class="level1"><div class="li"> An <a href="http://www.google.com/apps/intl/en/business/index.html" class="urlextern" title="http://www.google.com/apps/intl/en/business/index.html"  rel="nofollow">enterprise Google Apps account</a></div>
</li>
<li class="level1"><div class="li"> <abbr title="LemonLDAP::NG">LL::NG</abbr> configured as a <a href="../idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML Identity Provider</a></div>
</li>
<li class="level1"><div class="li"> Users registered on Google Apps with the same email addresses as those used by <abbr title="LemonLDAP::NG">LL::NG</abbr> (the email address is the NameID exchanged between Google Apps and <abbr title="LemonLDAP::NG">LL::NG</abbr>)</div>
</li>
</ul>

</div>
<!-- EDIT2 SECTION "Presentation" [70-660] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">

</div>
<!-- EDIT3 SECTION "Configuration" [661-687] -->
<h3 class="sectionedit4" id="google_apps_control_panel">Google Apps control panel</h3>
<div class="level3">
<div class="noteclassic">This part is based on the <a href="http://simplesamlphp.org/docs/1.6/simplesamlphp-googleapps" class="urlextern" title="http://simplesamlphp.org/docs/1.6/simplesamlphp-googleapps"  rel="nofollow">SimpleSAMLphp documentation</a>.
</div>
<p>
As administrator, go to the Google Apps control panel and click on Advanced tools:
</p>

<p>
<a href="../documentation/googleapps-menu.png_documentation_2.0_applications_googleapps.html" class="media" title="documentation:googleapps-menu.png"><img src="../documentation/googleapps-menu.png" class="mediacenter" alt="" /></a>
</p>

<p>
Then select <code>Set up single sign-on (<abbr title="Single Sign On">SSO</abbr>)</code>:
</p>

<p>
<a href="../documentation/googleapps-sso.png_documentation_2.0_applications_googleapps.html" class="media" title="documentation:googleapps-sso.png"><img src="../documentation/googleapps-sso.png" class="mediacenter" alt="" /></a>
</p>

<p>
Now configure all <abbr title="Security Assertion Markup Language">SAML</abbr> parameters:
</p>

<p>
<a href="../documentation/googleapps-ssoconfig.png_documentation_2.0_applications_googleapps.html" class="media" title="documentation:googleapps-ssoconfig.png"><img src="../documentation/googleapps-ssoconfig.png" class="mediacenter" alt="" /></a>
</p>
<ul>
<li class="level1"><div class="li"> <strong>Enable Single Sign-On</strong>: check the box. Uncheck it to disable <abbr title="Security Assertion Markup Language">SAML</abbr> authentication (for example, if your Identity Provider is down).</div>
</li>
<li class="level1"><div class="li"> <strong>Sign-in page <abbr title="Uniform Resource Locator">URL</abbr></strong>: <abbr title="Single Sign On">SSO</abbr> access point (HTTP-Redirect binding). Example: <a href="http://auth.example.com/saml/singleSignOn" class="urlextern" title="http://auth.example.com/saml/singleSignOn"  rel="nofollow">http://auth.example.com/saml/singleSignOn</a></div>
</li>
<li class="level1"><div class="li"> <strong>Sign-out page <abbr title="Uniform Resource Locator">URL</abbr></strong>: this is not the SLO access point (Google Apps does not support SLO), but the main logout page. Example: <a href="http://auth.example.com/?logout=1" class="urlextern" title="http://auth.example.com/?logout=1"  rel="nofollow">http://auth.example.com/?logout=1</a></div>
</li>
<li class="level1"><div class="li"> <strong>Change password <abbr title="Uniform Resource Locator">URL</abbr></strong>: where users can change their password. Example: <a href="http://auth.example.com" class="urlextern" title="http://auth.example.com"  rel="nofollow">http://auth.example.com</a></div>
</li>
</ul>

</div>
<!-- EDIT4 SECTION "Google Apps control panel" [688-1671] -->
<h3 class="sectionedit5" id="certificate">Certificate</h3>
<div class="level3">

<p>
You can build the certificate from the signing private key registered in the Manager: select the key and export it (button <code>Download</code>). This downloads both the public and the private key.
</p>

<p>
Keep the private key in a file, for example <code>lemonldap-ng-priv.key</code>, then use openssl to generate a self-signed certificate:
</p>
<pre class="code">openssl req -new -key lemonldap-ng-priv.key -out cert.csr
openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem</pre>

<p>
You can now upload the certificate (<code>cert.pem</code>) to Google Apps.
</p>
<div class="notetip">You can also use the certificate instead of the public key in <abbr title="Security Assertion Markup Language">SAML</abbr> metadata; see <a href="../samlservice.html#security_parameters" class="wikilink1" title="documentation:2.0:samlservice">SAML service configuration</a>
</div>
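<p>
The following Python script is an added example (not part of the LemonLDAP::NG documentation or code base). It runs the same two openssl commands as above, adding <code>-subj</code> so the CSR step does not prompt, and then performs the check you want before uploading anything to Google: that the public key embedded in <code>cert.pem</code> is exactly the public key of the private key LL::NG signs with. If they differ, Google Apps will reject every signed assertion. The subject name, file names and the stand-in key generation are assumptions made for the example; in real use the key is the one exported from the Manager.
</p>

```python
import shutil
import subprocess
import tempfile
from pathlib import Path


def run(cmd):
    """Run an openssl command, raising on failure and returning its stdout."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def generate_stand_in_key(path):
    """Assumed helper for the example only: in practice the key comes from the Manager export."""
    run(["openssl", "genpkey", "-algorithm", "RSA",
         "-pkeyopt", "rsa_keygen_bits:2048", "-out", str(path)])
    return Path(path)


def make_self_signed_cert(priv_key, cert_out, subject="/CN=auth.example.com", days=3650):
    """Same flow as the documentation: CSR from the key, then self-sign it with that key.
    `subject` (assumed value) is passed with -subj to avoid interactive prompts."""
    with tempfile.TemporaryDirectory() as tmp:
        csr = Path(tmp) / "cert.csr"
        run(["openssl", "req", "-new", "-key", str(priv_key),
             "-subj", subject, "-out", str(csr)])
        run(["openssl", "x509", "-req", "-days", str(days), "-in", str(csr),
             "-signkey", str(priv_key), "-out", str(cert_out)])
    return Path(cert_out)


def public_key_of_private(priv_key):
    """PEM SubjectPublicKeyInfo derived from the private key."""
    return run(["openssl", "pkey", "-in", str(priv_key), "-pubout"]).strip()


def public_key_of_cert(cert):
    """PEM SubjectPublicKeyInfo embedded in the certificate."""
    return run(["openssl", "x509", "-in", str(cert), "-noout", "-pubkey"]).strip()


def cert_matches_key(cert, priv_key):
    """True only when the certificate carries the public half of priv_key:
    this is what Google Apps will use to verify assertions signed by LL::NG."""
    return public_key_of_cert(cert) == public_key_of_private(priv_key)


if __name__ == "__main__":
    if shutil.which("openssl") is None:
        raise SystemExit("openssl binary not found")
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        key = generate_stand_in_key(work / "lemonldap-ng-priv.key")   # stand-in for the Manager export
        other = generate_stand_in_key(work / "unrelated.key")         # a key LL::NG does NOT sign with
        cert = make_self_signed_cert(key, work / "cert.pem")
        print("cert.pem matches lemonldap-ng-priv.key:", cert_matches_key(cert, key))   # True
        print("cert.pem matches unrelated.key:", cert_matches_key(cert, other))         # False
```

Run the comparison against the key you actually exported from the Manager before uploading <code>cert.pem</code> in the Google Apps control panel; a mismatch is the usual cause of an SSO loop where Google bounces the user back to the sign-in page.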
</div>
<!-- EDIT5 SECTION "Certificate" [1672-2407] -->
<h3 class="sectionedit6" id="new_service_provider">New Service Provider</h3>
<div class="level3">

<p>
You should have configured <abbr title="LemonLDAP::NG">LL::NG</abbr> as a <a href="../idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML Identity Provider</a>.
</p>

<p>
Now we will add Google Apps as a new <abbr title="Security Assertion Markup Language">SAML</abbr> Service Provider:
</p>
<ol>
<li class="level1"><div class="li"> In Manager, click on <abbr title="Security Assertion Markup Language">SAML</abbr> service providers and the button <code>New service provider</code>.</div>
</li>
<li class="level1"><div class="li"> Set GoogleApps as Service Provider name.</div>
</li>
<li class="level1"><div class="li"> Set <code>Email</code> in <code>Options</code> » <code>Authentication Response</code> » <code>Default NameID format</code></div>
</li>
<li class="level1"><div class="li"> Disable all signature flags in <code>Options</code> » <code>Signature</code>, except <code>Sign <abbr title="Single Sign On">SSO</abbr> message</code>, which should be set to <code>On</code></div>
</li>
<li class="level1"><div class="li"> Select <code>Metadata</code>, and unprotect the field to paste the following value:</div>
</li>
</ol>
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;md:EntityDescriptor</span> <span class="re0">entityID</span>=<span class="st0">&quot;google.com&quot;</span> <span class="re0">xmlns</span>=<span class="st0">&quot;urn:oasis:names:tc:SAML:2.0:metadata&quot;</span> <span class="re0">xmlns:ds</span>=<span class="st0">&quot;http://www.w3.org/2000/09/xmldsig#&quot;</span> <span class="re0">xmlns:md</span>=<span class="st0">&quot;urn:oasis:names:tc:SAML:2.0:metadata&quot;</span><span class="re2">&gt;</span></span>
  <span class="sc3"><span class="re1">&lt;SPSSODescriptor</span> <span class="re0">protocolSupportEnumeration</span>=<span class="st0">&quot;urn:oasis:names:tc:SAML:2.0:protocol&quot;</span><span class="re2">&gt;</span></span>
    <span class="sc3"><span class="re1">&lt;AssertionConsumerService</span> <span class="re0">Binding</span>=<span class="st0">&quot;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&quot;</span> <span class="re0">Location</span>=<span class="st0">&quot;https://www.google.com/a/mydomain.org/acs&quot;</span> <span class="re0">index</span>=<span class="st0">&quot;1&quot;</span> <span class="re2">/&gt;</span></span>
    <span class="sc3"><span class="re1">&lt;NameIDFormat<span class="re2">&gt;</span></span></span>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress<span class="sc3"><span class="re1">&lt;/NameIDFormat<span class="re2">&gt;</span></span></span>
  <span class="sc3"><span class="re1">&lt;/SPSSODescriptor<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/md:EntityDescriptor<span class="re2">&gt;</span></span></span></pre>
<div class="noteimportant">Change <strong>mydomain.org</strong> (the <code>Location</code> parameter of the <code>AssertionConsumerService</code> element) to your Google Apps domain. Also adapt the entityID to match the Assertion issuer: google.com/a/mydomain.org 
</div>
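<p>
The following Python script is an added example, not part of the LemonLDAP::NG documentation or code base. It parses the metadata block above and checks every point the note asks you to adapt before you paste it into the Manager: that the <code>mydomain.org</code> placeholder is gone, that the <code>AssertionConsumerService</code> uses the HTTP-POST binding and points at <code>https://www.google.com/a/&lt;your domain&gt;/acs</code>, that the entityID matches the <code>google.com/a/&lt;your domain&gt;</code> issuer, and that the NameID format is the email address format selected in step 3. The sample domain <code>example.com</code> is a constructed value.
</p>

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# The metadata exactly as shown in the documentation (placeholders still in place).
PAGE_TEMPLATE = """<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/mydomain.org/acs" index="1" />
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </SPSSODescriptor>
</md:EntityDescriptor>"""


def adapt_metadata(domain):
    """Apply the two edits the documentation's note asks for: the ACS domain and the entityID."""
    return (PAGE_TEMPLATE
            .replace("mydomain.org", domain)
            .replace('entityID="google.com"', f'entityID="google.com/a/{domain}"'))


def check_googleapps_metadata(xml_text, domain):
    """Return a list of problems found in the SP metadata for `domain`; an empty list means OK."""
    problems = []
    root = ET.fromstring(xml_text)
    # The default xmlns and the md: prefix both map to the metadata namespace,
    # so ElementTree resolves every element here to the same {MD_NS} tag.
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]

    expected_entity = f"google.com/a/{domain}"
    entity_id = root.get("entityID", "")
    if entity_id != expected_entity:
        problems.append(f"entityID is {entity_id!r}, expected {expected_entity!r} "
                        "so that it matches the Assertion issuer")

    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        return problems + ["no SPSSODescriptor element"]

    acs_list = sp.findall(f"{{{MD_NS}}}AssertionConsumerService")
    if not acs_list:
        problems.append("no AssertionConsumerService element")
    expected_location = f"https://www.google.com/a/{domain}/acs"
    for acs in acs_list:
        location = acs.get("Location", "")
        if "mydomain.org" in location:
            problems.append("Location still contains the mydomain.org placeholder")
        elif location != expected_location:
            problems.append(f"Location is {location!r}, expected {expected_location!r}")
        if acs.get("Binding") != HTTP_POST:
            problems.append(f"Binding is {acs.get('Binding')!r}, expected HTTP-POST")

    formats = [e.text.strip() for e in sp.findall(f"{{{MD_NS}}}NameIDFormat") if e.text]
    if EMAIL_FORMAT not in formats:
        problems.append("NameIDFormat must include the emailAddress format "
                        "(Default NameID format is set to Email in the Manager)")
    return problems


if __name__ == "__main__":
    for label, text in (("unchanged template", PAGE_TEMPLATE),
                        ("adapted for example.com", adapt_metadata("example.com"))):
        found = check_googleapps_metadata(text, "example.com")
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Running the script reports two problems for the unchanged template (the placeholder in <code>Location</code> and the unadapted entityID) and none for the adapted copy; paste only a copy that passes, since an entityID that does not match the issuer makes LL::NG unable to find the service provider for the incoming request.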
</div>
<!-- EDIT6 SECTION "New Service Provider" [2408-3803] -->
<h3 class="sectionedit7" id="application_menu">Application menu</h3>
<div class="level3">

<p>
You can add a link in <a href="../portalmenu.html#categories_and_applications" class="wikilink1" title="documentation:2.0:portalmenu">application menu</a> to display Google Apps to users.
</p>

<p>
You need to adapt some parameters:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Address</strong>: set one of the Google Apps <abbr title="Uniform Resource Locator">URL</abbr>s (each Google Apps product has a distinct <abbr title="Uniform Resource Locator">URL</abbr>), for example <a href="http://www.google.com/calendar/hosted/mydomain.org/render" class="urlextern" title="http://www.google.com/calendar/hosted/mydomain.org/render"  rel="nofollow">http://www.google.com/calendar/hosted/mydomain.org/render</a></div>
</li>
<li class="level1"><div class="li"> <strong>Display</strong>: as Google Apps is not an application protected by <abbr title="LemonLDAP::NG">LL::NG</abbr>, set this to <code>On</code> to always display it</div>
</li>
</ul>
<div class="noteimportant">Change <strong>mydomain.org</strong> into your Google Apps domain
</div>
</div>
<!-- EDIT7 SECTION "Application menu" [3804-4317] -->
<h3 class="sectionedit8" id="logout">Logout</h3>
<div class="level3">

<p>
Google Apps does not support Single Logout (SLO).
</p>

<p>
Google Apps has a configuration parameter to redirect the user to a specific <abbr title="Uniform Resource Locator">URL</abbr> after Google Apps logout (see <a href="#google_apps_control_panel" title="documentation:2.0:applications:googleapps ↵" class="wikilink1">Google Apps control panel</a>).
</p>

<p>
To manage the other way (<abbr title="LemonLDAP::NG">LL::NG</abbr> → Google Apps), you can add a dedicated <a href="../logoutforward.html" class="wikilink1" title="documentation:2.0:logoutforward">logout forward rule</a>:
</p>
<pre class="code">GoogleApps =&gt; http://www.google.com/calendar/hosted/mydomain.org/logout</pre>
<div class="noteimportant">Change <strong>mydomain.org</strong> into your Google Apps domain
</div>
</div>
<!-- EDIT8 SECTION "Logout" [4318-] --></div>
</body>
</html>