worteks
/
lemonldap-ng
mirror of https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
3
0
Fork 0
Code Issues Projects Releases Wiki Activity
LemonLDAP::NG Web SSO
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10184 Commits
107 Branches
123 Tags
109 MiB
 
 
 
 
 
Tag: Branch: Tree: 86b9ffedf7
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '86b9ffedf7'
${ noResults }
lemonldap-ng/doc/sources/admin/applications/googleapps.rst

171 lines
5.1 KiB
Raw Blame History

Google Apps
===========
|image0|
Presentation
------------
`Google Apps <http://www.google.com/apps/>`__ can use SAML to
authenticate users, behaving as an SAML service provider, as explained
`here <http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html>`__.
To work with LL::NG it requires:
- An `enterprise Google Apps
account <http://www.google.com/apps/intl/en/business/index.html>`__
- LL::NG configured as :doc:`SAML Identity Provider<../idpsaml>`
- Registered users on Google Apps with the same email than those used
by LL::NG (email will be the NameID exchanged between Google Apps and
LL::NG)
Configuration
-------------
Google Apps control panel
~~~~~~~~~~~~~~~~~~~~~~~~~
.. important::
This part is based on `SimpleSAMLPHP
documentation <http://simplesamlphp.org/docs/1.6/simplesamlphp-googleapps>`__.
As administrator, go in Google Apps control panel and click on Advanced
tools:
|image1|
Then select ``Set up single sign-on (SSO)``:
|image2|
Now configure all SAML parameters:
|image3|
- **Enable Single Sign-On**: check the box. Uncheck it to disable SAML
authentication (for example, if your Identity Provider is down).
- **Sign-in page URL**: SSO access point (HTTP-Redirect binding).
Example: http://auth.example.com/saml/singleSignOn
- **Sign-out page URL**: this in not the SLO access point (Google Apps
does not support SLO), but the main logout page. Example:
http://auth.example.com/?logout=1
- **Change password URL**: where users can change their password.
Example: http://auth.example.com
.. important::
You must check the option
``Use a specific domain transmitter`` to force Google Apps to send the
full entityId.
Certificate
~~~~~~~~~~~
For the certificate, you can build it from the signing private key
registered in Manager. Select the key, and export it (button
``Download``). This will download the public and the private key.
Keep the private key in a file, for example lemonldap-ng-priv.key, then
use openssl to generate an auto-signed certificate:
::
openssl req -new -key lemonldap-ng-priv.key -out cert.csr
openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem
You can now the upload the certificate (``cert.pem``) on Google Apps.
.. tip::
You can also use the certificate instead of public key in SAML
metadata, see :doc:`SAML service configuration<../samlservice>`\
New Service Provider
~~~~~~~~~~~~~~~~~~~~
You should have configured LL::NG as an
:doc:`SAML Identity Provider<../idpsaml>`,
Now we will add Google Apps as a new SAML Service Provider:
#. In Manager, click on SAML service providers and the button
``New service provider``.
#. Set GoogleApps as Service Provider name.
#. Set ``Email`` in ``Options`` » ``Authentication Response`` »
``Default NameID format``
#. Disable all signature flags in ``Options`` » ``Signature``, except
``Sign SSO message`` which should be to ``On``
#. Select ``Metadata``, and unprotect the field to paste the following
value:
.. code:: xml
<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/mydomain.org/acs" index="1" />
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
</SPSSODescriptor>
</md:EntityDescriptor>
.. important::
Change **mydomain.org** (in ``AssertionConsumerService``
markup, parameter ``Location``) into your Google Apps domain. Also adapt
your entityID to match the Assertion issuer: google.com/a/mydomain.org
Application menu
~~~~~~~~~~~~~~~~
You can add a link in :doc:`application menu<../portalmenu>` to display
Google Apps to users.
You need to adapt some parameters:
- **Address**: set one of Google Apps URL (all Google Apps product a
distinct URL), for example
http://www.google.com/calendar/hosted/mydomain.org/render
- **Display**: As Google Apps is not a protected application, set to
``On`` to always display it
.. important::
Change **mydomain.org** into your Google Apps
domain
Logout
~~~~~~
Google Apps does not support Single Logout (SLO).
Google Apps has a configuration parameter to redirect user on a specific
URL after Google Apps logout (see :doc:`Google Apps control panel<>`).
To manage the other way (LL::NG → Google Apps), you can add a dedicated
:doc:`logout forward rule<../logoutforward>`:
::
GoogleApps => http://www.google.com/calendar/hosted/mydomain.org/logout
.. important::
Change **mydomain.org** into your Google Apps
domain
.. |image0| image:: /applications/googleapps_logo.png
:class: align-center
.. |image1| image:: /documentation/googleapps-menu.png
:class: align-center
.. |image2| image:: /documentation/googleapps-sso.png
:class: align-center
.. |image3| image:: /documentation/googleapps-ssoconfig.png
:class: align-center