Google Apps and Open Directory. Randy Saeks Twitter: @rsaeks http://www.techrecess.com

Similar documents
An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

Administration Guide. WatchDox Server. Version 4.8.0

User Guide. Version R91. English

Administering Google Apps & Chromebooks for Education

INTEGRATION GUIDE. DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

Gmail Or other POP3

Administrator Guide. v 11

CA Performance Center

SAML-Based SSO Solution

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

Get Cloud Ready: Secure Access to Google Apps and Other SaaS Applications

Office 365 deployment checklists

Authentication Methods

VMware Identity Manager Administration

Initial Setup of Microsoft Outlook with Google Apps Sync for Windows 7. Initial Setup of Microsoft Outlook with Google Apps Sync for Windows 7

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Drupal

Introduction to Directory Services

SAML single sign-on configuration overview

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

VMware Identity Manager Administration

Google Apps Premier Edition. Included Yes Yes Yes Storage 25 GB Varies by deployment

Copyright: WhosOnLocation Limited

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

Configuring Parature Self-Service Portal

Office 365 deploym. ployment checklists. Chapter 27

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Getting Started with Clearlogin A Guide for Administrators V1.01

Configuring EPM System for SAML2-based Federation Services SSO

Google Apps Deployment Guide

SAP NetWeaver AS Java

SOA, case Google. Faculty of technology management Information Technology Service Oriented Communications CT30A8901.

SAP NetWeaver Fiori. For more information, see "Creating and enabling a trusted provider for Centrify" on page

SP-initiated SSO for Smartsheet is automatically enabled when the SAML feature is activated.

Configuring Salesforce

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

Extending Remote Desktop for Large Installations. Distributed Package Installs

Google Apps Implementation Early Adopter Deployment Offerings

Cloudwork Dashboard User Manual

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

Connected Data. Connected Data requirements for SSO

Using Shibboleth for Single Sign- On

Agenda. How to configure

ADMINISTRATOR GUIDE VERSION

Configuring. Moodle. Chapter 82

VERALAB LDAP Configuration Guide

System Configuration and Deployment Guide

Computer Services Documentation

Single Sign On. SSO & ID Management for Web and Mobile Applications

Quick Start Guide for VMware and Windows 7

Important Information

Setting Up the Mercent Marketplace Price Optimizer Extension

Active Directory Service. Integration Parameters and Implementation

How To - Implement Single Sign On Authentication with Active Directory

OIOSAML 2.0 Toolkits Test results May 2009

Active Directory Manager Pro New Features

Simple. Control Panel. for your Linux Server. Getting Started Guide. Simple Control Panel // Linux Server

HGC SUPERHUB HOSTED EXCHANGE SMART PANEL 2013 USER GUIDE

Configuration Guide BES12. Version 12.1

Symplified I: Windows User Identity. Matthew McNew and Lex Hubbard

WatchDox Administrator's Guide. Application Version 3.7.5

Google Integration Instructions

For details about using automatic user provisioning with Salesforce, see Configuring user provisioning for Salesforce.

AVG Business SSO Partner Getting Started Guide

Vodafone Secure Device Manager Administration User Guide

F-Secure Messaging Security Gateway. Deployment Guide

Zoho CRM and Google Apps Synchronization

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Workflow Templates Library

Configuration Guide BES12. Version 12.3

Quick Start Guide for Parallels Virtuozzo

ManageEngine Desktop Central. Mobile Device Management User Guide

You will need your District Google Mail username (e.g. and password to complete the activation process.

I. Delivery Flash CMS template package II. Flash CMS template installation III. Control Panel setup... 5

Cisco WebEx Connect Administrator s Guide

Installation and Configuration Guide

Outlook Connector Installation & Configuration groupwaresolution.net Hosted MS Exchange Alternative On Linux

User Management Tool 1.5

Egnyte Single Sign-On (SSO) Installation for OneLogin

Configuring. SugarCRM. Chapter 121

HOTPin Integration Guide: Google Apps with Active Directory Federated Services

F-SECURE MESSAGING SECURITY GATEWAY

Preparing for GO!Enterprise MDM On-Demand Service

GREEN HOUSE DATA. Services Guide. Built right. Just for you. greenhousedata.com. Green House Data 340 Progress Circle Cheyenne, WY 82007

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

IM and Presence Disaster Recovery System

SAML application scripting guide

iview (v2.0) Administrator Guide Version 1.0

Setup Guide Access Manager 3.2 SP3

Document OwnCloud Collaboration Server (DOCS) User Manual. How to Access Document Storage

Configuration Guide BES12. Version 12.2

Request Manager Installation and Configuration Guide

Configuration Guide. BES12 Cloud

Table of contents 1. IMPORTANT INFORMATION BEFORE YOU START GETTING STARTED EXCHANGE CONTROL PANEL... 2

Vantage CRM Archiving Setup

WEB HELP DESK GETTING STARTED GUIDE

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

Transcription:

Google Apps and Open Directory Randy Saeks Twitter: @rsaeks http://www.techrecess.com

Agenda Quick Google Apps Overview Structure Setup Preparing OD Configuration Q&A&S

Resources http://techrecess.com/technical-papers/gapps/

Google Apps Overview Standard, Premier and Education are major editions. Differences relate to cost and storage. Cost Storage Limitations Education $0 7GB email Standard $0 Premier $50 per user per year 25GB email Need to be Edu. or 501(c)3 50 accounts Does not to SSO

Apps Services (Old Account) Mail Sites Moderator Video Google Chat Calendar Docs Mobile Google Labs Marketplace Tools Extends ability of Google Apps with other services

Google Account (New Services) Blogger Finance Picasa Places Reader Books Maps Youtube Voice News Bookmarks Latitude

Google Applications Emphasizes Collaboration Service Control Remote Access Sharing and permissions

Chat / Voice Jabber protocol Organizational IM capability Voice & Video Supported Offline messaging & archiving Phone calls / SMS

Docs Documents Presentations Spreadsheets Forms Drawing

Docs Convert existing documents Template support Videos Store & share other files

EMail Provides domain email services POP, IMAP, web Sync to devices Many users already know GMail Grant other accounts access within domain

Tech Overview GADS SAML Y U NO SUPPORT LDAP Side Note: Either method takes over password security, so password limitations are organizational, NOT Google

Workflow for GADS Google Apps User Applications Pushes user information to Google Apps user database on schedule or when invoked Google User Database Cached Directory Data OpenDirectory Selects specific LDAP data Returns data via LDAP GADS Live Directory Data

Workflow for SAML Google Apps User Web Browser SAML SP Live Directory Information Asks to verify user Requests service attributes Returns valid user Returns attributes OpenDirectory Via LDAP Returns attribute values via LDAP SAML IdP

Domain Structures

Single Domain & Flat Structure One domain to manage... Loss of control to differentiate service access Need to tweak OD for password syncing... Allows OD password to work with Google Apps No tweaks needed for SAML... I ve got nothing

Single Domain with Groups / sub-domains (SD) One domain to manage... GADS configuration for password syncing with SD... Need to tweak OD for SAML logins with SD... Only need one SSO configuration... Control services on group / SD level OD passwords sync & can control Group membership Only one SAML install required Caveats with Sub-Domains

Multiple Domains Multiple domains to manage... Need to tweak OD for password syncing... No tweaks needed for SAML... Need SSO configuration per domain... Control services on domain level Allows OD password to work with Google Apps Again, nothing Flexibility in SSO configuration and options

Service Management Services can be enabled / disabled based on group membership Group membership can include subdomain membership Control Panel gives insight to services available to users Allowed overrides denied

One or Multiple Domains with SAML Configure SAML Identity Provider (IdP) Determine attribute mapping for identifying user in Google Apps Accounts need to exist in Google Apps Determine attribute that is the full user ID (Needed with subdomains)

Google Apps Directory Sync (GADS) Password Server External Command Attribute for SHA1 hash of password Configure GADS Users can be created in Google Apps Determine GADS run frequency

Syncing OD Passwords via GADS What do we need to do? Get password on user record Send to Google Oh, and in a secure manner

Workflow for GADS Google Apps User Pushes user information to Google Apps user database on schedule or when invoked Google User Database Cached Directory Data OpenDirectory Selects specific LDAP data Returns data via LDAP GADS Live Directory Data

Capturing The Password /Library/Preferences/com.apple.passwordserver External Command relative to /usr/sbin/authserver/tools/

Getting Password on User Record

Sending Change to Google Apps Google Apps Directory Sync Windows XP, Vista, Solaris, Linux Configurable on a schedule Execute from password change script

Sending Change to Google Apps

Security Consideration Protect file system access to script! Use Directory Access Controls (DACLs)

Google Apps Directory Sync

Domain Setting

Exclusion Rules

LDAP Connection

LDAP Attributes, PT I

LDAP Attributes, PT II

User Sync Options, PT I

User Sync Options, PT II

Delete Limits

Other Sync Settings Groups Profile data Shared Contact data Email notifications of sync status

Sync Run manually Run via schedule task or cron job Command in password change script

SAML Similar to Kerberos for web Requires an IdP (OD) and SP (Google) Extensible to other products using this architecture

CSV Import email Address First Name Last Name Password UserAy@example.com User Ay,alas UserBee@example.com User Bee honey UserSea@example.com User Sea OldMan&

Provisioning Toolkit VMWare image Does the heavy work for you Queries LDAP to create accounts Specifies default password

Google Apps Provisioning Toolkit Free Download from SADA Systems http://code.google.com/p/google-apps-provisioning-toolkit/

Provisioning toolkit Configuration

Provisioning toolkit Configuration, Cont Once toolkit is configured, navigate to http://ip/googleappstoolkit/admin/ Walks you through process with options

SimpleSAMLphp Open-source PHP SAML solution Download from: http://simplesamlphp.org/

Workflow for SAML Google Apps User Web Browser SAML SP Live Directory Information Asks to verify user Requests service attributes Returns valid user Returns attributes OpenDirectory Via LDAP Returns attribute values via LDAP SAML IdP

SAML Overview Source: http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html

Installation Unpack files Create web alias in Server Admin (SA) Enable php module in SA

/config/config.php Set Administrative Password Hash Value Technical Contact Enabled Services 'enable.saml20-idp'!! => true,

/config/config.php

Enable SAML LDAP Navigate to modules directory > LDAP Enable with command: touch /path/to/saml/modules/ldap/enable

Securing the Trust Generate RSA keys Upload.crt to Google Apps

/config/ldap.php Specify dn pattern LDAP host attributes to retrieve

/metadata/saml20-idphosted.php Define Entity ID Define Host Specify Certificates previously created

/metadata/saml20-spremote.php Create metadata array Define ACS Set nameid format Define nameid attribute

Nameid attribute Defines attribute passed to Google Apps once user and password verified Can be any LDAP attribute Single domain setups can use uid Subdomains should use attribute specifying user@domain

Security Consideration Limit your Directory Admins nameidattribute will be your linked Google Apps Account

Configuring Google Apps for SAML Advanced Tools in cpanel -> SSO Sign-In page Sign-Out page Can specify a redirect with :?RelayState= Network Mask (Good for testing!)

Configuring Google Apps for SAML

Testing Include small IP range to test Login with one machine prior to enabling SSO Test with secondary machine

In Relation to Setup Test domain is great Determine service implementation and enablement schedule Access methods

In Relation to Passwords Access methods determine passwords Find a web-based password reset Built into 10.6 Server.

In Relation to Users Establish a migration schedule Ample bandwidth for mail migration Calendar management Google cpanel shows group membership on user account Deleting user takes time to revert

In Relation to Admins Create tiered admins! Admins within Google Apps should reflect policies. Delegate permissions

Marketplace Tools Additional apps for your domain Management and admin tools SADA Systems User Rename Tool New EDU category

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information