Google Apps SSO to Office 365 Integration

KETS Google Apps SSO to Office 365 Integration Kentucky Department of Education Version 1.5 12/3/2014

Google Apps for Education (GAFE) + Microsoft Active Directory Integration

Introduction
Welcome to the Google Apps for Education (GAFE) authentication integration with Office 365. This guide outlines the technologies and steps involved in the initial configuration of your district's GAFE environment to use the login credentials of Office 365. It also contains the support triage for ongoing support of this configuration.

Audience
This guide was written, and is kept up to date, for the technical administrators of Kentucky school districts' Office 365 environments and Google Apps for Education suites.

Technologies/Terminologies
A number of acronyms and technology terms come up when discussing user access to technology systems. This section defines the terminology used in this guide and gives a high-level overview of the major components of user access as they pertain to this integration.

Single Sign-On (SSO) is the ability to use one set of login credentials for two or more systems. In this scenario the Office 365 credentials are the authority for login access into Google Apps. In the KETS environment the Office 365 login credentials are also the Active Directory credentials. Before your GAFE environment is configured for SSO with Office 365, users either have a different password for GAFE than for Office 365, or go through a manual process of setting the GAFE password to match Office 365. The diagram below is a simple representation of the Google Apps environment separate from AD and Office 365.

Diagram 1

Authentication simply validates a user's identity. By itself it grants no access to anything; it only proves that users are who they say they are when logging in, like showing a photo ID. It is normally performed by validating a username and password the user provides. Once the GAFE authentication integration with Office 365 is complete, GAFE users who have a corresponding Office 365 mailbox will log in with the Office 365 username and password (the same as logging into Active Directory). The diagram below is a simple representation of the authentication path.

Diagram 2

Authorization defines what a given user has access to after login. Different systems use a multitude of authorization methods, from group membership to rich claims-based information about the user. In this GAFE to Office 365 implementation no authorization information about the user is passed from Office 365: what the user has access to is defined entirely in the Google Apps environment. Office 365 is used only to log the user in, proving they are who they claim to be.

Provisioning is the automated creation of users, groups and similar objects in one system from another. The process can also modify or delete objects in the relying system to match the authoritative system. A provisioning process (OLPS) is in place today that provisions from Active Directory to Office 365, so districts do not have to perform common user management tasks in Office 365. At this moment there is NO technical option to provision users from Office 365 to Google Apps for Education; the current Office 365 design prevents it. Future updates of Office 365 under consideration could allow provisioning, but at the moment you should be aware that it is not an option. Districts will continue to manage GAFE accounts in the Google Admin Console.

Diagram 3

Document Updates/Location
This document may be updated and enhanced over time. Please check for new versions periodically at http://education.ky.gov/districts/tech/pages/administrationandinstall-guides.aspx

Document Feedback
If you have any recommendations to improve this guide, please send your suggestions to KETSHelp@education.ky.gov and reference the location of this document.

Prerequisites
- A Google Apps for Education (GAFE) space must be set up with the district email suffix as the GAFE domain. Please note that existing accounts with a different suffix (e.g. a non-kyschools.us suffix) will be rendered inaccessible after this process!
- If Chromebook integration is desired, device management licenses must be purchased and the devices must be enrolled.
- At this time your district is a good candidate for the Azure Active Directory implementation if you use the Guest login functionality of the Chromebook. Your district is NOT a candidate if you have a one-to-one Chromebook deployment, or shared Chromebooks where users log in to the device directly with their GAFE credentials.

Note: future work by Google will permit individual account login to a Chromebook with integrated SSO (Azure Active Directory usernames and passwords).

Setup GAFE to Office 365 SSO
To reiterate, this configuration is for authentication from GAFE to Office 365 only. Account provisioning is not addressed at this time.

Step 1: Set up GAFE with the district email suffix domains (district.kyschools.us and stu.district.kyschools.us). Verify ownership of the domains with support from the KETS Service Desk.
Best practice: set up district.kyschools.us as the main (primary) GAFE space and add stu.district.kyschools.us as a domain in the Admin Console of the primary space.

Step 2: In the GAFE Admin Console create a temporary GAFE SuperAdmin account.
Note: This account does not need to be created in Active Directory or Office 365; it is only used for the initial configuration in Google Apps. Even if the GAFE SuperAdmin account has a corresponding Office 365 account, it will still log in with its GAFE password after SSO to Office 365 is implemented, because Google super admins bypass SSO. Give it a strong, unique password and remove it as soon as the work is complete (Step 5).

Step 3: After Steps 1 and 2 are complete, you are ready to schedule a time to implement the integration. Specify when you would like the setup to be completed. If you are already using GAFE, your users will have a different login experience immediately after Azure Active Directory Single Sign-On (SSO) is implemented, so depending on your current Google Apps deployment you may need to notify all users of the change of login. To ensure someone from the KETS Messaging and Directory Services (MADS) team can complete the work at your desired time, give a minimum of 24 hours of lead time. Submit the KETS Service Desk ticket as an email to ketshelp@education.ky.gov with the subject line: GAFE Integration to Azure AD. The body of the email should contain the GAFE SuperAdmin account username BUT NOT the password. The account password can be shared when you connect at the scheduled integration time.

Step 4: The MADS team will log in to your GAFE Admin Console, configure Single Sign On (SSO) with Azure Active Directory and import the Azure security certificate. Note that this certificate has an expiry date: when it is renewed on the Azure side, the new certificate must be imported into the GAFE Admin Console or SSO logins will fail, so plan the renewal with the MADS team.

Step 5: On notification of completion from the KETS Service Desk, remove/disable/delete the temporary GAFE SuperAdmin account.

Step 6: Ensure a 1:1 match between user accounts (UPN or SMTP address) in Active Directory and in the Google Apps for Education Admin Console.

Step 7: Test authentication with the GAFE URLs (e.g. https://drive.google.com/a/stu.district.kyschools.us).

Step 8: If Chromebook authentication is desired, make sure the devices are enrolled in the district Admin Console.

Step 9: Configure Single Sign On for Chrome devices.

District Implementation
For Single Sign-On, Google suggests sending users directly to the Drive property first. The implementation or login URL would be: https://drive.google.com/a/district.kyschools.us
If the user should instead land on the UserHub, the implementation or login URL would be the pass-through Microsoft Online Login page. When a user completes a successful login, the browser passes them on to the Google UserHub, where all of the Google Apps properties are listed.

iOS implementation: download the specific Google Apps (Drive, etc.) and sign in. Users will need to sign in twice the first time an app is authorized.
Chromebook Guest user implementation: instruct users to use the Chromebook as a guest user, then direct them to a login or launch button for Google Apps, per the instructions above.
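Step 6 above, together with the Prerequisites warning about accounts on a non-kyschools.us suffix, is the check that most often decides whether SSO works for a given user: Azure AD asserts the user's sign-in name (UPN) and Google must find an account with exactly that address. The Python script below is an added example, not part of this guide or of KETS tooling; it compares two CSV exports offline and sorts every account into a category that maps to a concrete failure mode. It assumes the AD export carries a UserPrincipalName column (for example from Get-ADUser -Filter * | Export-Csv) and that the Google Admin Console user export carries its "Email Address [Required]" column; the district name and all accounts in it are constructed sample data.

```python
"""Offline 1:1 account match check for Step 6 of the GAFE/Office 365 SSO setup.

Added example, not part of the KDE guide or of KETS tooling. Assumptions:
  - the AD side is a CSV with a "UserPrincipalName" column (for example the
    output of Get-ADUser -Filter * | Export-Csv ad_users.csv on a domain controller);
  - the Google side is the user list CSV exported from the Admin Console, which
    carries an "Email Address [Required]" column.
The district name and every account below are constructed sample data.
"""
import csv

# Domains verified in the GAFE Admin Console (guide: district.kyschools.us as the
# primary space, stu.district.kyschools.us added as a secondary domain).
GAFE_DOMAINS = {"district.kyschools.us", "stu.district.kyschools.us"}

# Constructed AD export: one staff user, one student, one service account.
AD_CSV = """UserPrincipalName,mail
Jane.Doe@district.kyschools.us,jane.doe@district.kyschools.us
john.smith@stu.district.kyschools.us,john.smith@stu.district.kyschools.us
svc-backup@district.kyschools.us,
"""

# Constructed Google export: the same two users, a legacy account on the old
# district suffix, and the temporary SuperAdmin from Step 2.
GAFE_CSV = """First Name [Required],Last Name [Required],Email Address [Required]
Jane,Doe,jane.doe@district.kyschools.us
John,Smith,John.Smith@stu.district.kyschools.us
Old,Account,old.account@district-oldname.org
Temp,Admin,gafe-setup-admin@district.kyschools.us
"""


def normalize(address):
    """Lower-case and strip the address: Google addresses are case-insensitive,
    so exports that differ only in case must not be reported as mismatches."""
    return address.strip().lower()


def load_column(csv_text, column):
    """Return the set of normalized, non-empty values of one CSV column."""
    reader = csv.DictReader(csv_text.splitlines())
    return {normalize(row[column]) for row in reader if (row.get(column) or "").strip()}


def compare_accounts(ad_csv, gafe_csv, domains=GAFE_DOMAINS):
    """Classify every account so each category maps to a concrete failure mode."""
    ad = load_column(ad_csv, "UserPrincipalName")
    gafe = load_column(gafe_csv, "Email Address [Required]")

    def in_scope(addr):
        return addr.rsplit("@", 1)[-1] in domains

    return {
        # Google accounts whose suffix is not a verified GAFE domain: the guide
        # warns these become inaccessible after the cutover.
        "wrong_suffix": sorted(a for a in gafe if not in_scope(a)),
        # Google accounts with no AD/Office 365 counterpart: Azure has nothing to
        # authenticate, so SSO login fails (only a GAFE-password SuperAdmin bypasses SSO).
        "gafe_only": sorted(a for a in gafe if in_scope(a) and a not in ad),
        # AD accounts with no Google account: Azure login succeeds but Google has
        # no account matching the asserted address, so the user is rejected at Google.
        "ad_only": sorted(a for a in ad if in_scope(a) and a not in gafe),
        "matched": sorted(ad & gafe),
    }


def main():
    report = compare_accounts(AD_CSV, GAFE_CSV)
    for category, accounts in report.items():
        print(f"{category}: {accounts if accounts else '(none)'}")


if __name__ == "__main__":
    main()
```

Run it against the two real exports before the scheduled cutover: anything in wrong_suffix must be renamed or migrated first, anything in gafe_only (other than the temporary SuperAdmin) will fail SSO login, and anything in ad_only is a user who can sign in to Azure but has no Google account to land on.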

Supportability Framework
It is important to note and understand the support structure around the integration of 3rd-party applications with Azure Active Directory. Consult the following notes before submitting the integration request (Step 3 above). KDE has a Microsoft Premier Support Agreement that covers all integration activity within Azure Active Directory. If authentication into the Office 365 portal (https://portal.office.com) is successful, then Azure Active Directory is functioning as designed: Office 365 uses Azure Active Directory through the same mechanism as additional 3rd-party applications (e.g. Google Apps for Education). If the issue does not require Microsoft assistance (that is, authentication into Office 365 is successful), district IT support should begin with the 3rd-party application's support channels. See the triage flow below. For support details for Google Apps For Education (GAFE), see the Support tab inside the GAFE Admin Console.

Support triage flow (swimlanes: District IT, 3rd Party Service Provider (Google, etc.), KETS Service Desk, Premier Support)

1. Issue detected; District IT performs triage.
2. Multi-user issue?
   N: District troubleshooting. Issue resolved? Y: End. N: District contacts the service provider (Google, etc.). End.
   Y: Does the issue require Microsoft assistance (i.e. authentication into Office 365 also fails)?
      N: District contacts the service provider (Google, etc.). End.
      Y: District opens a KETS Service Desk ticket and assigns it to MADS. Issue resolved? Y: End. N: MADS opens a Premier case with Microsoft. End.