Ask Slashdot: Single Sign-On To Link Google Apps and Active Directory?

trazom28 writes to seek answers to a problem faced by many businesses (and, as in this case, schools): "We are looking for a solution to a single sign on to coordinate Active Directory and Google. You can sync the passwords easily enough with Google Apps Password Sync, but ideally we would like the students and staff to be able to sign in once and be done. Additionally, the Google login requires the @domain.k12.wi.us so it would have to take the AD username, pass it along and tack on the domain to log into Google.

Has anyone seen any solution for this that actually works, or is this the Holy Grail of all IT? Please hold off on any Google haters, that's a different discussion for a different forum.
  • ADFS (Score:2, Insightful)

    by Anonymous Coward

    http://www.lmgtfy.com/?q=ADFS+Google+Apps

  • LDAP won't work? (Score:5, Informative)

    by drakaan ( 688386 ) on Tuesday November 04, 2014 @01:50PM (#48311805)

    https://support.google.com/a/a... [google.com]

    I googled it.

  • SAML v2.0 isn't easy...are you sure the GADS isn't enough?

    http://www.huggill.com/2012/01/12/setting-up-google-apps-single-sign-on-sso-with-adfs-2-0-and-a-custom-sts-such-as-identityserver/

    • GADS is nice - we make AD changes, and on the sync, Google gets them. That part rocks. SSO itself would be ideal, however. Starting to read though and it does look like a good challenge. From what I'm reading so far, ADFS may do what is needed. Lots more research needed though before I fire anything in.

  • Use WAAD or Okta, or learn how to set up a proper SSO environment since both platforms you mention offer excellent SSO interop.

  • by Anonymous Coward

    Google has a solution.

    https://support.google.com/a/a... [google.com]

  • by Anonymous Coward

    You should have a look at either CAS 4.0 or Shibboleth as your SAML 2 provider. Both integrate well with Open LDAP and Active Directory.

  • by José Tudela de la Rosa ( 3900535 ) on Tuesday November 04, 2014 @02:00PM (#48311909)

    You can use Active Directory and/or OpenLDAP and then simpleSAMLphp and link to Google Apps.

    We do it this way:

    1) RCDevs WebADM LDAP Directory (or in your case Active Directory)

    2) simpleSAMLphp There's actually a good tutorial to integrate with Google Apps here: https://simplesamlphp.org/docs... [simplesamlphp.org]

    3) Google Apps configured for SAML 2.0

    It took me about 15 minutes to set it up.

    Any question feel free to ask.

  • Why would you sync rather just allowing federation? Just consume a SAML token through AD Fed, or an OAuth token via Google.

  • Google plays well with it and AD can be used as its back end. https://wiki.jasig.org/display... [jasig.org]
  • by thedbp ( 443047 ) on Tuesday November 04, 2014 @02:05PM (#48311961)

    Check out http://www.centrify.com/cloud/... [centrify.com]

  • What you want is Pubcookie. I've configured Kerberos SSO across a network before and found Pubcookie at a different job. It's a little tricky at first, possibly because of some of the thin or confusing documentation, but it's very good. It's also free.

    Pubcookie wiki link [wikipedia.org]
    How it works [pubcookie.org]
  • Has anyone seen any solution for this that actually works, or is this the Holy Grail of all IT? Please hold off on any Google haters, that's a different discussion for a different forum.

    Don't insult Google? Sure, but your sad devotion to that ancient active directory has not helped you conjure up the solution, or given you enough clairvoyance to find the correct answer. Don't try to frighten us with your Microsoft ways, Lord_trazom28

  • by bsquizzato ( 413710 ) on Tuesday November 04, 2014 @02:20PM (#48312079)

    I see a lot of people here pointing you to articles on how to set up a SAML IdP. I mean -- that is a start -- but you may still be confused on how to solve your problem. If I understand it correctly -- you want your users to be able to sign in using "username", but have "username@domain.com" passed on to Google Apps, correct?

    First, if you don't know what "SAML", "IdP" or "SP" is, read this: https://developers.google.com/google-apps/sso/saml_reference_implementation

    Then the process, no matter what IDP, is going to be similar.
    1) Choose your SAML IDP (OpenAM? Ping? ADFS? Others?)
    2) Set it up to authenticate your users using AD based on their username -- in other words it needs to match usernames/passwords that your end users provide on the login page based on the "sAMAccountName" attribute in MS AD.
    3) You will need to exchange SAML metadata between Google Apps and your IdP.
    4) When you import the Google Apps metadata to your IdP and configure the SP for Google Apps, configure the IDP to tell Google Apps that your username is the "mail" attribute in the Name Identifier -- or, if your mail attribute in LDAP does not have the correct @domain.com you need, then you could use the Active Directory "Attribute Editor" and just assign some random attribute the proper "Google ID" for each user. Then pass this attribute along to Google as the "Name ID".

    The nice thing about ADFS is it is so closely tied with Active Directory, so step #2 kind of takes care of itself. A guide for integrating ADFS and Google Apps is here: http://www.huggill.com/2012/01/12/setting-up-google-apps-single-sign-on-sso-with-adfs-2-0-and-a-custom-sts-such-as-identityserver/

    When that author gets to the part on "Select Transform an Incoming Claim from the Claim rule template drop-down:", I'd probably do it a bit differently. I'd instead do this:
    * Select "Send LDAP Attributes as Claims"
    * Send the "mail" attribute as outgoing claim type "Name ID" (or whatever attribute you want to use in LDAP for your Google usernames)

    • You are correct - having elementary students type the @domain.etc.yadda.yadda that GAFE requires can be painful for the teaching staff to work through. I appreciate your comments and information - really has given me a lot to read over and I'm thinking that may just do the trick. Thank you!

      • Glad it helps. And as I've seen some other folks mention -- if the students will be signing in to Google Apps from a machine joined to the AD domain, and they already have logged in to that machine using their Active Directory account... then you could look into using Kerberos as the authentication method on the IDP instead of using an HTTP username/password form. So then, they truly only enter in their credentials once: when they sign in to the PC. Same principles still apply for sending the Name ID to Goo
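The Name ID mapping that bsquizzato's steps 2 and 4 describe (authenticate on sAMAccountName, hand Google a full e-mail address as the SAML NameID), written out as an added example that is not from any poster or product in this thread. It assumes a constructed set of AD records; "googleID" is a hypothetical name for the extra attribute he suggests populating via Attribute Editor, and the Google domain is the one from the question.

```python
import re
import xml.etree.ElementTree as ET

GOOGLE_DOMAIN = "domain.k12.wi.us"  # Google Apps domain from the question
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)
_LOCALPART = re.compile(r"^[a-z0-9._-]+$")

# Constructed sample of what the IdP sees after authenticating a user against AD.
SAMPLE_AD_USERS = {
    "jdoe":   {"sAMAccountName": "jdoe", "mail": "John.Doe@domain.k12.wi.us"},
    "asmith": {"sAMAccountName": "asmith", "mail": "asmith@staff-exchange.local"},
    "bkim":   {"sAMAccountName": "bkim", "mail": None,
               "googleID": "bkim2@domain.k12.wi.us"},  # hypothetical attribute
    "tlee":   {"sAMAccountName": "SCHOOL\\tlee", "mail": None},
    "bad":    {"sAMAccountName": "x y", "mail": None},
}


def google_name_id(user: dict, domain: str = GOOGLE_DOMAIN) -> str:
    """Derive the NameID Google expects (a full address in the Google domain).

    Preference order, as in the thread: the 'mail' attribute if it is already in
    the Google domain, else the dedicated 'googleID' attribute, else
    sAMAccountName + '@' + domain. Anything that cannot be normalised to a clean
    local part is rejected rather than sent to Google.
    """
    for value in (user.get("mail"), user.get("googleID")):
        if value and value.lower().endswith("@" + domain):
            return value.lower()
    sam = (user.get("sAMAccountName") or "").lower()
    sam = sam.split("\\")[-1]  # strip a NetBIOS prefix such as DOMAIN\user
    if not _LOCALPART.match(sam):
        raise ValueError(f"no usable Google ID for {user.get('sAMAccountName')!r}")
    return f"{sam}@{domain}"


def name_id_element(user: dict) -> str:
    """Serialise the <saml:NameID> with the emailAddress format Google requires."""
    el = ET.Element(f"{{{SAML_NS}}}NameID", Format=NAMEID_EMAIL)
    el.text = google_name_id(user)
    return ET.tostring(el, encoding="unicode")
```

In ADFS the same mapping is what the "Send LDAP Attributes as Claims" rule produces when "mail" is issued as the outgoing "Name ID" claim.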

  • I've done this. (Score:4, Informative)

    by Havokmon ( 89874 ) <rick&havokmon,com> on Tuesday November 04, 2014 @02:27PM (#48312115)
    I was InfoSec at a Fortune 500 company that moved to Google Apps and the Security rep for the email migration. SSO and account verification was to be accomplished via SAML - so we could restrict non-exempt employees and consultants, etc. Not having worked with it before, I set up SimpleSAMLphp [simplesamlphp.org] on my Windows laptop using my personal domain on Google. It took me about 40 minutes to get my local AD credentials to auth to my domain on Google.

    They paid $1mil for 4 servers to do the same thing.

  • I know I'm kind of picking this apart unnecessarily, but you say, "Has anyone seen any solution for this that actually works, or is this the Holy Grail of all IT?" Why would it be one or the other, and why would this possibly be the Holy Grail of all IT?

    • I'd assumed the holy grail comment was referring to real SSO, as opposed to using the same credentials everywhere but entering them for each individual service.

    • On the education side of IT, your end users range in age from 4 to 18 (students) and then staff/adults. The simpler you can make things, and make them work, the better. For example, a teacher will have 20+ kids in the room, need to get them all signed in to AD, then signed into Google/GAFE. Depending on the age of the group, this can be extremely challenging, especially if usernames are different, and passwords are different. If they could sign in *once* with a short username, and standard password - th

  • This is fairly easy:
    1. Set up a Shibboleth IdP (www.shibboleth.net)
    2. Configure it to do Kerberos (https://wiki.shibboleth.net/confluence/display/SHIB2/Kerberos+Login+Handler) and configure the browser to behave https://wiki.shibboleth.net/co... [shibboleth.net]
    3. Federate with Google Apps

    User authenticates to machine & SSOs over to Google Apps & done. Since it seems that you're in Wisconsin, contact the IdP folks at UW-Madison: help@login.wisc.edu. They can likely assist you with setting things up.

  • Our university uses CAS SSO by JASIG. https://wiki.jasig.org/display... [jasig.org] . It's nice because anyone can use it without having to get IT involved for their own pet projects and they never get a secret to maintain or permissions to setup like with AD or LDAP.
  • Disclaimer: I work for Oracle but not in sales nor in any branch related to this product.

    At the office (where I work as a senior iOS / OS X native app developer), we have Oracle SSO [oracle.com] running on all of our internally-deployed apps, including web sites, desktop apps, mobile.

    OP talks of the holy grail of IT so, while I don't know of alternatives, based on my experience, it's quite possible to have a decent single sign-on system.

    Obviously, Oracle's offering is not free (as in beer speech) at 85$ a seat. It's best to

  • Have done it a couple of times and it's not that hard:
    http://www.huggill.com/2012/01... [huggill.com]

  • Centrify, Ping Identity, Bit Glass and others can provide SSO capabilities between your core infrastructure (AD) and the cloud. Some include sync tools and others provide nearly full ADFS implementations. They can also provide 2FA and other authentication mechanisms. Centrify can even give you MDM (Mobile Device Management) for 802.1x-like functionality. Bit Glass can do some very cool proxying that gives you DLP-style watermarking of stored files on the cloud. Etc etc etc.
  • Haven't tested personally, but it looks good, and doesn't require any "roll-your-own" crap.

    http://azure.microsoft.com/en-... [microsoft.com]

    • by eWarz ( 610883 )
      Off topic. Only applies to azure.
      • by Jahta ( 1141213 )

        Off topic. Only applies to azure.

        Actually no. You can use Azure AD as an extension of your own AD, and it does support 3rd party SSO against Google and other SaaS apps. This can be a good solution for organisations that can't (or don't want to) expose their own internal AD on the internet.

  • It's an outstanding web SSO product. A few clicks and you're set.

  • I don't understand why you're trying to use two distinct systems that were not designed to work together when there is a very easy solution already there?

    The solution you're looking for will have to be custom programmed and it doesn't exist yet.

    That is the answer. If you're prepared to hire a programmer or programming house to do it for you... vaya con dios.

    If that were my show, I would just install an exchange server. MS haters won't like that... but if you're going with an active directory already then wh
