Ask Slashdot: Single Sign-On To Link Google Apps and Active Directory? 168
trazom28 writes to seek answers to a problem faced by many businesses (and, as in this case, schools): "We are looking for a solution to a single sign on to coordinate Active Directory and Google. You can sync the passwords easily enough with Google Apps Password Sync, but ideally we would like the students and staff to be able to sign in once and be done. Additionally, the Google login requires the @domain.k12.wi.us so it would have to take the AD username, pass it along and tack on the domain to log into Google.
Has anyone seen any solution for this that actually works, or is this the Holy Grail of all IT? Please hold off on any Google haters, that's a different discussion for a different forum.
Has anyone seen any solution for this that actually works, or is this the Holy Grail of all IT? Please hold off on any Google haters, that's a different discussion for a different forum.
Re: (Score:2, Insightful)
Because the responses are unhelpful, and maybe people won't be as likely to post them if they feel like they'll be redundant.
Re:What the hell (Score:4, Insightful)
And this is why we can't have nice things.
Re:What the hell (Score:4, Insightful)
And this is why we can't have nice things.
No, it's precisely why we DO have nice things.
99% of the time the best answer is not the one you want.
Re: (Score:2)
73.4% of stats are made up 99% of the time.
Re: (Score:2)
[Made-up or mis-remembered, hand-waved citation needed]
Re: (Score:2)
A Oh fuck, I hate driving, the roads are full of holes!
Yup, very helpful and applicable.
Re: (Score:1)
Re: (Score:2)
If you are turning north from I-10 onto I-65, or if you are on I-65 and turning east or west onto I=10, you have already failed at taking the quickest was from anywhere to anywhere else.
Just looking at a map, while coming from North I-65 and going east on I-10 looks kinda nonsensical, going west doesn't look so bizarre. You'd use that connection when going from Montgomery to New Orleans, wouldn't you?
Or is that just a general comment that those roads tend to be congested, and are never the quickest way (no matter which way you turn?)
Re: (Score:2)
Q How do you get to I-65 from I-10?
If you're heading East on I-10, take the I-65 interchange in Mobile. If you're heading West on I-10, you can take U.S. 90, 98 or 45, depending on where you're going.
Re: (Score:2, Informative)
It's not unhelpful to point out that some students may not be willing to create a Google account, so any process that requires such is non-viable as a widespread solution.
Re: (Score:3)
The OP is using GAFE, Google Apps for Education. It's basically the same as the commercial offering. Students don't create their own accounts, the district likely has a process in place that automatically provisions the new accounts using something like Google Apps Directory Sync or a 3rd party app that uses the Google Accounts APIs. Kids / employees go to sign in and it Just Works. (TM).
(Source: I've implemented GAFE / GADS at a K-12.)
Re: (Score:1)
Students don't create their own accounts
Gah. The point isn't about who pushes the button to create the damn thing.
Think again. If my child was in such a system, I would not allow a creation of an advertising-firm account on their behalf, regardless of who actually pushes the final button. It's the account that is unacceptable, not the specifics of who creates it.
Re:What the hell (Score:5, Informative)
Well, GAFE accounts aren't normal google accounts. Function wise they're the same, but Google promotes that they are not put through the same advertising analytics that normal gmail accounts are.
From the GAFE website [google.com]:
Google Apps is governed by a detailed Privacy Policy, which ensures we will not inappropriately share or use personal information placed in our systems. Google complies with applicable US privacy law, and the Google Apps Terms of Service can specifically detail our obligations and compliance with FERPA (Family Educational Rights and Privacy Act) regulations. Google is registered with the US-EU Safe Harbor agreement, which helps ensure that our data protection compliance meets European Union standards for educational institutions
FERPA is the big stickler here, as google really couldn't offer the service without being FERPA compliant, and they couldn't run Google Business as usual and still be FERPA compliant.
Now, as to whether you choose to believe their claims, that's another story, but you're approaching it with a lot of misinformation, it seems.
Re: (Score:3)
Overall, I was quite pleased at the presentation my children's school gave to the parents that attended "technology night". Privacy concerns, including advertising data, were among the many topics discussed, and the district and school representatives who were involved in the deployment had just about all the answers we needed. In our particular case, it turns out that all of the tracking data is restricted to authorized district personnel, and can be/is destroyed on-demand (after a student leaves the sch
Re: (Score:1)
Students don't create their own accounts
Gah. The point isn't about who pushes the button to create the damn thing.
Think again. If my child was in such a system, I would not allow a creation of an advertising-firm account on their behalf, regardless of who actually pushes the final button. It's the account that is unacceptable, not the specifics of who creates it.
Well, school boards like mine don't have much cash, you're kids would get what we give them or they can do all their work on paper. GAFE does has advertising disabled.
Re: (Score:2)
I'm not sure why you're hung up on PHI, I didn't see anything related to medical information mentioned yet. But that's what business agreements are for: to share or pass the blame.
Re:What the hell (Score:4, Funny)
"And what guarantees will you make against PHI disclosure?"
You can't fully diclose PHI = its an irrational number
= ( 1 + 5 ) / 2
Re: (Score:1)
(1 + sqrt(5))/2
Re: (Score:2)
"And what guarantees will you make against PHI disclosure?"
You can't fully diclose PHI = its an irrational number
= ( 1 + 5 ) / 2
3?
Re: (Score:2)
Kudos, moderators (Score:2)
From the summary: "Please hold off on any Google haters, that's a different discussion for a different forum."
From msobkow: "People will post what they post, regardless of your control-freak fantasies of filtering out the chaf."
From the mods (to msobkow): "-1 Offtopic".
Nicely done, mods. That's what moderation is for: not to suppress ideas you disagree with, or silence people you dislike, but to keep conversations on topic and useful.
(And, yes, this post is off topic, but I had to say this and my ka
Re: (Score:2)
Yes, because responding to a line of the summary is clearly "off topic". *LMAO*
I could see rating my post as "troll" for the inflammatory language, but "off topic"?
How much more "on topic" does one get than responding directly to the summary or article?
ADFS (Score:2, Insightful)
http://www.lmgtfy.com/?q=ADFS+Google+Apps
Re: (Score:2)
All this single sign on, integrated sign on, etc. is a nightmare for people who prefer to browse the web without the entire fucking world knowing where you've been and what you've been up to. Ya...I know...porn. But there are many other things you wouldn't want people to be snooping into.
Your bank or other financial services.
You medical information or interests.
What social media you frequent
etc.
There's nothing worse than going to some website and seeing, "Hi John Dough!". If I want to log in, I'll log in. O
Re: (Score:1)
LDAP won't work? (Score:5, Informative)
https://support.google.com/a/a... [google.com]
I googled it.
Re: (Score:2)
You are correct that AD manages the passwords. We can setup GAPS very easily (Google Apps Password Sync) and already utilize GADS (Google Active Directory Sync). So there is *that* LDAP integration. Haven't missed it. The actual question was SSO, not password sync, and they aren't the same thing. I want a student (elementary, for example, ages 4-10 or so) to be able to use one small login, and be able to access all they need to.
I was able to and have been doing research prior to posting, and after post
Re: (Score:2)
Re:LDAP won't work? (Score:4, Informative)
If you run AD, you should probably run ADFS. http://msdn.microsoft.com/en-u... [microsoft.com]
It runs on top of AD, and provides standards-based SSO for users. It works nicely with Google Apps.
It's a bit complex to set up, but there are articles like http://www.huggill.com/2012/01... [huggill.com] . Basically, ADFS is a SAML Identity Provider and Google Apps is a SAML Service Provider. So when users go to log into Google using your domain, they are redirected to ADFS to log in, which validates them against AD, then redirects them back to Google. Then when they access any other service that you have SSO with, the user doesn't have to re-authenticate.
You can do the same thing with Ping Federate. If nothing else, you can get quotes from both. But if you get educational pricing from MS, ADFS is likely cheaper. ADFS doesn't cost anything (other than paying for the servers and OS) - the expensive part is buying the AD CALs for everyone doing SSO, which you already have.
Re: (Score:2)
What will you do for the students who don't want Google tracking everything they do?
I especially like the fact that he's posted the login format in the article. Should make a forced breach by China/Russia/Anonymous/AngryStudents all the easier.
login requires the @domain.k12.wi.us so it would have to take the AD username, pass it along and tack on the domain to log into Google.
Re: (Score:3)
That's the login format for schools across the country. It's not exactly a state secret.
Re: (Score:3)
School may not be a democracy, but the school also can't do whatever it pleases. Handing over information to corporations seems unacceptable to me, especially if it's a public school.
Re: (Score:2)
Public schools hand over student data to corporations and have for a long time. I've worked in multiple school districts since 1994 and I have not encountered an exception. Though it has been steadily increasing since software as a service has been hitting education channels. If you want to start your own privacy-oriented charter school, more power to you; good luck trying to get any IT, truancy or grade services/software though.
Re: (Score:2)
Public schools hand over student data to corporations and have for a long time.
Which is, of course, wrong. They also use proprietary software. Our priorities are screwed.
Re: (Score:2)
I certainly don't disagree with you. It's just hard as a school to find software or services that meet your needs that don't come with a Faustian price tag.
Re: (Score:3)
School isn't a democracy
School boards are elected.
Plus as a publicly funded, attendance is essentially mandatory (private and homeschooling alternatives aside), AND it involves children.
It should be held to the highest privacy standards.
A public school absolutely should NOT be loading advertising companies with profiles of our children. As a parent and as a taxpayer I am against it on both fronts.
I absolutely should have some say in whether my kids are served up to google.
And schools are generally pretty up
Re: (Score:1)
School isn't a democracy
School boards are elected.
Plus as a publicly funded, attendance is essentially mandatory (private and homeschooling alternatives aside), AND it involves children.
It should be held to the highest privacy standards.
A public school absolutely should NOT be loading advertising companies with profiles of our children. As a parent and as a taxpayer I am against it on both fronts.
I absolutely should have some say in whether my kids are served up to google.
And schools are generally pretty upfront and careful. I get asked for permission for pictures of our kids to appear on the school website (declined). We had to sign permission for our kids to be setup on Office 365 (as that's what their school is trying it out instead of g-apps). After a lot of consideration we elected to allow it, but monitor the kids on it closely, and are using it as a 'teaching opportunity'. But we could have declined it.
I do know of some parents who have hyper stances against their kid using the internet etc; and as far as I know the schools have always made allowances to accomodate these. Just as they allow parents to opt kids out of sex-ed, biology dissections, field trips, and any other topics that a subset of parents may find objectionable.
Your assertion that schools can ram google or anything else down our throats and we can only say, "thank you sir, please, can i have some more?" or pull our kids out of school entirely is just ridiculous.
In some cases this assertion is apt. I supervise the IT dept. for a board serving 12 schools. We are chronically underfunded and use what we can get our hands on. We use donated computers in the schools, donated servers and GAFE. Anything we can do that has no monetary cost goes into the schools. If your kid went to our schools, we honestly have no interest in catering to parents like you. Your kids get what we give them or they do without and get left behind, it's as simple as that and we can't afford to a
Re: (Score:2)
Your kids get what we give them or they do without and get left behind
Because their education will be incomplete if they don't know how to set up their G+ profile and use Hangouts? Your school is chronically underfunded and yet this is what you are teaching them?
No offense, and honestly, I doubt this is even the case. Hopefully they just use GAFE have some cloud storage for some written assignments, and to work on said written assignments in google apps, and everything else is pretty much off; and maybe a s
Re: (Score:1)
Re: (Score:2)
It was an episode of the simpsons because it's actually a thing. School systems are broke, and throwing a couple of shoe ads on the wall or selling extremely valuable classroom eyeballs seems to be what it's coming down to.
Re: (Score:2)
If a person discusses their own medical history with someone else, HIPAA does not apply. If they talk about it in public and someone overhears it and somehow uses that information, including a marketer, somehow, HIPAA has nothing to do with that.
Now, there may be an expectation of a certain amount of privacy when discussing something over email, but if that information is somehow obtained -- even by a breach of the email servers, and assuming neither server/individual is a hospital/doctor/insurer/etc or an
Not for the timid.... (Score:2)
SAML v2.0 isn't easy...are you sure the GADS isn't enough?
http://www.huggill.com/2012/01/12/setting-up-google-apps-single-sign-on-sso-with-adfs-2-0-and-a-custom-sts-such-as-identityserver/
Not for the timid.... (Score:2)
GADS is nice - we make AD changes, and on the sync, Google gets them. That part rocks. SSO itself would be ideal, however. Starting to read though and it does look like a good challenge. From what I'm reading so far, ADFS may do what is needed. Lots more research needed though before I fire anything in.
WAAD or Okta (Score:2)
Use WAAD or Okta, or learn how to setup a proper SSO environment since both platforms you mention offer excellent SSO interop.
Did you Google? (Score:1)
Google has a solution.
https://support.google.com/a/a... [google.com]
Shibboleth as your SAML2 provider (Score:1)
You should have a look at either CAS 4.0 or Shibboleth as your SAML 2 provider. Both integrate well with Open LDAP and Active Directory.
Holy Grail not needed (Score:5, Informative)
You can use Active Directory and/or OpenLDAP and then simpleSAMLphp and link to Google Apps.
We do it this way:
1) RCDevs WebADM LDAP Directory (or in your case Active Directory)
2) simpleSAMLphp There's actually a good tutorial to integrate with Google Apps here: https://simplesamlphp.org/docs... [simplesamlphp.org]
3) Google apps confitured for SAML 2.0
It took me about 15 minutes to set it up.
Any question feel free to ask.
Holy Grail not needed (Score:2)
Thank you - I'm reading though it now.
Sync or Federate (Score:2)
Why would you sync rather just allowing federation? Just consume a SAML token through AD Fed, or an OAuth token via Google.
We use CAS as our web SSO (Score:1)
Re: We use CAS as our web SSO (Score:2)
Centrify May Offer What You're Looking For (Score:4, Interesting)
Ceck out http://www.centrify.com/cloud/... [centrify.com]
Re: (Score:3)
Use Pubcookie (Score:1)
Pubcookie wiki link [wikipedia.org]
How it works [pubcookie.org]
Oh good (Score:1)
Has anyone seen any solution for this that actually works, or is this the Holy Grail of all IT? Please hold off on any Google haters, that's a different discussion for a different forum.
Don't insult Google? Sure, but your sad devotion to that ancient active directory has not helped you conjure up the solution, or given you enough clairvoyance to find the correct answer. Don't try to frighten us with your Microsoft ways, Lord_trazom28
Using SAML, you can tell Google you are anyone (Score:4, Informative)
I see a lot of people here pointing you to articles on how to set up a SAML IdP. I mean -- that is a start -- but you may still be confused on how to solve your problem. If I understand it correctly -- you want your users to be able to sign in using "username", but have "username@domain.com" passed on to Google Apps, correct?
First, if you don't know what "SAML", "IdP" or "SP" is, read this: https://developers.google.com/google-apps/sso/saml_reference_implementation
Then the process, no matter what IDP, is going to be similar.
1) Choose your SAML IDP (OpenAM? Ping? ADFS? Others?)
2) Set it up to authenticate your users using AD based on their username -- in other words it needs to match usernames/passwords that your end users provide on the login page based on the "sAMAccountName" attribute in MS AD.
3) You will need to exchange SAML metadata between Google Apps and your IdP.
4) When you import the Google Apps metadata to your IdP and configure the SP for Google Apps, configure the IDP to tell Google Apps that your username is the "mail" attribute in the Name Identifer -- or, if your mail attribute in LDAP does not have the correct @domain.com you need, then you could use the Active Directory "Attribute Editor" and just assign some random attribute the proper "Google ID" for each user. Then pass this attribute along to Google as the "Name ID"
The nice thing about ADFS is it is so closely tied with Active Directory, so step #2 kind of takes care of itself. A guide for integrating ADFS and Google Apps is here: http://www.huggill.com/2012/01/12/setting-up-google-apps-single-sign-on-sso-with-adfs-2-0-and-a-custom-sts-such-as-identityserver/
When that author gets to the part on "Select Transform an Incoming Claim from the Claim rule template drop-down:", I'd probably do it a bit differently. I'd instead do this:
* Select "Send LDAP Attributes as Claims"
* Send the "mail" attribute as outgoing claim type "Name ID" (or whatever attribute you want to use in LDAP for your Google usernames)
Using SAML, you can tell Google you are anyone (Score:2)
You are correct - having elementary students type the @domain.etc.yadda.yadda that GAFE requires can be painful for the teaching staff to work through. I appreciate your comments and information - really has given me a lot to read over and I'm thinking that may just do the trick. Thank you!
Re: (Score:2)
Glad it helps. And as I've seen some other folks mention -- if the students will be signing in to Google Apps from a machine joined to the AD domain, and they already have logged in to that machine using their Active Directory account... then you could look into using Kerberos as the authentication method on the IDP instead of using an HTTP username/password form. So then, they truly only enter in their credentials once: when they sign in to the PC. Same principles still apply for sending the Name ID to Goo
I've done this. (Score:4, Informative)
They paid $1mil for 4 servers to do the same thing.
The Holy Grail of all IT? Really? (Score:2, Insightful)
I know I'm kind of picking this apart unnecessarily, but you say, "Has anyone seen any solution for this that actually works, or is this the Holy Grail of all IT?" Why would it be one or the other, and why would this possibly be the Holy Grail of all IT?
Re: (Score:1)
I'd assumed the holy grail comment was referring to real SSO, as opposed to using the same credentials everywhere but entering them for each individual service.
The Holy Grail of all IT? Really? (Score:2)
On the education side of IT, your end users range in age from 4 to 18 (students) and then staff/adults. The simpler you can make things, and make them work, the better. For example, a teacher will have 20+ kids in the room, need to get them all signed in to AD, then signed into Google/GAFE. Depending on the age of the group, this can be extremely challenging, especially if usernames are different, and passwords are different. If they could sign in *once* with a short username, and standard password - th
Re: (Score:2)
That's kind of the point of this venture - if we can streamline the login process, that in turn would take that waste of time out of the equation and they could focus more on using the technology more effectively.
Re: (Score:2)
You shouldn't stereotype. I've been in IT for over 20 years professionally, another 10 as a hobby prior. In past lives I've been everything from NetWare Admin, support of OS/2 before and after Warp, dabbled in Unix shells, and have used and supported various flavors of Windows from it's early days. I consider myself pretty well rounded and open to suggestions and change in the IT realm. The district where I work happens to run AD. I've brought myself up to speed on it, and feel pretty comfortable with
SSO to Google Apps -- easy (Score:1)
User authenticates to machine & SSOs over to Google Apps & done. Since it seems that you're in Wisconsin, contact the IdP folks at UW-Madison: help@login.wisc.edu. They can likely assist you with setting things up.
Use CAS (Score:1)
Oracle Single Sign-on (Score:2)
Disclaimer: I work for Oracle but not in sales nor in any branch related to this product.
At the office (where I work as a senior iOS / OS X native app developer), we have Oracle SSO [oracle.com] running on all of our internally-deployed apps, including web sites, desktop apps, mobile.
OP talks of holy grail of IT so, while I dont know of alternatives, based on my experience, it's quite possible to have a decent single sign-on system.
Obviously, Oracle's offering is not free (as in beer speech) at 85$ a seat. It's best to
ADFS is the way to link AD to Google Apps (Score:1)
Have done it a couple of times and it's not that hard:
http://www.huggill.com/2012/01... [huggill.com]
You need a cloud security broker (Score:1)
MS Azure AD should do this. (Score:2)
haven't tested personally, but it looks good, and doesn't require any "roll-your-own" crap.
http://azure.microsoft.com/en-... [microsoft.com]
Re: (Score:2)
Re: (Score:2)
Off topic. Only applies to azure.
Actually no. You can use Azure AD as an extension of your own AD, and it does support 3rd party SSO against Google and other SaaS apps. This can be a good solution for organisations that can't (or don't want to) expose their own internal AD on the internet.
NetIQ Access Manager or Cloud Access (Score:2)
It's an outstanding web sso product. A few clicks and your set
Use exchange server (Score:2)
I don't understand why you're trying to use two distinct systems that were not designed to work together when there is a very easy solution already there?
The solution you're looking for will have to be custom programmed and it doesn't exist yet.
That is the answer. if you're prepared to hire a programmer or programming house to do it for you... vaya con dios.
If that were my show, I would just install an exchange server. MS haters won't like that... but if you're going with an active directory already then wh
Re: (Score:2)
I stand corrected. I still don't quite seem why anyone would bother. But since someone else did bother for whatever reason... that's great.
Again, thank you for the correction.
*tips hat*
Re: (Score:1)
Re: (Score:1)
Been there, done that. (Score:2)
Thank you - I will!
Re: (Score:2)
what Anonymous Coward just said.
Solution in search of a problem (Score:2)
In a perfect world with unlimited funding, that would be easy. It may get there eventually. For now, we need both and need to make both work.
Re: (Score:1)
The school already has AD and uses both Microsoft and Google products.
So instead of spending a few hours, one time, configuring ADFS for Google Apps, your solution is to throw almost everything out and go all in on a Google only solution?!? Awesome!
Re: (Score:2)
DeepFreeze to minimize the frequency of needing to reflash the disk images.
DeepFreeze? What is this, 2002? We dumped Faronics years ago, there's nothing it did that could not be handled by group policy and, more importantly, not giving everyone admin rights to their boxes.
Why? (Score:2)
Ok, I'll bite. Just because it was fun? Why not? Sorry if you took my hyperlink to a wikipedia article personally.