Google Apps can use SAML to authenticate users, behaving as a SAML service provider, as explained here.

To work with LL::NG it requires:

- LL::NG configured as a SAML Identity Provider
- Google Apps registered as a SAML Service Provider in LL::NG
Attention: This part is based on SimpleSAMLPHP documentation.
As administrator, go in the Google Apps control panel and click on Advanced tools. Then select Set up single sign-on (SSO). Now configure all SAML parameters.
Attention: You must check the option "Use a specific domain transmitter" to force Google Apps to send the full entityId.
For the certificate, you can build it from the signing private key registered in Manager. Select the key and export it (button Download). This will download the public and the private key.

Keep the private key in a file, for example lemonldap-ng-priv.key, then use openssl to generate a self-signed certificate:

    openssl req -new -key lemonldap-ng-priv.key -out cert.csr
    openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem

You can now upload the certificate (cert.pem) on Google Apps.
Tip: You can also use the certificate instead of the public key in the SAML metadata, see SAML service configuration.
You should have configured LL::NG as a SAML Identity Provider. Now we will add Google Apps as a new SAML Service Provider:

- In Manager, click on New service provider.
- Set Email in Options » Authentication Response » Default NameID format.
- Turn off the signature options in Options » Signature, except Sign SSO message, which should be set to On.
- Select Metadata, and unprotect the field to paste the following value:
    <md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
      <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/mydomain.org/acs" index="1" />
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
      </SPSSODescriptor>
    </md:EntityDescriptor>
Attention: Change mydomain.org (in the AssertionConsumerService markup, parameter Location) into your Google Apps domain. Also adapt your entityID to match the Assertion issuer: google.com/a/mydomain.org
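Both adaptations in the note above (ACS Location and entityID carrying your own domain) are easy to miss when pasting the metadata, and a mismatch only shows up as a failed login later. The following Python script is an added example, not part of the LL::NG documentation or project code: it builds the Google Apps SP metadata for a given domain in the layout shown above, and checks a pasted metadata document against the rules the page states (HTTP-POST ACS at https://www.google.com/a/<domain>/acs, entityID equal to the issuer google.com/a/<domain>, emailAddress NameIDFormat). The domain example.org and the embedded page snippet are constructed inputs.

```python
"""Build and sanity-check Google Apps SAML SP metadata for LL::NG.

Added example (not LL::NG project code). It encodes the page's "Attention"
note: the ACS Location and the entityID must both carry the Google Apps domain.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed input: the metadata exactly as shown on the page, i.e. with the
# placeholder mydomain.org and the unadapted entityID "google.com".
PAGE_METADATA = """<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/mydomain.org/acs" index="1" />
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
</SPSSODescriptor>
</md:EntityDescriptor>"""


def _md(tag: str) -> str:
    """Clark-notation name for an element in the SAML metadata namespace."""
    return f"{{{MD_NS}}}{tag}"


def build_metadata(domain: str) -> str:
    """Return SP metadata for one Google Apps domain, with entityID set to the
    assertion issuer form google.com/a/<domain> that the page asks for."""
    ET.register_namespace("md", MD_NS)
    root = ET.Element(_md("EntityDescriptor"), entityID=f"google.com/a/{domain}")
    sp = ET.SubElement(root, _md("SPSSODescriptor"),
                       protocolSupportEnumeration=SAML2_PROTOCOL)
    ET.SubElement(sp, _md("AssertionConsumerService"), Binding=HTTP_POST,
                  Location=f"https://www.google.com/a/{domain}/acs", index="1")
    ET.SubElement(sp, _md("NameIDFormat")).text = EMAIL_FORMAT
    return ET.tostring(root, encoding="unicode")


def check_metadata(xml_text: str, domain: str) -> list:
    """Return a list of problems found in SP metadata for `domain`.

    An empty list means the document matches what the page requires."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != _md("EntityDescriptor"):
        return ["root element is not md:EntityDescriptor"]

    # entityID must match the issuer Google Apps sends once the
    # "specific domain transmitter" option is enabled.
    entity_id = root.get("entityID", "")
    if entity_id != f"google.com/a/{domain}":
        problems.append(f"entityID {entity_id!r} should be google.com/a/{domain}")

    sp = root.find(_md("SPSSODescriptor"))
    if sp is None:
        problems.append("no SPSSODescriptor element")
        return problems

    # The ACS endpoint must be the HTTP-POST endpoint for this exact domain.
    acs_list = sp.findall(_md("AssertionConsumerService"))
    if not acs_list:
        problems.append("no AssertionConsumerService element")
    for acs in acs_list:
        if acs.get("Binding") != HTTP_POST:
            problems.append(f"ACS Binding {acs.get('Binding')!r} is not HTTP-POST")
        loc = urlparse(acs.get("Location", ""))
        expected_path = f"/a/{domain}/acs"
        if (loc.scheme, loc.netloc, loc.path) != ("https", "www.google.com", expected_path):
            problems.append(f"ACS Location {acs.get('Location')!r} is not "
                            f"https://www.google.com{expected_path}")

    # LL::NG is configured to send Email as NameID, so the SP must declare it.
    formats = [n.text for n in sp.findall(_md("NameIDFormat"))]
    if EMAIL_FORMAT not in formats:
        problems.append("NameIDFormat emailAddress is missing")
    return problems


if __name__ == "__main__":
    print(build_metadata("example.org"))
    for problem in check_metadata(PAGE_METADATA, "example.org"):
        print("unadapted page metadata:", problem)
```

Run against the unadapted page snippet, `check_metadata` reports both the placeholder ACS Location and the short entityID; metadata produced by `build_metadata` for the same domain passes cleanly, so the two functions can be used together to generate the value to paste into the Manager field and to re-check it after editing.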
Google Apps does not support Single Logout (SLO).

Google Apps has a configuration parameter to redirect the user to a specific URL after Google Apps logout (see Google Apps control panel).

To manage the other way (LL::NG → Google Apps), you can add a dedicated logout forward rule:

    GoogleApps => http://www.google.com/calendar/hosted/mydomain.org/logout
Attention: Change mydomain.org into your Google Apps domain.