14

We're a small shop running Google Apps (Enterprise) for our email needs. Love it. Internally, we're using Windows AD (2003). No complaints there either.

I'd like to get some method of SSO going between AD and Google Apps such that AD is the only place my folks have to manage (and periodically CHANGE!) passwords.

I've looked over google's "tfm"s in the past, but I guess I just don't quite get it. Has anyone does this? If so, would you be willing to share how? Can it be done without a huge amount of complexity and expense?

Chris_K
  • 3,434
  • 6
  • 41
  • 45

7 Answers7

9

There are a couple things you can do with Google Apps.

You can setup a SAML server connected to your AD network and then setup Google to authentication your Google Apps access against the SAML server. We have used a php application called simpleSAMLphp because we already have servers setup to run PHP and we have developers with php skills. The drawback of using a SAML solution alone is that you can only login to accounts through the web. This means you can't access your mailbox through imap/pop, and you can't login to Google talk with any old XMPP client.

Using SAML does not automatically create accounts in the Google Apps domain. You also will probably need a tool that will synchronize accounts for that you can use the Google Apps Directory sync tool. This will allow you to create accounts, but it still will not sync passwords by default because the Windows Password hashes are not reversible and Google can't do anything with them.

It is possible to use something like PasswdHk to intercept password changes in your AD and then store the password in a format (unsalted sha1) that the Google directory sync utility can use to set the Google Apps passwords. But this does add a bit of security risk since Google will only accept unsalted md5 or sha1 password hashes through its Provisioning API, and to sync with Google, you basically must store these hashes. If you are to use this, it is very important to keep these hashes secure.

Hmmph. You had me all excited about SAML until the bit about imap/pop. That'd kill all the folks using windows mobile and blackberry clients, wouldn't it? Any clever alternatives there?

If you are willing to accept the risk of storing the password hashes then are able to combine the SSO and the directory syncing together to get a working system.

As an alternative someone could develop a Intranet portal where users in your domain would go to initialize their Google account and set the password for the Google account. I had considered developing something like this, but couldn't get my coworkers to agree that it was the way to go.

The basic idea is this, build a webapp that

  • Lives on your intranet and authenticates against your active directory
  • Has a function that will take the username and password that the user used to login to the intranet site and get any other information you need from the AD, and then use the Google Provisioning API to add/update the users account.

Building the tool really shouldn't be too difficult, I had estimated to hack out something basic it would only take 12-16 hours of development time. The advantage of this solution is that it gives you 100% Google Apps functionality, the downside is that it somewhat inconveniences the end-user.

Zoredache
  • 128,755
  • 40
  • 271
  • 413
  • Hmmph. You had me all excited about SAML until the bit about imap/pop. That'd kill all the folks using windows mobile and blackberry clients, wouldn't it? Any clever alternatives there? Maybe I'm beginning to see why this is isn't as common... – Chris_K Aug 25 '09 at 01:46
  • Thanks for the edit and the additional info. I have much to ponder now. – Chris_K Aug 25 '09 at 15:20
  • 3
    Google released a new password sync product called [Google Apps Password Sync (GAPS)](http://googleappsupdates.blogspot.com/2012/05/new-product-google-apps-password-sync.html) that should now handle this. – Zoredache Oct 02 '12 at 18:15
2

I too would love to see a better answer to this one.

I played around with Google Apps Directory Sync to sync Google users from Active Directory users. It looked swell, right up to the point where I read that AD's LDAP implementation keeps the password in a encrypted binary field, which Google's Sync tool cannot access.

Google's other SSO solution seems to turn the tables, so that Google is the authoritative source of credentials. We're not interested in that; what would happen on our LAN if our Internet access is down?

So right now my best solution is a Google Apps spreadsheet with user names & passwords, which we then export to CSV, and bulk import to Google Apps. This does not handle password changes. So far the best we have is to educate our users to change both the Google & Windows password to the same new password when Windows password policy forces a change.

  • 1
    Your comment about the Google SAML service isn't accurate (2nd para). SAML allows you to have a service on your local network do the authentication. Your AD would be the the authoritative source for authorization. What you are supposed to do is run the directory sync and the SAML integration in parallel, they aren't very useful separate. – Zoredache Aug 25 '09 at 07:06
  • Great, thank you for the correction. After your comment, I searched some more, and found this nice overview of the SAML authentication flow http://code.google.com/apis/apps/sso/saml_reference_implementation.html . –  Aug 25 '09 at 13:08
2

Here is a password filter that stores the hash in ad. http://code.google.com/p/sha1hexfltr/ It securely saves the hashes in ad. No SSO needed, No new servers needed!

1

You can use LemonLDAP::NG to do that. See http://lemonldap-ng.org/documentation/latest/applications/googleapps

1

Hmm, nobody does the SSO thing? I confess I'm a little surprised!

Just to get things rolling: I've had PingConnect suggested via other channels. Anyone used it?

Chris_K
  • 3,434
  • 6
  • 41
  • 45
0

Looks like there is Google Apps Password Sync (GAPS) for synchronising passwords to be used in combination with active directory sync. But I've not used it yet.

Alex KeySmith
  • 701
  • 2
  • 10
  • 19
0

Some products like Oracle Internet Directory + Oracle SSO (and IBM TIM/TAM) allow hooking to 3rd party systems. This means the product is configured to sync with AD, and stores credentials to every other product you ever imagine. You get a new login link which seeds the credentials to the system you want (in this case - Google Apps), and that's it.

Keep in mind it is quite complicated to get such a configuration up and running, and might also cost you some money, so it doesn't suit every orgranization.

Moshe
  • 582
  • 5
  • 9