Ask Slashdot: Single Sign-On To Link Google Apps and Active Directory?
trazom28 writes to seek answers to a problem faced by many businesses (and, as in this case, schools): "We are looking for a solution to a single sign on to coordinate Active Directory and Google. You can sync the passwords easily enough with Google Apps Password Sync, but ideally we would like the students and staff to be able to sign in once and be done. Additionally, the Google login requires the @domain.k12.wi.us so it would have to take the AD username, pass it along and tack on the domain to log into Google.
Has anyone seen any solution for this that actually works, or is this the Holy Grail of all IT? Please hold off on any Google haters, that's a different discussion for a different forum.
http://www.lmgtfy.com/?q=ADFS+Google+Apps
https://support.google.com/a/a...
I googled it.
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
Because the responses are unhelpful, and maybe people won't be as likely to post them if they feel like they'll be redundant.
SAML v2.0 isn't easy...are you sure the GADS isn't enough?
http://www.huggill.com/2012/01/12/setting-up-google-apps-single-sign-on-sso-with-adfs-2-0-and-a-custom-sts-such-as-identityserver/
Use WAAD or Okta, or learn how to set up a proper SSO environment, since both platforms you mention offer excellent SSO interop.
Google has a solution.
https://support.google.com/a/a...
It's not unhelpful to point out that some students may not be willing to create a Google account, so any process that requires such is non-viable as a widespread solution.
You should have a look at either CAS 4.0 or Shibboleth as your SAML 2 provider. Both integrate well with Open LDAP and Active Directory.
You can use Active Directory and/or OpenLDAP and then simpleSAMLphp and link to Google Apps.
We do it this way:
1) RCDevs WebADM LDAP Directory (or in your case Active Directory)
2) simpleSAMLphp There's actually a good tutorial to integrate with Google Apps here: https://simplesamlphp.org/docs...
3) Google Apps configured for SAML 2.0
It took me about 15 minutes to set it up.
Any questions, feel free to ask.
Why would you sync rather just allowing federation? Just consume a SAML token through AD Fed, or an OAuth token via Google.
What will you do for the students who don't want Google tracking everything they do?
I especially like the fact that he's posted the login format in the article. Should make a forced breach by China/Russia/Anonymous/AngryStudents all the easier.
login requires the @domain.k12.wi.us so it would have to take the AD username, pass it along and tack on the domain to log into Google.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
Google plays well with it and AD can be used as its back end. https://wiki.jasig.org/display...
Check out http://www.centrify.com/cloud/...
Nope. I'm willing to insult people as many times as it takes. I'm sure after the 597th time they'll realize I'm right.
"First they came for the slanderers and I said nothing."
And this is why we can't have nice things.
What you want is Pubcookie. I've configured Kerberos SSO across a network before and found Pubcookie at a different job. It's a little tricky at first, possibly because of some of the thin or confusing documentation, but it's very good. It's also free.
Pubcookie wiki link
How it works
Good leaders run toward problems, bad leaders hide from them.
And this is why we can't have nice things.
No, it's precisely why we DO have nice things.
99% of the time the best answer is not the one you want.
73.4% of stats are made up 99% of the time.
I see a lot of people here pointing you to articles on how to set up a SAML IdP. I mean -- that is a start -- but you may still be confused on how to solve your problem. If I understand it correctly -- you want your users to be able to sign in using "username", but have "username@domain.com" passed on to Google Apps, correct?
First, if you don't know what "SAML", "IdP" or "SP" is, read this: https://developers.google.com/google-apps/sso/saml_reference_implementation
Then the process, no matter what IDP, is going to be similar.
1) Choose your SAML IDP (OpenAM? Ping? ADFS? Others?)
2) Set it up to authenticate your users using AD based on their username -- in other words it needs to match usernames/passwords that your end users provide on the login page based on the "sAMAccountName" attribute in MS AD.
3) You will need to exchange SAML metadata between Google Apps and your IdP.
4) When you import the Google Apps metadata to your IdP and configure the SP for Google Apps, configure the IdP to tell Google Apps that your username is the "mail" attribute in the Name Identifier -- or, if your mail attribute in LDAP does not have the correct @domain.com you need, then you could use the Active Directory "Attribute Editor" and just assign some random attribute the proper "Google ID" for each user. Then pass this attribute along to Google as the "Name ID".
The nice thing about ADFS is it is so closely tied with Active Directory, so step #2 kind of takes care of itself. A guide for integrating ADFS and Google Apps is here: http://www.huggill.com/2012/01/12/setting-up-google-apps-single-sign-on-sso-with-adfs-2-0-and-a-custom-sts-such-as-identityserver/
When that author gets to the part on "Select Transform an Incoming Claim from the Claim rule template drop-down:", I'd probably do it a bit differently. I'd instead do this:
* Select "Send LDAP Attributes as Claims"
* Send the "mail" attribute as outgoing claim type "Name ID" (or whatever attribute you want to use in LDAP for your Google usernames)
They paid $1mil for 4 servers to do the same thing.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
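The four IdP steps and the "mail attribute as Name ID" claim mapping described earlier in the thread, as an added worked example that is not code from any poster or from Google: it maps an AD record to the username@domain NameID Google Apps expects and emits the minimal SAML 2.0 Response an IdP would POST to Google's ACS. The domain, entity IDs and ACS URL are constructed placeholders; take the real SP values from the metadata exported in step 3.

```python
"""Map an AD user record to the SAML NameID Google Apps expects and build a minimal,
unsigned SAML 2.0 Response. All domain/entity/URL values are constructed samples."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

GOOGLE_DOMAIN = "example.k12.wi.us"  # assumed placeholder for the district's Google Apps domain
# Assumed SP values: use the ones from the metadata Google Apps gives you, not these.
SP_ENTITY_ID = f"google.com/a/{GOOGLE_DOMAIN}"
ACS_URL = f"https://www.google.com/a/{GOOGLE_DOMAIN}/acs"
IDP_ENTITY_ID = "https://idp.example.k12.wi.us/saml"  # assumed IdP entity ID

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def google_name_id(ad_user: dict) -> str:
    """Step 4 of the thread: use the AD 'mail' attribute when it already carries the
    Google Apps domain; otherwise derive it from sAMAccountName plus the domain.
    Refuse records that cannot be mapped instead of guessing an identity."""
    mail = (ad_user.get("mail") or "").strip().lower()
    if mail.count("@") == 1 and mail.endswith("@" + GOOGLE_DOMAIN):
        return mail
    sam = (ad_user.get("sAMAccountName") or "").strip().lower()
    if not sam or any(c in sam for c in "@ <>\"'/\\"):
        raise ValueError(f"cannot derive a Google ID for {ad_user!r}")
    return f"{sam}@{GOOGLE_DOMAIN}"


def _ts(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_saml_response(ad_user: dict, in_response_to: Optional[str] = None,
                        now: Optional[datetime] = None, lifetime_s: int = 300) -> str:
    """Emit the SAML Response an IdP would POST to Google's ACS with the mapped address
    as NameID. Unsigned here: a real IdP signs the Assertion with the key whose
    certificate is in the IdP metadata exchanged with Google in step 3."""
    now = now or datetime.now(timezone.utc)
    expiry = now + timedelta(seconds=lifetime_s)
    name_id = google_name_id(ad_user)

    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _ts(now), "Destination": ACS_URL})
    if in_response_to:  # SP-initiated flow: echo the AuthnRequest ID
        resp.set("InResponseTo", in_response_to)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})

    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": NAMEID_EMAIL}).text = name_id
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation",
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    conf_data = {"Recipient": ACS_URL, "NotOnOrAfter": _ts(expiry)}
    if in_response_to:
        conf_data["InResponseTo"] = in_response_to
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", conf_data)
    # Audience restriction binds the assertion to Google's SP so it is not usable elsewhere.
    cond = ET.SubElement(assertion, f"{{{SAML}}}Conditions",
                         {"NotBefore": _ts(now), "NotOnOrAfter": _ts(expiry)})
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = SP_ENTITY_ID
    authn = ET.SubElement(assertion, f"{{{SAML}}}AuthnStatement",
                          {"AuthnInstant": _ts(now), "SessionIndex": assertion.get("ID")})
    ctx = ET.SubElement(authn, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    return ET.tostring(resp, encoding="unicode")


def name_id_from_response(xml_text: str) -> str:
    """Read the NameID back out of a Response, as the SP would, to check the mapping."""
    root = ET.fromstring(xml_text)
    return root.find(f".//{{{SAML}}}Subject/{{{SAML}}}NameID").text
```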
I know I'm kind of picking this apart unnecessarily, but you say, "Has anyone seen any solution for this that actually works, or is this the Holy Grail of all IT?" Why would it be one or the other, and why would this possibly be the Holy Grail of all IT?
All this single sign on, integrated sign on, etc. is a nightmare for people who prefer to browse the web without the entire fucking world knowing where you've been and what you've been up to. Ya...I know...porn. But there are many other things you wouldn't want people to be snooping into.
Your bank or other financial services.
Your medical information or interests.
What social media you frequent
etc.
There's nothing worse than going to some website and seeing, "Hi John Dough!". If I want to log in, I'll log in. Otherwise, mind your own business.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
The OP is using GAFE, Google Apps for Education. It's basically the same as the commercial offering. Students don't create their own accounts, the district likely has a process in place that automatically provisions the new accounts using something like Google Apps Directory Sync or a 3rd party app that uses the Google Accounts APIs. Kids / employees go to sign in and it Just Works. (TM).
(Source: I've implemented GAFE / GADS at a K-12.)
[Made-up or mis-remembered, hand-waved citation needed]
User authenticates to machine & SSOs over to Google Apps & done. Since it seems that you're in Wisconsin, contact the IdP folks at UW-Madison: help@login.wisc.edu. They can likely assist you with setting things up.
Q How do you get to I-65 from I-10?
A Oh fuck, I hate driving, the roads are full of holes!
Yup, very helpful and applicable.
Politics; n. : A religion whereby man is god.
School may not be a democracy, but the school also can't do whatever it pleases. Handing over information to corporations seems unacceptable to me, especially if it's a public school.
From the summary: "Please hold off on any Google haters, that's a different discussion for a different forum."
From msobkow: "People will post what they post, regardless of your control-freak fantasies of filtering out the chaf."
From the mods (to msobkow): "-1 Offtopic".
Nicely done, mods. That's what moderation is for: not to suppress ideas you disagree with, or silence people you dislike, but to keep conversations on topic and useful.
(And, yes, this post is off topic, but I had to say this and my karma won't notice the hit.)
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
School isn't a democracy
School boards are elected.
Plus, as it's publicly funded, attendance is essentially mandatory (private and homeschooling alternatives aside), AND it involves children.
It should be held to the highest privacy standards.
A public school absolutely should NOT be loading advertising companies with profiles of our children. As a parent and as a taxpayer I am against it on both fronts.
I absolutely should have some say in whether my kids are served up to google.
And schools are generally pretty upfront and careful. I get asked for permission for pictures of our kids to appear on the school website (declined). We had to sign permission for our kids to be set up on Office 365 (as that's what their school is trying out instead of g-apps). After a lot of consideration we elected to allow it, but monitor the kids on it closely, and are using it as a 'teaching opportunity'. But we could have declined it.
I do know of some parents who have hyper stances against their kid using the internet etc; and as far as I know the schools have always made allowances to accommodate these. Just as they allow parents to opt kids out of sex-ed, biology dissections, field trips, and any other topics that a subset of parents may find objectionable.
Your assertion that schools can ram google or anything else down our throats and we can only say, "thank you sir, please, can I have some more?" or pull our kids out of school entirely is just ridiculous.
I'm not sure why you're hung up on PHI, I didn't see anything related to medical information mentioned yet. But that's what business agreements are for: to share or pass the blame.
I'd assumed the holy grail comment was referring to real SSO, as opposed to using the same credentials everywhere but entering them for each individual service.
Students don't create their own accounts
Gah. The point isn't about who pushes the button to create the damn thing.
Think again. If my child was in such a system, I would not allow a creation of an advertising-firm account on their behalf, regardless of who actually pushes the final button. It's the account that is unacceptable, not the specifics of who creates it.
If a person discusses their own medical history with someone else, HIPAA does not apply. If they talk about it in public and someone overhears it and somehow uses that information, including a marketer, somehow, HIPAA has nothing to do with that.
Now, there may be an expectation of a certain amount of privacy when discussing something over email, but if that information is somehow obtained -- even by a breach of the email servers, and assuming neither server/individual is a hospital/doctor/insurer/etc or an employee of such -- HIPAA does not somehow magically apply. Just because it is medical information, it is not immediately protected by HIPAA.
It was an episode of the Simpsons because it's actually a thing. School systems are broke, and throwing a couple of shoe ads on the wall or selling extremely valuable classroom eyeballs seems to be what it's coming down to.
I use the Java SDK. It works! With other configuration though. But I still think you should check if that works for you.
If you are turning north from I-10 onto I-65, or if you are on I-65 and turning east or west onto I-10, you have already failed at taking the quickest way from anywhere to anywhere else.
To ensure perfect aim, shoot first and call whatever you hit the target
Because that can't happen without SSO...
Well, GAFE accounts aren't normal google accounts. Function-wise they're the same, but Google promotes that they are not put through the same advertising analytics that normal gmail accounts are.
From the GAFE website:
Google Apps is governed by a detailed Privacy Policy, which ensures we will not inappropriately share or use personal information placed in our systems. Google complies with applicable US privacy law, and the Google Apps Terms of Service can specifically detail our obligations and compliance with FERPA (Family Educational Rights and Privacy Act) regulations. Google is registered with the US-EU Safe Harbor agreement, which helps ensure that our data protection compliance meets European Union standards for educational institutions.
FERPA is the big stickler here, as google really couldn't offer the service without being FERPA compliant, and they couldn't run Google Business as usual and still be FERPA compliant.
Now, as to whether you choose to believe their claims, that's another story, but you're approaching it with a lot of misinformation, it seems.
"And what guarantees will you make against PHI disclosure?"
You can't fully disclose PHI = it's an irrational number
= ( 1 + 5 ) / 2
On the education side of IT, your end users range in age from 4 to 18 (students) and then staff/adults. The simpler you can make things, and make them work, the better. For example, a teacher will have 20+ kids in the room, need to get them all signed in to AD, then signed into Google/GAFE. Depending on the age of the group, this can be extremely challenging, especially if usernames are different, and passwords are different. If they could sign in *once* with a short username, and standard password - then be able to dive right into what they need, we'd have more time for the teachers to do what they need to do, and less time for them to be techs. SSO has been something that's been elusive for years, both in public and private sector, and it's always *sort of* worked, but not quite, and not reliably. I hadn't looked at it for some time, but it came up again recently, hence my question to /.
{} ------ When I think of a good sig, I'll put it here
You are correct - having elementary students type the @domain.etc.yadda.yadda that GAFE requires can be painful for the teaching staff to work through. I appreciate your comments and information - really has given me a lot to read over and I'm thinking that may just do the trick. Thank you!
Our university uses CAS SSO by JASIG. https://wiki.jasig.org/display... . It's nice because anyone can use it without having to get IT involved for their own pet projects and they never get a secret to maintain or permissions to setup like with AD or LDAP.
Overall, I was quite pleased at the presentation my children's school gave to the parents that attended "technology night". Privacy concerns, including advertising data, were among the many topics discussed, and the district and school representatives who were involved in the deployment had just about all the answers we needed. In our particular case, it turns out that all of the tracking data is restricted to authorized district personnel, and can be/is destroyed on-demand (after a student leaves the school, etc).
As I'm not directly involved (just a parent of a couple of students), I can't say what has been implemented thus far, but I don't believe they're doing any AD-to-Google SSO; from what I can tell, they are managed independently. Unfortunately, I can't help in this regard.
Overall, for those concerned about privacy around student accounts, I encourage you to reach out to your school and ask for a copy of their "terms of service", both for the students using the accounts, as well as for the school/district usage of Google's services. From what I've seen of the local implementation here, I'd say they have kids' privacy (at least from an advertising perspective) at the forefront of their policies.
Don Head
UNIX/Linux Administrator
Q How do you get to I-65 from I-10?
If you're heading East on I-10, take the I-65 interchange in Mobile. If you're heading West on I-10, you can take U.S. 90, 98 or 45, depending on where you're going.
That's the login format for schools across the country. It's not exactly a state secret.
GADS is nice - we make AD changes, and on the sync, Google gets them. That part rocks. SSO itself would be ideal, however. Starting to read through it, and it does look like a good challenge. From what I'm reading so far, ADFS may do what is needed. Lots more research needed though before I fire anything in.
Thank you - I'm reading through it now.
Thank you - I will!
Disclaimer: I work for Oracle but not in sales nor in any branch related to this product.
At the office (where I work as a senior iOS / OS X native app developer), we have Oracle SSO running on all of our internally-deployed apps, including web sites, desktop apps, mobile.
OP talks of the holy grail of IT so, while I don't know of alternatives, based on my experience, it's quite possible to have a decent single sign-on system.
Obviously, Oracle's offering is not free (as in beer or speech) at $85 a seat. It's best to contact the sales rep to see if any bulk or student pricing applies (I do not know as I'm not in sales).
Have done it a couple of times and it's not that hard:
http://www.huggill.com/2012/01...
Public schools hand over student data to corporations and have for a long time. I've worked in multiple school districts since 1994 and I have not encountered an exception. Though it has been steadily increasing since software as a service has been hitting education channels. If you want to start your own privacy-oriented charter school, more power to you; good luck trying to get any IT, truancy or grade services/software though.
"Be particularly skeptical when presented with evidence confirming what you already believe." -
Centrify, Ping Identity, Bit Glass and others can provide SSO capabilities between your core infrastructure (AD) and the cloud. Some include sync tools and others provide nearly full ADFS implementations. They can also provide 2FA and other authentication mechanisms. Centrify can even give you MDM (Mobile Device Management) for 802.1x-like functionality. Bit Glass can do some very cool proxying that gives you DLP-style watermarking of stored files on the cloud. Etc etc etc.
Public schools hand over student data to corporations and have for a long time.
Which is, of course, wrong. They also use proprietary software. Our priorities are screwed.
(1 + sqrt(5))/2
Haven't tested personally, but it looks good, and doesn't require any "roll-your-own" crap.
http://azure.microsoft.com/en-...
What Anonymous Coward just said.
That's a nice perspective (and one I basically agree with) but the problem that's causing all of this is how abusive everyone has been with what little anonymity (or freedoms) we've had up to this point. Of course, money is always mixed into the equation as well, but for all intents and purposes, I'm focusing on the prior right now. Everything ranging from viruses, child porn, hacking into peoples' computers, hateful comments, spam, theft, intellectual property issues, etc., etc... It's all created a vortex of hassle that's dropped the value of allowing anonymity. Don't get me wrong: I hate it, too, when some damn website greets me with my Gmail username or something associated with my musical preferences or whatever but as long as people keep acting like dicks to everyone else, spouting off anti-Semitic this, burn in hell that; we'll keep suffering the consequences for it. We've evolved into a society (and infrastructure) that focuses on the morally-lowest common denominator, but even worse is the fact that we keep approaching the same problems with a quantitative mindset. This, I personally believe, is really the ultimate problem.
That's kind of the point of this venture - if we can streamline the login process, that in turn would take that waste of time out of the equation and they could focus more on using the technology more effectively.
You shouldn't stereotype. I've been in IT for over 20 years professionally, another 10 as a hobby prior. In past lives I've been everything from NetWare Admin, support of OS/2 before and after Warp, dabbled in Unix shells, and have used and supported various flavors of Windows from its early days. I consider myself pretty well rounded and open to suggestions and change in the IT realm. The district where I work happens to run AD. I've brought myself up to speed on it, and feel pretty comfortable with it, but I'm not one of the "AD or Bust!" types that you may have run into in the past. Those folks just irk me :)
In a perfect world with unlimited funding, that would be easy. It may get there eventually. For now, we need both and need to make both work.
Ok, I'll bite. Just because it was fun? Why not? Sorry if you took my hyperlink to a wikipedia article personally.
The school already has AD and uses both Microsoft and Google products.
So instead of spending a few hours, one time, configuring ADFS for Google Apps, your solution is to throw almost everything out and go all in on a Google only solution?!? Awesome!
Well, school boards like mine don't have much cash; your kids would get what we give them or they can do all their work on paper. GAFE does have advertising disabled.
In some cases this assertion is apt. I supervise the IT dept. for a board serving 12 schools. We are chronically underfunded and use what we can get our hands on. We use donated computers in the schools, donated servers and GAFE. Anything we can do that has no monetary cost goes into the schools. If your kid went to our schools, we honestly have no interest in catering to parents like you. Your kids get what we give them or they do without and get left behind, it's as simple as that and we can't afford to apologize. You suggest it is a democracy, but I'm telling you it's not. Even when you elect your board, we still do whatever we have to do to get these kids through school and get them exposed to the tech they need to know.
Your kids get what we give them or they do without and get left behind
Because their education will be incomplete if they don't know how to set up their G+ profile and use Hangouts? Your school is chronically underfunded and yet this is what you are teaching them?
No offense, and honestly, I doubt this is even the case. Hopefully they just use GAFE to have some cloud storage for some written assignments, and to work on said written assignments in google apps, and everything else is pretty much off; and maybe a school email address that can only send / receive within the school's domain; parents are given the kids' passwords when they sign the permission slips. Of course 365 doesn't have the equivalent of G+ etc to deal with, so that's not an issue.
That's roughly how my kids' Office 365 is set up.
The point being, that one CAN do it responsibly. Or one can do absurd and ridiculous things like require the kids fill out a G+ profile, and spend class time learning and being encouraged to use hangouts to communicate... I've seen shit like that proposed.
it's as simple as that and we can't afford to apologize.
There's a lot of things kids need, but having the school load them into an advertising network, and train them how to enter their information into it is not one of them.
It's an outstanding web SSO product. A few clicks and you're set.
I don't understand why you're trying to use two distinct systems that were not designed to work together when there is a very easy solution already there?
The solution you're looking for will have to be custom programmed and it doesn't exist yet.
That is the answer. if you're prepared to hire a programmer or programming house to do it for you... vaya con dios.
If that were my show, I would just install an exchange server. MS haters won't like that... but if you're going with an active directory already then what exactly is the beef here?
I think you should use the tech the way it is supposed to be used unless you're prepared to deal with the consequences of not doing that.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
If you are turning north from I-10 onto I-65, or if you are on I-65 and turning east or west onto I-10, you have already failed at taking the quickest way from anywhere to anywhere else.
Just looking at a map, while coming from North I-65 and going east on I-10 looks kinda nonsensical, going west doesn't look so bizarre. You'd use that connection when going from Montgomery to New Orleans, wouldn't you?
Or is that just a general comment that those roads tend to be congested, and are never the quickest way (no matter which way you turn?)
DeepFreeze to minimize the frequency of needing to reflash the disk images.
DeepFreeze? What is this, 2002? We dumped Faronics years ago, there's nothing it did that could not be handled by group policy and, more importantly, not giving everyone admin rights to their boxes.
You're missing my point. We do what we can with what we have. Of course we don't have the kids create their own profiles, we do it for them using bulk create from csv. Parents like you have a legitimate concern about privacy, but you have to weigh that concern against your kids' ability to participate in what we are going to go ahead and do anyway. I'm not trying to sound adversarial, but when the higher ups want us to implement new technology, my family depends on me to just do my damn job and ignore interfering parents. Since my board is underfunded, parental interference isn't really an issue since the parents that care don't live where our schools are. Office 365 isn't free and as other posters have pointed out, advertising is disabled in GAFE. Let me repeat that since you don't seem to be getting the message. GAFE has advertising disabled.
I certainly don't disagree with you. It's just hard as a school to find software or services that meet your needs that don't come with a Faustian price tag.
"And what guarantees will you make against PHI disclosure?"
You can't fully disclose PHI = it's an irrational number
= ( 1 + 5 ) / 2
3?