Ask Slashdot: Single Sign-On To Link Google Apps and Active Directory?
trazom28 writes to seek answers to a problem faced by many businesses (and, as in this case, schools): "We are looking for a solution to a single sign on to coordinate Active Directory and Google. You can sync the passwords easily enough with Google Apps Password Sync, but ideally we would like the students and staff to be able to sign in once and be done. Additionally, the Google login requires the @domain.k12.wi.us so it would have to take the AD username, pass it along and tack on the domain to log into Google.
Has anyone seen any solution for this that actually works, or is this the Holy Grail of all IT? Please hold off on any Google haters, that's a different discussion for a different forum.
http://www.lmgtfy.com/?q=ADFS+Google+Apps
https://support.google.com/a/a...
I googled it.
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
It's not unhelpful to point out that some students may not be willing to create a Google account, so any process that requires such is non-viable as a widespread solution.
You can use Active Directory and/or OpenLDAP and then simpleSAMLphp and link to Google Apps.
We do it this way:
1) RCDevs WebADM LDAP Directory (or in your case Active Directory)
2) simpleSAMLphp There's actually a good tutorial to integrate with Google Apps here: https://simplesamlphp.org/docs...
3) Google Apps configured for SAML 2.0
It took me about 15 minutes to set it up.
Any questions, feel free to ask.
Why would you sync rather than just allowing federation? Just consume a SAML token through AD Fed, or an OAuth token via Google.
Check out http://www.centrify.com/cloud/...
And this is why we can't have nice things.
No, it's precisely why we DO have nice things.
99% of the time the best answer is not the one you want.
I see a lot of people here pointing you to articles on how to set up a SAML IdP. I mean -- that is a start -- but you may still be confused on how to solve your problem. If I understand it correctly -- you want your users to be able to sign in using "username", but have "username@domain.com" passed on to Google Apps, correct?
First, if you don't know what "SAML", "IdP" or "SP" is, read this: https://developers.google.com/google-apps/sso/saml_reference_implementation
Then the process, no matter which IdP, is going to be similar.
1) Choose your SAML IdP (OpenAM? Ping? ADFS? Others?)
2) Set it up to authenticate your users using AD based on their username -- in other words it needs to match usernames/passwords that your end users provide on the login page based on the "sAMAccountName" attribute in MS AD.
3) You will need to exchange SAML metadata between Google Apps and your IdP.
4) When you import the Google Apps metadata to your IdP and configure the SP for Google Apps, configure the IdP to tell Google Apps that your username is the "mail" attribute in the Name Identifier -- or, if your mail attribute in LDAP does not have the correct @domain.com you need, then you could use the Active Directory "Attribute Editor" and just assign some random attribute the proper "Google ID" for each user. Then pass this attribute along to Google as the "Name ID".
The nice thing about ADFS is it is so closely tied with Active Directory, so step #2 kind of takes care of itself. A guide for integrating ADFS and Google Apps is here: http://www.huggill.com/2012/01/12/setting-up-google-apps-single-sign-on-sso-with-adfs-2-0-and-a-custom-sts-such-as-identityserver/
When that author gets to the part on "Select Transform an Incoming Claim from the Claim rule template drop-down:", I'd probably do it a bit differently. I'd instead do this:
* Select "Send LDAP Attributes as Claims"
* Send the "mail" attribute as outgoing claim type "Name ID" (or whatever attribute you want to use in LDAP for your Google usernames)
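The ADFS side of the steps above, as an added PowerShell example (not code from the thread or from the linked guide): it registers Google Apps as a relying party, allows all authenticated users through, and issues the AD "mail" attribute as the SAML Name ID via the "Send LDAP Attributes as Claims" template. The Google domain "domain.k12.wi.us", Google's entity ID "google.com" and the ACS URL pattern https://www.google.com/a/<domain>/acs are assumptions; confirm them against the SSO page of your own Google admin console before running it on an ADFS server.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the
# ADFS server (ADFS 2.0 needs "Add-PSSnapin Microsoft.Adfs.PowerShell" first).
# Assumed values: the Google Apps domain, Google's entity ID and ACS URL.
$googleDomain = "domain.k12.wi.us"
$acsUrl       = "https://www.google.com/a/$googleDomain/acs"   # assumption: verify in the Google admin console

# Google consumes the assertion over the HTTP-POST binding.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Step 2 (authenticate against AD by sAMAccountName) is what ADFS does by default.
# Step 4: "Send LDAP Attributes as Claims", mail -> Name ID. If "mail" does not hold
# the user's Google ID, replace ";mail;" with the attribute you populated in the
# Attribute Editor (for example ";extensionAttribute1;").
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send mail as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Without an issuance authorization rule ADFS denies every user for this trust.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name "Google Apps ($googleDomain)" `
    -Identifier "google.com" `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# The Google side needs your sign-in URL (https://<adfs-host>/adfs/ls/) and the
# token-signing certificate; export the primary one as DER for upload.
$cert = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
[IO.File]::WriteAllBytes("$env:TEMP\adfs-token-signing.cer",
    $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# Sanity check: the endpoint and both rule sets should show on the trust.
Get-AdfsRelyingPartyTrust -Name "Google Apps ($googleDomain)" |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules, IssuanceAuthorizationRules
```

Two checks worth doing before rolling this out to students: sign in as a test account whose "mail" differs from sAMAccountName@domain and confirm Google lands in the right mailbox (the Name ID is the only thing Google matches on), and rotate the token-signing certificate in a test window, since Google only trusts the certificate you uploaded and a silent auto-rollover will break every login.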
They paid $1mil for 4 servers to do the same thing.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
The OP is using GAFE, Google Apps for Education. It's basically the same as the commercial offering. Students don't create their own accounts, the district likely has a process in place that automatically provisions the new accounts using something like Google Apps Directory Sync or a 3rd party app that uses the Google Accounts APIs. Kids / employees go to sign in and it Just Works. (TM).
(Source: I've implemented GAFE / GADS at a K-12.)
School may not be a democracy, but the school also can't do whatever it pleases. Handing over information to corporations seems unacceptable to me, especially if it's a public school.
School isn't a democracy
School boards are elected.
Plus, as it is publicly funded, attendance is essentially mandatory (private and homeschooling alternatives aside), AND it involves children.
It should be held to the highest privacy standards.
A public school absolutely should NOT be loading advertising companies with profiles of our children. As a parent and as a taxpayer I am against it on both fronts.
I absolutely should have some say in whether my kids are served up to google.
And schools are generally pretty upfront and careful. I get asked for permission for pictures of our kids to appear on the school website (declined). We had to sign permission for our kids to be set up on Office 365 (as that's what their school is trying out instead of g-apps). After a lot of consideration we elected to allow it, but monitor the kids on it closely, and are using it as a 'teaching opportunity'. But we could have declined it.
I do know of some parents who have hyper stances against their kid using the internet etc.; and as far as I know the schools have always made allowances to accommodate these. Just as they allow parents to opt kids out of sex-ed, biology dissections, field trips, and any other topics that a subset of parents may find objectionable.
Your assertion that schools can ram google or anything else down our throats and we can only say, "thank you sir, please, can i have some more?" or pull our kids out of school entirely is just ridiculous.
Well, GAFE accounts aren't normal google accounts. Function wise they're the same, but Google promotes that they are not put through the same advertising analytics that normal gmail accounts are.
From the GAFE website:
Google Apps is governed by a detailed Privacy Policy, which ensures we will not inappropriately share or use personal information placed in our systems. Google complies with applicable US privacy law, and the Google Apps Terms of Service can specifically detail our obligations and compliance with FERPA (Family Educational Rights and Privacy Act) regulations. Google is registered with the US-EU Safe Harbor agreement, which helps ensure that our data protection compliance meets European Union standards for educational institutions
FERPA is the big stickler here, as google really couldn't offer the service without being FERPA compliant, and they couldn't run Google Business as usual and still be FERPA compliant.
Now, as to whether you choose to believe their claims, that's another story, but you're approaching it with a lot of misinformation, it seems.
"And what guarantees will you make against PHI disclosure?"
You can't fully disclose PHI = it's an irrational number
= (1 + √5) / 2
Overall, I was quite pleased at the presentation my children's school gave to the parents that attended "technology night". Privacy concerns, including advertising data, were among the many topics discussed, and the district and school representatives who were involved in the deployment had just about all the answers we needed. In our particular case, it turns out that all of the tracking data is restricted to authorized district personnel, and can be/is destroyed on-demand (after a student leaves the school, etc).
As I'm not directly involved (just a parent of a couple of students), I can't say what has been implemented thus far, but I don't believe they're doing any AD-to-Google SSO; from what I can tell, they are managed independently. Unfortunately, I can't help in this regard.
Overall, for those concerned about privacy around student accounts, I encourage you to reach out to your school and ask for a copy of their "terms of service", both for the students using the accounts, as well as for the school/district usage of Google's services. From what I've seen of the local implementation here, I'd say they have kids' privacy (at least from an advertising perspective) at the forefront of their policies.
Don Head
UNIX/Linux Administrator
That's the login format for schools across the country. It's not exactly a state secret.
{} ------ When I think of a good sig, I'll put it here