There are a couple of things you can do with Google Apps.
You can set up a SAML server connected to your AD network and then set up Google to authenticate your Google Apps access against the SAML server. We used a PHP application called simpleSAMLphp because we already have servers set up to run PHP and we have developers with PHP skills. The drawback of using a SAML solution alone is that you can only log in to accounts through the web. This means you cannot access your mailbox through IMAP/POP, and you cannot log in to Google Talk with any old XMPP client.
Using SAML does not automatically create accounts in the Google Apps domain. You will also probably need a tool that synchronizes accounts; for that you can use the Google Apps Directory Sync tool. This will allow you to create accounts, but it still will not sync passwords by default, because the Windows password hashes are not reversible and Google cannot do anything with them.
It is possible to use something like PasswdHk to intercept password changes in your AD and then store the password in a format (unsalted SHA1) that the Google Directory Sync utility can use to set the Google Apps passwords. But this does add a bit of security risk, since Google will only accept unsalted MD5 or SHA1 password hashes through its Provisioning API, and to sync with Google you basically must store these hashes. If you are going to use this, it is very important to keep these hashes secure.
Hmmph. You had me all excited about SAML until the bit about IMAP/POP. That'd kill all the folks using Windows Mobile and BlackBerry clients, wouldn't it? Any clever alternatives there?
If you are willing to accept the risk of storing the password hashes, then you are able to combine the SSO and the directory syncing together to get a working system.
As an alternative, someone could develop an intranet portal where users in your domain would go to initialize their Google account and set the password for the Google account. I had considered developing something like this, but could not get my coworkers to agree that it was the way to go.
The basic idea is this: build a webapp that
Lives on your intranet and authenticates against your Active Directory
Has a function that takes the username and password the user used to log in to the intranet site, gets any other information you need from the AD, and then uses the Google Provisioning API to add/update the user's account.
Building the tool really should not be too difficult; I had estimated that hacking out something basic would only take 12-16 hours of development time. The advantage of this solution is that it gives you 100% Google Apps functionality; the downside is that it somewhat inconveniences the end user.
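As an added illustration of the portal step described above and of the unsalted-hash format mentioned in the first answer (example code, not the poster's or Google's): it takes the credentials the portal has just verified against AD, computes the unsalted SHA-1 the directory sync and Provisioning API accepted, and builds the user entry to submit. The Atom element and attribute names are assumed from the since-retired Provisioning API user feed (the Admin SDK Directory API replaced it), and the `hashes_collide` helper is added here to make the risk of storing unsalted hashes concrete.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespaces of the legacy Google Apps Provisioning API user feed
# (assumed from the retired API; verify against current documentation).
ATOM = "http://www.w3.org/2005/Atom"
APPS = "http://schemas.google.com/apps/2006"
ET.register_namespace("atom", ATOM)
ET.register_namespace("apps", APPS)


def google_password_hash(password: str) -> str:
    """Unsalted SHA-1 hex digest, the form (besides MD5) the API accepted."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_user_entry(username, password, given_name, family_name):
    """Build the Atom <entry> a portal would POST to add/update one user.

    The caller is the intranet portal: it has just verified username/password
    against AD, so the plaintext is available for hashing exactly once and
    never needs to be written to disk.
    """
    entry = ET.Element(f"{{{ATOM}}}entry")
    ET.SubElement(entry, f"{{{ATOM}}}category", {
        "scheme": "http://schemas.google.com/g/2005#kind",
        "term": f"{APPS}#user",
    })
    ET.SubElement(entry, f"{{{APPS}}}login", {
        "userName": username,
        "password": google_password_hash(password),
        "hashFunctionName": "SHA-1",
        "suspended": "false",
    })
    ET.SubElement(entry, f"{{{APPS}}}name", {
        "familyName": family_name,
        "givenName": given_name,
    })
    return ET.tostring(entry, encoding="unicode")


def hashes_collide(password_a: str, password_b: str) -> bool:
    """True when two users' stored hashes are identical: with no salt, equal
    passwords are visible as equal hashes to anyone who can read the store."""
    return google_password_hash(password_a) == google_password_hash(password_b)


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    print(build_user_entry("jdoe", "correct horse", "Jane", "Doe"))
    print("same password -> same hash:", hashes_collide("Summer2010", "Summer2010"))
```

Because the hash is unsalted, the store PasswdHk feeds must be protected like the plaintext passwords themselves, which is the point the first answer makes.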