Integrating ESOE with Google Apps for your domain

Authors
Bradley Beddoes

Applicable versions
Beta 2

Overview

Google offers a service called "Google Apps for your domain" which exposes various functionality to your users, such as GMail, Google Calendar, Google Documents and other services. Through our work with Google engineering, ESOE can act as an identity broker between Google and your enterprise, allowing true single sign-on to these applications.

To enable this functionality you will require an educational or premium Google service.

Required attributes

Using the Google service requires that the email addresses of your users be exposed to the ESOE locally. By default this is resolved from an attribute called 'mail'; use ESOE Manager to ensure that your attribute resolution is set up correctly.

Provisioning Accounts

ESOE does not yet automatically provision accounts to Google on your behalf; you will need to do this in advance, either manually or using the Google provisioning API.

Exporting crypto

To communicate with Google you need to have the ESOE public key available in DER format.

To retrieve it, navigate to the directory esoe.data/config and perform the following actions:

  1. Read the esoe.config file and make note of the values for keyAlias-1 and keystorePassword-1. These are randomly assigned and will not mean much to you.
  2. Execute the following command: "keytool -export -keystore ./esoeKeystore.ks -alias <keyAlias-1> -file google.crt" (ensure you replace <keyAlias-1> with the value noted above).
  3. You will be prompted for the keystore password; enter the value of keystorePassword-1.
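The three steps above can be scripted so the alias and password are read straight from esoe.config rather than copied by hand. The following is an added example, not part of the ESOE documentation or the ESOE project's own tooling. It assumes esoe.config is a Java-style properties file with one key=value per line (the page does not state the file format), and it passes the keystore password with keytool's -storepass option instead of answering the interactive prompt. The sample esoe.config it writes is constructed for demonstration only.

```shell
#!/bin/sh
# Added example: export the ESOE public certificate for Google in DER format.
# Assumption: esoe.config is a properties file with lines like "keyAlias-1 = value".

# Read one property value from a properties file, trimming surrounding whitespace.
# Prints nothing if the key is absent.
esoe_config_value() {
  # $1 = config file, $2 = property name
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Build the exact keytool command given on the page, with the alias filled in.
esoe_export_command() {
  # $1 = keystore path, $2 = key alias, $3 = output file
  printf 'keytool -export -keystore %s -alias %s -file %s\n' "$1" "$2" "$3"
}

# Run the export non-interactively. keytool -export writes only the certificate
# (public key), so google.crt is safe to copy to the Google admin console; the
# keystore and keystorePassword-1 stay on the ESOE host.
# Returns 0 on success, 1 if the config lacks the values, 2 if keytool is absent.
esoe_export_cert() {
  cfg_dir="$1"   # e.g. esoe.data/config
  out_file="$2"  # e.g. google.crt
  key_alias=$(esoe_config_value "$cfg_dir/esoe.config" keyAlias-1)
  ks_pass=$(esoe_config_value "$cfg_dir/esoe.config" keystorePassword-1)
  if [ -z "$key_alias" ] || [ -z "$ks_pass" ]; then
    echo "keyAlias-1 or keystorePassword-1 not found in $cfg_dir/esoe.config" >&2
    return 1
  fi
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; run this on the ESOE host" >&2
    return 2
  fi
  keytool -export -keystore "$cfg_dir/esoeKeystore.ks" -alias "$key_alias" \
    -storepass "$ks_pass" -file "$out_file"
}

# Check that the exported file really parses as a DER certificate (the format
# Google expects) before uploading it. Returns 2 if openssl is not installed.
esoe_check_der() {
  command -v openssl >/dev/null 2>&1 || return 2
  openssl x509 -inform DER -in "$1" -noout -subject
}

# Demonstration against a constructed esoe.config (no real keystore present).
demo_dir=$(mktemp -d)
cat > "$demo_dir/esoe.config" <<'EOF'
# constructed sample, not a real ESOE configuration
keyAlias-1 = 9f3a1c2b-sample-alias
keystorePassword-1 = SamplePassword123
EOF
demo_alias=$(esoe_config_value "$demo_dir/esoe.config" keyAlias-1)
echo "would run: $(esoe_export_command ./esoeKeystore.ks "$demo_alias" google.crt)"
# On a real install, from the ESOE root:
#   esoe_export_cert esoe.data/config google.crt && esoe_check_der google.crt
```

Run esoe_export_cert from the ESOE installation root so that esoe.data/config resolves; only the resulting google.crt needs to leave the host.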

Configuring Google Apps

As an administrator in the Google Apps domain you will have an option called 'Advanced Tools'; within it you should see an option for 'Set up single sign-on (SSO)'.

  1. Tick the Enable Single Sign On box
  2. Set Sign-in page URL to https://<host>/sso, e.g. https://esoe.intient.com/sso
  3. Set Sign-out page URL to https://<host>/logout, e.g. https://esoe.intient.com/logout
  4. Set Change password URL to the URL users use to manage their identity at your enterprise.
  5. Set Network masks to 0-255.0.0.0/1
  6. Click save
  7. For Verification certificate click browse and locate your google.crt file (you may need to copy this from the ESOE to your local machine), then click upload

Google is now configured; you can log out of the administrator account.

Testing

To test the integration, navigate to http://partnerpage.google.com/<yourdomain>; you should be redirected to the ESOE login service and then back to Google successfully.

Feedback

We aim to continually improve this documentation set to make it as easy as possible for new and seasoned users alike to set up Google integration. We welcome any comments or additions you may have on the ESOE users mailing list at any time.