Discussion:
Setting up Google Apps SSO
Dave Perry
2014-08-19 13:29:44 UTC
I know this has been done, so hoping some of you on here have managed it.

I've been given the admin login, and the domain is verified. What I can't figure out is:

- What the signin page and signout page URLs should be

- Should the idp.crt (based on when we last updated the IdP) in idphome/credentials be the file I upload to them? I can't remember the key

Thanks in advance

_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning-NOSDTyrR4+***@public.gmane.org<mailto:***@hull-college.ac.uk> *


**********************************************************************
This message is sent in confidence for the addressee
only. It may contain confidential or sensitive
information. The contents are not to be disclosed
to anyone other than the addressee. Unauthorised
recipients are requested to preserve this
confidentiality and to advise us of any errors in
transmission. Any views expressed in this message
are solely the views of the individual and do not
represent the views of the College. Nothing in this
message should be construed as creating a contract.

Hull College owns the email infrastructure, including the contents.

Hull College is committed to sustainability, please reflect before printing this email.
**********************************************************************

Ben Branch
2014-08-19 13:52:46 UTC
I haven't configured Shibboleth for Google Apps, but I found this on the Google Dev site.

https://developers.google.com/google-apps/help/articles/shibboleth2.0

Hope this helps.

Ben Branch
UNIX/Linux Administrator
University of Central Oklahoma
ITIL Foundation v3, Network+, RHCSA

100 N. University Drive, Box 122
Edmond, OK 73034
D: 405.974.2649 | M: 405.550.6804 | ***@uco.edu | www.uco.edu

"I am wiser than this man, for neither of us appears to know anything great and good; but he fancies he knows something, although he knows nothing; whereas I, as I do not know anything, so I do not fancy I do. In this trifling particular, then, I appear to be wiser than he, because I do not fancy I know what I do not know." - Socrates

**Bronze+Blue=Green** The University of Central Oklahoma is Bronze, Blue, and Green! Please print this e-mail only if absolutely necessary!

**CONFIDENTIALITY** -This e-mail (including any attachments) may contain confidential, proprietary and privileged information. Any unauthorized disclosure or use of this information is prohibited.
Cantor, Scott
2014-08-19 14:05:03 UTC
Post by Dave Perry
I know this has been done, so hoping some of you on here have managed it.
I've been given the admin login, and the domain is verified. What I can't
- What the signin page and signout page URLs should be
Because those aren't SAML terms, so their approach to this sucks.

If by signin page, they mean the SSO service endpoint, that depends on the
binding. The Redirect binding endpoint is at
/idp/profile/SAML2/Redirect/SSO

There is no fully workable logout support. The information on logout in
the wiki is in the IdPEnableSLO topic.
Post by Dave Perry
Should the idp.crt (based on when we last updated the IdP) in
idphome/credentials be the file I upload to them?
Probably.

-- Scott
--
To unsubscribe from this list send an email to users-***@shibboleth.net
Dave Perry
2014-08-19 14:53:34 UTC
It does Ben, thanks. Shame they didn't put a link to it as 'how to set this up' on the google admin page (that I could see)...

And Scott yes I've seen the logout stuff. The guide Ben linked to suggests a page telling the user what to do, so that's what I've done. I haven't bothered explaining all the scenarios to end users, if I have to I'll worry about that then.

At least I was right about which cert file to upload! How I test this I'll fret about when I've done the attribute stuff.


Dave

David Gersic
2014-08-19 16:23:21 UTC
Post by Dave Perry
It does Ben, thanks. Shame they didn't put a link to it as 'how to set this
up' on the google admin page (that I could see)...
If you're new to Google Apps for Education, get used to it. Their docs, generally, suck. At least the ones you can find do. You'll find lots of docs that are "end user" level stuff, telling you how great their services are. You'll not find much technical doc, and what you do find won't be helpful, or right.
David Gersic
2014-08-19 16:20:40 UTC
Post by Dave Perry
I know this has been done, so hoping some of you on here have managed it.
I did it here a couple of years ago. I don't recall it being all that hard to set up. I remember following this doc (https://developers.google.com/google-apps/help/articles/shibboleth2.0), which was imperfect but I didn't have trouble working around the bits that weren't quite right.
Post by Dave Perry
- What the signin page and signout page URLs should be
Sign in page is the URL to your IdP.

Sign out page is the URL you want them sent to when they "log out" in Google.
Post by Dave Perry
- Should the idp.crt (based on when we last updated the IdP) in
idphome/credentials be the file I upload to them? I can't remember the key
IIRC, yes, you upload the idp.crt and you download the Google metadata and install it in to your IdP.
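
The two concrete answers in this thread (the Redirect-binding SSO endpoint path and uploading idp.crt) can be sanity-checked before anything is entered in the Google admin console. The script below is an added example, not part of any poster's message or of Shibboleth itself; idp.example.org and the throwaway key pair it generates are constructed placeholders standing in for the real host and for idp.crt / idp.key.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): checks to run on idp.crt before upload.
# idp.example.org and the generated key pair are constructed placeholders.

# Succeeds only if the certificate carries the public half of the private key.
cert_matches_key() {
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Succeeds if the certificate is still valid N days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# SHA-256 fingerprint, to record exactly which certificate was uploaded.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Redirect-binding SSO endpoint (path from the thread) for an IdP host name.
sso_redirect_url() {
  printf 'https://%s/idp/profile/SAML2/Redirect/SSO\n' "$1"
}

# Constructed sample: a throwaway self-signed pair standing in for
# idp.crt / idp.key so the checks run offline.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=idp.example.org" -keyout "$1/idp.key" -out "$1/idp.crt" 2>/dev/null
}

demo() {
  local dir; dir=$(mktemp -d)
  make_sample_pair "$dir"
  if cert_matches_key "$dir/idp.crt" "$dir/idp.key"; then echo "cert matches key"; fi
  if cert_valid_for_days "$dir/idp.crt" 7; then echo "valid for 7+ days"; fi
  echo "fingerprint: $(cert_fingerprint "$dir/idp.crt")"
  echo "sign-in URL: $(sso_redirect_url idp.example.org)"
  rm -rf "$dir"
}
demo
```

Against a real IdP, point `cert_matches_key` at the idp.crt and idp.key in the credentials directory; a mismatch means the uploaded certificate would not verify the IdP's signatures.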