If your company uses Google Apps for its email, you can integrate it into your LemonLDAP::NG SSO. This is done with the SAML2 protocol: Google Apps acts as a SAML service provider, and LemonLDAP::NG (whose Issuer module is enabled below) acts as the identity provider.
Since messages are exchanged between Google's servers and your LemonLDAP::NG server, your SSO portal must be reachable from the Internet.
This post does not cover setting up Google Apps itself; see Google's documentation for that.
Note that this setup works even with a free Google Apps account!
For SAML, LL::NG relies on the Perl bindings of the Lasso library, which Debian does not package by default. To install them (the repository below is compatible with Squeeze):
# vim /etc/apt/sources.list.d/entrouvert.list
deb http://deb.entrouvert.org/ lenny main
deb-src http://deb.entrouvert.org/ lenny main
# wget -O - -q http://deb.entrouvert.org/entrouvert.gpg | apt-key add -
# apt-get update
# apt-get install liblasso3-perl
# service apache2 restart
In the LL::NG manager:
- General Parameters => Issuer Module => SAML => Activation: On
- SAML2 Service => NameID Format => Email: mail
- SAML2 Service => Security parameters => Signature => Private key => Generate
- SAML2 Service => Security parameters => Encryption => Private key => Generate
- SAML2 Service => Organization => Display Name / Name / URL (for information)
Then add a SAML service provider:
- SAML service provider => New service provider
- SAML service provider => your_service_name => Metadata
Be sure to replace the CHANGE_ME placeholder!
- SAML service provider => your_service_name => Options => Authentication response => Default NameID format: Email
- SAML service provider => your_service_name => Options => Signature: everything deactivated except “Sign SSO message”
Then create a certificate that Google will use to verify the signed SAML messages:
- SAML2 Service => Security parameters => Signature => Private key => Download this file (lemonldap.key)
$ openssl req -new -key lemonldap.key -out lemonldap.csr
$ openssl x509 -req -days 3650 -in lemonldap.csr -signkey lemonldap.key -out lemonldap.pem
Google Apps configuration for SSO
Log in to the administration dashboard with a super-admin account (address: http://www.google.com/a/CHANGE_ME).
In Advanced settings => SSO:
- Check Enable SSO
- Sign-in page URL: http://auth.changeme.com/saml/singleSignOn
- Sign-out page URL: http://auth.changeme.com/?logout=1
- Change password URL: http://auth.changeme.com
- Verification certificate: upload the certificate generated earlier (lemonldap.pem)
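Before pasting the metadata into the manager and typing the URLs into the Google dashboard, it is worth checking the two sides against each other. The following Python script is an added example, not code from the original post or from LemonLDAP::NG. It assumes that the CHANGE_ME placeholder stands for the Google Apps domain (as in the dashboard address above), and its constructed sample metadata uses an entityID and assertion consumer URL that are assumptions to be checked against the LemonLDAP::NG documentation. It flags a leftover CHANGE_ME, a NameID format other than e-mail (which would not match the mail attribute LL::NG is configured to send), and SSO URLs that differ from the portal's endpoints or are served over plain http, since the sign-in page is where the user's password is entered.

```python
"""Pre-flight checks for the LL::NG <-> Google Apps SAML setup (added example).

Not code from the original post or from LemonLDAP::NG: it uses only the
Python standard library to catch, before anything is pasted into the
manager or the Google dashboard, the mistakes this kind of setup is prone
to: a CHANGE_ME placeholder left in the SP metadata, a NameID format that
does not match the "Email : mail" setting on the LL::NG side, and SSO URLs
that do not point at the LL::NG portal.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the standard SAML2 metadata layout.  The entityID
# and the ACS Location are assumptions for this example (CHANGE_ME is taken
# to be the Google Apps domain, as in the dashboard URL of the post); use
# the metadata from the LemonLDAP::NG documentation for a real setup.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="google.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/CHANGE_ME/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def fill_domain(metadata, domain):
    """Replace the CHANGE_ME placeholder with the real Google Apps domain."""
    return metadata.replace("CHANGE_ME", domain)


def check_sp_metadata(metadata):
    """Return the list of problems found in SP metadata; an empty list means it looks sane."""
    problems = []
    root = ET.fromstring(metadata)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        return ["root element is not md:EntityDescriptor"]
    if not root.get("entityID"):
        problems.append("missing entityID")
    sp = root.find("{%s}SPSSODescriptor" % MD_NS)
    if sp is None:
        return problems + ["no SPSSODescriptor: this is not service-provider metadata"]
    # LL::NG is configured to send the user's mail attribute as NameID, so the
    # SP must announce the emailAddress format ("Default NameID format: Email").
    formats = [e.text.strip() for e in sp.findall("{%s}NameIDFormat" % MD_NS) if e.text]
    if EMAIL_NAMEID not in formats:
        problems.append("NameIDFormat is not emailAddress; it will not match the Email NameID sent by LL::NG")
    services = sp.findall("{%s}AssertionConsumerService" % MD_NS)
    if not services:
        problems.append("no AssertionConsumerService: LL::NG would have nowhere to POST the assertion")
    for svc in services:
        location = svc.get("Location", "")
        if "CHANGE_ME" in location:
            problems.append("placeholder CHANGE_ME left in ACS Location %s" % location)
        if not location.startswith("https://"):
            problems.append("ACS Location is not https: %s" % location)
        if svc.get("Binding") != HTTP_POST:
            problems.append("unexpected ACS Binding %s" % svc.get("Binding"))
    return problems


def check_google_sso_urls(settings, portal):
    """Compare the three URLs entered in the Google Apps SSO page with the LL::NG portal.

    settings: dict with keys sign_in, sign_out and change_password
    portal:   base URL of the LL::NG portal, without trailing slash
    Plain-http URLs are flagged: the sign-in page receives the user's
    password, so it should be served over TLS.
    """
    expected = {
        "sign_in": portal + "/saml/singleSignOn",
        "sign_out": portal + "/?logout=1",
        "change_password": portal,
    }
    problems = []
    for key, wanted in expected.items():
        got = settings.get(key, "")
        if got != wanted:
            problems.append("%s: expected %s, got %s" % (key, wanted, got))
        if not got.startswith("https://"):
            problems.append("%s: not served over https" % key)
    return problems


if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_METADATA))
    print(check_sp_metadata(fill_domain(SAMPLE_METADATA, "example.com")))
```

Run it once on the metadata as downloaded (it reports the leftover placeholder) and once after `fill_domain`; then feed the three URLs you typed into the Google dashboard to `check_google_sso_urls` together with your portal base URL before saving the settings.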
Connecting to Google Apps
The SAML integration between Google Apps and LemonLDAP::NG should now be complete. If you try to connect to your Google Apps account without an active session, you are automatically redirected to LL::NG; if you already have a session, you are automatically logged in to Google Apps.
If you run into trouble, you can still authenticate directly at this URL: http://www.google.com/changeme.com
The mail attribute of each user in your LDAP directory must correspond to an account declared in your Google Apps. A future post will show how to sync your LDAP directory with Google Apps using Google Apps Directory Sync.