
Edugate Workshop

Edugate Workshop. (Google Apps integration). Workshop Structure. Second of a series of Workshops. Introduction (previous workshop) Advanced (pilot participants) Joining the Edugate Federation (all). Workshop Content. Reminder of Federated Access Introduction to Google Apps integration

adonis

Presentation Transcript


  1. Edugate Workshop (Google Apps integration)

  2. Workshop Structure • Second of a series of Workshops. • Introduction (previous workshop) • Advanced (pilot participants) • Joining the Edugate Federation (all)

  3. Workshop Content • Reminder of Federated Access • Introduction to Google Apps integration • Hands-on • Connecting to Google Apps • Enabling HA • Edugate RR

  4. Objectives • Provide you with enough knowledge to use your IdP to avail of SaaS. • Make your IdP part of your infrastructure

  5. Reminder Why federate? • SSO • Within the campus (with or without SAML) • Beyond the campus (bilaterally outside the campus) • Within a federation (with SAML) • Beyond a federation (inter-federation with SAML)

  6. Reminder Why federate? • Collaboration • VLE (LMS or eLearning) • Wiki • Portal • GRID / HPC • SaaS (Google Apps and others) • Other...

  7. Reminder Why federate? • Who are your federation partners? • Research Groups (cross institutional) • Shared Resources (NDLR, IReL) • Hospitals • Government R&D (ESRI, EPA) • Your campus libraries • Providers of student services (Travel Cards etc.)

  8. Reminder How to federate? • Bilaterally • Your IdP with Google’s SP My institution Google

  9. Reminder How to federate? • Multilaterally • Google • SalesForce CRM • Live@Edu Me (IdP) You (SP) Other (IdP & SP)

  10. Reminder How to federate? • As a member of a federation • This is Edugate

  11. Reminder What tools to federate? • OpenSource • Shibboleth 1.3 and 2.0+ • SimpleSAMLphp • Commercial • Ping ID • Sun Access Manager • Novell iChain • ADFS • Oracle Identity Manager / Oracle Identity Federation

  12. Reminder How to integrate? • Loose integration • Replace existing Authentication (AuthN) with Shibboleth AuthN. • Application adds group, role to Shibboleth ‘user’ later, and handles AuthZ

  13. Reminder • Authentication (AuthN) • Shibboleth Authentication • Web server or application • Campus SSO

  14. Reminder • Attribute handling • Attributes to release • Signed or encrypted attributes

  15. Reminder • Session Start • From portal • From target

  16. Reminder • High availability • Apache Load-balancing • DNS • Hardware device

  17. SaaS • How do you avail of SaaS without adding to your identity management costs? • Synchronise accounts incl. passwords • Synchronise accounts and use SSO • Let users ‘register’ for accounts

  18. Google Apps • How do you avail of SaaS without adding to your identity management costs? • Synchronise accounts incl. passwords or • Synchronise accounts and use SSO

  19. Google Apps • Synchronise accounts incl. passwords 1. User logs in to the web-based application using a username and password issued and set up by you 2. User changes password and then confuses it with institutional password • Synchronise accounts and use SSO • User logs in with institutional account on your portal; there is only one password (well almost!)

  20. Google Apps Caveats of the SSO option • IMAP passwords • Sync’ing passwords from AD (SSO problem?) • email for life • IDP failure • User familiarity • Mapping AD accounts to Google Accounts • No provisioning on-the-fly

  21. Google Apps Caveats of the SSO option • IMAP passwords • When accessing Gmail from an IMAP client, you will need an IMAP password; this can be seeded by you, but the user can change it. • IMAP users have two passwords

  22. Google Apps Caveats of the SSO option • Sync’ing passwords from AD (SSO problem?) • AD keeps passwords in binary; the user can change his/her password by pressing CTRL+ALT+DEL • Changed passwords cannot be sent to Google Apps for IMAP users • This problem is not strictly an SSO problem

  23. Google Apps Caveats of the SSO option • Email for life • Google Account is accessed via SSO • Institution must maintain the user’s account somewhere (ideally not in the same location as staff/students)

  24. Google Apps Caveats of the SSO option • IdP failure • IdP fails – access to Google Apps stops! • Administrator disables SSO temporarily – but do users know their Google Apps password (seeded/changed)? • IdP becomes a critical component – support?

  25. Google Apps Caveats of the SSO option • User familiarity • User might find it unusual to be sent to the IdP to access ‘Gmail’? • Is this phishing? • What credential do I enter, my institution’s or department’s?

  26. Google Apps Caveats of the SSO option • Mapping AD accounts to Google Accounts • Particularly a problem for existing Google Accounts that do not follow the naming convention in the directory. • Shibboleth – ScriptedAttributeResolver • SimpleSAMLphp – attribute alter module • Can the user authenticate with a different username to the username on the Google side? • Can users reside in different directories?

  27. Google Apps Caveats of the SSO option • No provisioning on-the-fly • Accounts still have to be provisioned at Google • Wasted effort for unused accounts • Regular synchronisation needed – how often?

  28. Google Apps Benefits of the SSO option • User places more value in the credential • Reduced password resets • Strong password policy becomes realistic • Edugate services • Library will stop issuing their own credentials • A win-win • Data accuracy and protection

  29. Google Apps Setting up SSO in Google Apps • Provision (and deprovision) accounts • Google Apps Directory Sync • Enable SSO • Shibboleth, simpleSAMLphp or other.

  30. Google Apps • Provision (and deprovision) accounts • Google Apps Directory Sync Video: http://www.postini.com/webdocs/training/en/DirSync_GoogleApps/DirSync_GoogleApps.html

  31. Google Apps • Enable SSO • Shibboleth, simpleSAMLphp or other. • Shibboleth • https://shibboleth.usc.edu/docs/google-apps/ • simpleSAMLphp • http://rnd.feide.no/content/simplesamlphp-idp-google-apps-education • High Availability • Janusz Video: http://www.postini.com/webdocs/training/en/DirSync_GoogleApps/DirSync_GoogleApps.html
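
Added example (not part of the original slides): the mapping caveat on slide 26, worked through as a check you can run before enabling SSO. It is plain JavaScript, not Shibboleth or simpleSAMLphp configuration, and the domain, directory labels, account names and override table are constructed assumptions.

```javascript
// Added illustration in plain JavaScript; not Shibboleth or simpleSAMLphp config.
// Domain, directory labels, accounts and overrides are constructed sample data.
const GOOGLE_DOMAIN = "example.edu";

// Existing Google accounts that do not follow the directory naming convention.
const OVERRIDES = new Map([["staff/jmurphy", "john.murphy"]]);

// Normalise a directory account name and reject anything unexpected.
function normalise(name) {
  const n = String(name).trim().toLowerCase();
  if (!/^[a-z0-9][a-z0-9._-]*$/.test(n)) {
    throw new Error("refusing to map unexpected account name: " + name);
  }
  return n;
}

// Identifier the IdP would assert to Google for this directory account.
function googleNameId(account) {
  const name = normalise(account.name);
  const key = account.dir + "/" + name;
  return (OVERRIDES.get(key) || name) + "@" + GOOGLE_DOMAIN;
}

// Audit: Google accounts that more than one directory account resolves to.
// Each hit means two people would sign in to the same mailbox.
function findCollisions(accounts) {
  const owners = new Map();
  for (const account of accounts) {
    const target = googleNameId(account);
    const who = account.dir + "/" + normalise(account.name);
    owners.set(target, (owners.get(target) || []).concat(who));
  }
  return [...owners]
    .filter(([, who]) => who.length > 1)
    .map(([target, who]) => ({ target, who }));
}

// Constructed sample: two directories, one legacy override.
const SAMPLE_ACCOUNTS = [
  { dir: "staff", name: "JMurphy" },         // override -> john.murphy
  { dir: "students", name: "john.murphy" },  // collides with the override target
  { dir: "staff", name: "aoconnor" },
  { dir: "students", name: "aoconnor" },     // same name in two directories
  { dir: "students", name: "bkelly" },
];
console.log(findCollisions(SAMPLE_ACCOUNTS));
```

Both collisions correspond to the questions the slide asks: a username that differs on the Google side, and users held in different directories.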
