Contents

  1. Overview
  2. Understanding SAML-based SSO for Google Apps
  3. Configure Google Apps for Education

Security Assertion Markup Language (SAML) is an XML standard that allows secure web domains to exchange authentication data. This is very useful and time saving when you need to log in to several Google applications (Gmail, Google Apps for Education, etc.) and your Arbor account. Arbor provides an entry point for single sign-on (SSO), meaning that all you have to do is log in to your Arbor account and you will automatically be logged in to all your Google applications.

Overview

This tutorial will guide you through setting up SSO for a "Google Apps for Education" account. In this case, Google acts as the service provider: it provides services like Gmail and the apps for education mentioned above. Google's partner (in this case Arbor) acts as the identity provider. When you try to access a Google application, you will be redirected to your Arbor account, where you'll be asked to log in if you are not already. Arbor verifies your identity (which is why it is the identity provider), and on successful login you will also be logged in to and redirected to your Google apps.

Understanding SAML-based SSO for Google Apps

The diagram shown below illustrates how a user is logged in to Google apps using a partner (Arbor) identity provider SSO service. Before you can use this process, you have to register the Arbor SSO endpoints with your "Google Apps for Education" account. For this you'll need administrator privileges on your Google account.

Transaction steps explained:

  1. The user tries to access a Google application. In order to use SSO, the user has to access a customized Gmail URL (more on this later). If the school's application is registered with Arbor as, say, https://my.school.arbor.sc, then the Gmail URL the user will access is http://mail.google.com/a/my.school.arbor.sc. By supplying "my.school.arbor.sc" at the end of the URL we are telling Google to look for an account with a customized SSO service.
  2. Google has found our account and retrieved the customized SSO SAML parameters for my.school.arbor.sc. Now Google knows where to redirect the user for authentication. You set this URL on the SAML settings page of "Google Apps for Education"; this redirection is explained further in "Configure Google Apps for Education". At this point Google generates a SAML request containing a timestamp, certificate, redirect URL, etc.
  3. Google redirects the browser to the partner (Arbor) SAML SSO identity provider entry point. This entry point is configured by Arbor for every school, so you don't have to worry about it. The browser follows the redirect to the Arbor SAML SSO entry point.
  4. When redirected to the Arbor SAML SSO entry point, the user is prompted with a simple login form. This happens if the user is not already signed in to an Arbor account; in that case the user supplies Arbor credentials and submits the login form. If the user is already signed in to Arbor, the browser is automatically redirected back to Google (step 6).
  5. After the Arbor credentials are submitted (signing in to the Arbor account), the Arbor SAML identity provider generates a SAML response. This response contains basic data about the user (email), the certificate used to sign the XML response and other data required by the SAML protocol. Arbor extracts the Assertion Consumer Service (ACS) URL and the user's destination (the RelayState parameter). No password is sent in this or any other response. The response is sent using the POST method.
  6. The browser receives the response generated by Arbor (step 5) and redirects the user back to Google's Assertion Consumer Service (ACS).
  7. Google's ACS verifies the SAML response produced by Arbor. This is done using Arbor's public key (you will get one). On successful verification of the response, the ACS redirects the user to the destination URL.
  8. The user is authenticated, logged in to Google Apps and redirected to the destination URL.

Configure Google Apps for Education

Start by logging in to your Google Apps for Education account panel. You should do this with your admin account. When you're logged in, select "Configure security settings".

Then select "Setup single sign-on". On the right side of the panel you'll see SSO settings.

Make sure to check "Setup SSO with third party identity provider" and "Use a domain specific issuer".

Now you will configure settings for third party identity provider (Arbor).

  • Setup SSO with third party identity provider: checking this option will enable SSO for your "Google Apps for Education" account.

  • Sign-in page URL: this is the Arbor SAML SSO sign-in entry point. It should look like https://my.school.arbor.sc/saml2/auth/authenticate?as=arbor-user (make sure to replace my.school.arbor.sc with your school domain registered with Arbor). The as=arbor-user parameter is mandatory.

  • Sign-out page URL: this is the Arbor SAML SSO sign-out entry point. When you sign out of your Google Apps, this is where Google redirects you and where you are signed out. Note: you will be signed out of your Arbor account as well. Your sign-out URL should look like https://my.school.arbor.sc/saml2/auth/authenticate?as=arbor-user&logout

  • Change password URL: you will not use this with Google Apps, since you manage your password within your Arbor account, but it is a mandatory setting. Just provide an entry point like https://my.school.arbor.sc/saml2/auth?change-password, again replacing my.school.arbor.sc with your actual domain.

  • Verification certificate: when you obtain the certificate from Arbor, upload it here. To get the certificate, log in to your Arbor account and navigate to System > Api Credentials > SAML2 Settings. Copy the certificate content, save it locally and then upload it to your Google Apps for Education account.

  • Use a domain specific issuer: this option must be checked, since Arbor is the issuer.

  • Network masks: leave this value blank.

Now you are ready to test SSO. Just navigate to http://mail.google.com/a/my.school.arbor.sc and, of course, replace my.school.arbor.sc with the actual school domain registered with Google.

Below is an example of the Arbor POST request described as step 6 in the transaction steps:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c521a12351b3abbf48539eba75746b0c9197bfa3b2" Version="2.0" IssueInstant="2014-12-18T14:17:55Z" Destination="https://www.google.com/a/g.feide.no/acs" InResponseTo="kfhncllaclbidfohhhoojinnemndkolfdnojhjbm">
   <saml:Issuer>my.school.arbor.sc</saml:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:SignedInfo>
       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
       <ds:Reference URI="#_c521a12351b3abbf48539eba75746b0c9197bfa3b2">
         <ds:Transforms>
           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         </ds:Transforms>
         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
         <ds:DigestValue>uwlLlsiWT3SLbv3QzhxQoAbCg1M=</ds:DigestValue>
       </ds:Reference>
     </ds:SignedInfo>
     <ds:SignatureValue>MZyw9KpIANIuobwK7L5s8FynFqGwJ53Ajl2d9asS4rqhp0h0hcAx5Tg9nY35Lzl9xGou2CxaL2w3ZD4We78mBJU9RI97fC457rMH2D/fOcHC4c4s5Qq68FiCTEwBQ5AEkv/EUXcfOkHTRgN49/ih+6McKv+JWwrMA2k/dBNtSk0=</ds:SignatureValue>
     <ds:KeyInfo>
       <ds:X509Data>
         <ds:X509Certificate>MIICETCCAXoCCQC8m.....ONS4xY6Og=</ds:X509Certificate>
       </ds:X509Data>
     </ds:KeyInfo>
   </ds:Signature>
   <samlp:Status>
     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
   </samlp:Status>
   <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_1f14f87cc535ff6c1057158e75978b35b5f32708f5" Version="2.0" IssueInstant="2014-12-18T14:17:55Z">
     <saml:Issuer>google.com</saml:Issuer>
     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <ds:Reference URI="#_1f14f87cc535ff6c1057158e75978b35b5f32708f5">
           <ds:Transforms>
             <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
           </ds:Transforms>
           <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
           <ds:DigestValue>0Yloen20ilG7auVdtDpIprD0CJU=</ds:DigestValue>
         </ds:Reference>
       </ds:SignedInfo>
       <ds:SignatureValue>H1TioEObM0f2wDPpQ3s2XeGRZZAaulgzUKHveMIu3S06SWT9KeIlvFIzYdKD6BCWciFL11iagTQPpf+eyQEBQxzQrA1GPOa1jafNDiOTSUeNkPjo7beCmYeRotvBphM2OQOAFGPUlL1g/YFTAGUaZXohJGFCPODdzjfHo4Njukk=</ds:SignatureValue>
       <ds:KeyInfo>
         <ds:X509Data>
           <ds:X509Certificate>MIICETCCAXoC....C4IFMONS4xY6Og=</ds:X509Certificate>
         </ds:X509Data>
       </ds:KeyInfo>
     </ds:Signature>
     <saml:Subject>
       <saml:NameID SPNameQualifier="google.com" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@my.domain</saml:NameID>
       <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml:SubjectConfirmationData NotOnOrAfter="2014-12-18T14:22:55Z" Recipient="https://www.google.com/a/g.feide.no/acs" InResponseTo="kfhncllaclbidfohhhoojinnemndkolfdnojhjbm"/>
       </saml:SubjectConfirmation>
     </saml:Subject>
     <saml:Conditions NotBefore="2014-12-18T14:17:25Z" NotOnOrAfter="2014-12-18T14:22:55Z">
       <saml:AudienceRestriction>
         <saml:Audience>google.com</saml:Audience>
       </saml:AudienceRestriction>
     </saml:Conditions>
     <saml:AuthnStatement AuthnInstant="2014-12-18T13:11:00Z" SessionNotOnOrAfter="2014-12-18T22:17:55Z" SessionIndex="_3d327db8a7653e8afcbad9b8c77557682b148c4643">
       <saml:AuthnContext>
         <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
       </saml:AuthnContext>
     </saml:AuthnStatement>
   </saml:Assertion>
 </samlp:Response>
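Step 7 says that Google's ACS verifies the response before trusting it. As an added illustration (not Arbor's or Google's code), the block below shows the policy checks a service provider's ACS applies to a bearer assertion such as the one above: issuer, Destination and Recipient, InResponseTo, audience, validity window and the presence of a signature. It runs over a constructed copy of the response above with the signature bodies left out; the function and parameter names are assumptions, and the XML-DSig signature itself must still be verified separately with the certificate uploaded to Google.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the key fields of the response shown above, with the
# two signature bodies left out so the block stays short.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c521a1" Version="2.0"
 IssueInstant="2014-12-18T14:17:55Z" Destination="https://www.google.com/a/g.feide.no/acs"
 InResponseTo="kfhncllaclbidfohhhoojinnemndkolfdnojhjbm">
 <saml:Issuer>my.school.arbor.sc</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_1f14f8" Version="2.0" IssueInstant="2014-12-18T14:17:55Z">
  <saml:Issuer>my.school.arbor.sc</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  <saml:Subject><saml:NameID>admin@my.domain</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    NotOnOrAfter="2014-12-18T14:22:55Z" Recipient="https://www.google.com/a/g.feide.no/acs"
    InResponseTo="kfhncllaclbidfohhhoojinnemndkolfdnojhjbm"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2014-12-18T14:17:25Z" NotOnOrAfter="2014-12-18T14:22:55Z">
   <saml:AudienceRestriction><saml:Audience>google.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""

def ts(s):  # SAML timestamps are UTC, e.g. 2014-12-18T14:17:55Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml, idp, acs_url, audience, request_id, now):
    """Return the names of the failed checks; an empty list means the bearer assertion is
    acceptable once its XML-DSig signature has also been verified with the IdP certificate."""
    r = ET.fromstring(xml)
    a = r.find("saml:Assertion", NS)
    conf = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = a.find("saml:Conditions", NS)
    checks = [
        ("status is not Success", not r.find("samlp:Status/samlp:StatusCode", NS).get("Value").endswith(":Success")),
        ("issuer is not the registered IdP",
         {r.findtext("saml:Issuer", None, NS), a.findtext("saml:Issuer", None, NS)} != {idp}),
        ("Destination is not our ACS", r.get("Destination") != acs_url),
        ("Recipient is not our ACS", conf.get("Recipient") != acs_url),
        # ties the response to the SAML request this SP issued (step 2), so a stored response is rejected
        ("InResponseTo does not match the request we issued",
         {r.get("InResponseTo"), conf.get("InResponseTo")} != {request_id}),
        ("audience is not our entity ID",
         a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", None, NS) != audience),
        ("assertion not yet valid", cond.get("NotBefore") is not None and now < ts(cond.get("NotBefore"))),
        ("assertion expired", now >= ts(cond.get("NotOnOrAfter")) or now >= ts(conf.get("NotOnOrAfter"))),
        ("assertion carries no signature", a.find("ds:Signature", NS) is None),
    ]
    return [name for name, failed in checks if failed]
```

The five-minute window between NotBefore and NotOnOrAfter in the sample is why the check takes the current time as a parameter; a clock that is skewed by more than that on either side will cause valid assertions to fail.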