CENTRIFY DEPLOYMENT GUIDE
Google Apps Deployment Guide
Abstract
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.
Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2015 Centrify Corporation. All rights reserved.
Centrify, DirectControl and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, DirectSecure and DirectManage are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Contents
Overview
Prerequisites
Configuring Google Apps
  How to prepare your Google Apps and Google Apps developer account
  Optional: Advanced Google Apps configurations
  Mapping specific Google Apps to Google OUs
    Creating Google OUs
    Mapping Applications to OUs
Configuring Google Apps in CIS
  Configuring Roles for App mapping in CIS
  Optional: Advanced Role mapping – multiple CIS Roles for multiple Google OUs
  Configuring Google Apps in CIS
  Configuring automated account provisioning into Google Apps
  User Provisioning Advanced CIS Role to Google OU mapping
  Enabling Single Sign On in Google Apps
  Provisioning new Users
Configuring Chrome Book
  Prerequisites
  Configure SAML Single Sign-On for Chrome devices
    Overview
    Requirements
    Optional
  Enable IWA Negotiation Uses HTTPS
  Enrolling your Chromebook
Appendix
  How to determine your Primary Google Domain
Overview
Google Apps has become one of the most popular on-demand business software suites on the market, and your organization has taken the plunge to migrate to it. You need to assign licenses to your end users
automatically and give them single sign-on. You are worried about Chrome Book device management and BYOD, and about how to manage all of that for on-premises apps as well as cloud apps. You have a few questions and are looking for answers. Without SSO, user productivity suffers; without Multi Factor Authentication, the risk of inappropriate access increases; and without automated account provisioning and de-provisioning, IT has to manage every account manually.
Fortunately, Centrify Identity Service (CIS) provides a solution. CIS for Google Apps offers a complete, robust, and easy-to-use Active Directory (AD) or CIS Cloud Directory integration with Google Apps, providing a seamless authentication experience for Google Apps users and an intuitive, easy-to-use administrative interface for IT staff to automate the process of on- and off-boarding employees with day one productivity.
With CIS you can ensure that users have seamless access via single sign-on (SSO) and that their Google Apps accounts are created, updated, and deactivated on an integrated cycle with the rest of the systems in IT. Centrify Identity Service integrates with any web application and also enables administrators to:
SSO via SAML or CIS form fill to all Google Apps: Gmail, Docs, Sites, Calendar, Analytics, etc.
Provide secure SSO with Active Directory integration
Automatically provision/de-provision users & apps by Active Directory group
Demonstrate compliance through usage auditing
Increase application ROI with seat-utilization reporting
Secure Application Access via MFA from unauthorized systems or locations
Prerequisites
Your Google Apps account must be a business account, and you must have administrative privileges in Google Apps.
You need your own publicly resolvable domain registered and verified with Google Apps.
Configuring Google Apps
How to prepare your Google Apps account:
These instructions assume you already have a Google Apps account with a verified domain.
Tip: Open the Google Admin Console https://admin.google.com and the CIS Cloud Manager https://cloud.centrify.com/manage in two different browser windows, because you will be switching back and forth.
3. Make sure you have at least one OU within your Organization. If you don’t have an OU, add one by clicking on the three dots next to your domain name and then clicking Add sub organization.
Tip: It is easier if the Organization name you add here matches the Role Name(s) from the CIS Cloud Manager. That allows for consistent Role Mapping in CIS Cloud Manager, and you end up with a 1:1 CIS Role to Google Apps OU mapping.
5. Your screen should look like this.
Optional: Advanced Google Apps configurations
Google Apps lets you configure Organizational Units with different access rights to applications. For example, one group of users has access only to Mail, Calendar and Contacts, while another group has access to Mail, Calendar, Contacts and Google Drive.
Mapping specific Google Apps to Google OUs
Creating Google OUs
NOTE: A Google Apps user can be a member of only one OU. You cannot assign the same user to two different OUs.
To map users to specific apps you first must configure the OUs in Google Apps and assign applications to the OUs as applicable for your organizational structure.
1. Log on to the Google Apps administrative portal https://admin.google.com/AdminHome?fral=1
2. Click on Users
4. Enter a Name for your OU
5. Enter a Description, for example which applications will be assigned to the OU
6. Click Create Organization
Mapping Applications to OUs
1. Click on the three lines next to Users in the upper left corner and click on Apps
There are two ways to configure or restrict access to a specific application.
a) You can turn access OFF at the Master setting and re-enable access at the OU level by overriding the Master setting
b) You can leave the Master setting ON and turn access OFF at the OU level
In our example we turn access OFF at the Master setting and re-enable it at the OU level, which is easier if you have many Organizational Units and only one or two are granted access to a specific application.
4. At the Master setting, turn access OFF by clicking the blue slider button
7. Once you are automatically returned to the OU selection dialog, select the OU for which you want to re-enable access to the application and select Override
10. Confirm the Notification by clicking on Turn On
11. Repeat steps 4 – 10 until all applications are configured
Configuring Google Apps in CIS
Tip: Open the Google Admin Console https://admin.google.com, the Google Developers Console https://console.developers.google.com and the CIS Cloud Manager https://cloud.centrify.com/manage in three different browser windows, because you will be switching back and forth between consoles to copy and paste values.
Configuring Roles for App mapping in CIS
1. Click on Roles
2. Click on Add Roles
4. Click on Members
5. Click on Add
6. In the Add Members dialog search for a User or a User Group
7. Select the User or User Group
Optional: Advanced Role mapping – multiple CIS Roles for multiple Google OUs
To assign specific Google Apps or Administrative rights to selected users or user groups you must create more than one Role in CIS.
1. Click on Roles
2. Click on Add Roles
3. Enter a Name for your Role
5. Select Members in the left menu tree
6. Click on Add
7. In the Add Members dialog search for a User or a User Group
8. Select the User or User Group
10. Click on Save
Configuring Google Apps in CIS
1. Log into the Centrify Identity Service Cloud Manager at https://cloud.centrify.com/manage
2. Click on Apps
3. Click on Add Web Apps
4. In the Add Web Apps dialog search for Google Apps
5. Click on Add for Google Apps SAML + Provisioning
6. Confirm any popup dialogs
8. The Google Apps configuration dialog will open automatically
9. Under Application Settings enter your Primary Google Apps Domain
To find out your primary Google Apps Domain name, refer to the Appendix of this document.
10. Make note of the Sign-In and Sign-out page URLs (copy and paste them into a text document; you will need these URLs later in the Google Apps Enabling SSO configuration)
11. Download the Signing Certificate to your PC. You will need this certificate later in the Google Apps Enabling SSO configuration
13. Click on Save
15. Optionally you can configure Policies for your Application. It is beyond the scope of this document to detail how to configure advanced Policies. Refer to the online help for more details about Policy configuration.
16. Optionally you can configure Account Mapping.
NOTE: Account Mapping is not configurable once Provisioning is configured; it is overwritten when Provisioning is enabled.
Click on Account Mapping to configure how the login information is mapped to the application's user accounts. Here you configure which attribute of the user account in the user store the Centrify Identity Service submits as the username to Google Apps. The default value is “mail”, which means that the Centrify Identity Service uses the email address configured in the user database and submits it as the username to Google Apps. In most cases the default value is used, but the configuration options are as follows:
a. Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on the directory service user attributes. For example, you can specify an Active Directory field such as mail or userPrincipalName.
b. Everybody shares a single user name: Use this option if you want to share access to an account without sharing the user name and password. For example, some people share an application developer account.
c. Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script.
For example, you could use the following line as a script:
LoginUser.Username = LoginUser.Get('mail')+'.ad';
The above script instructs the cloud service to set the login user name to the user’s mail attribute value in Active Directory and append ‘.ad’ to it. So, if the user’s mail attribute value is
[email protected] then the cloud service uses [email protected]. For more information about writing a script to map user accounts, see the SAML application scripting guide.
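The following is an added example, not Centrify's code or the page's own script: it wraps a stand-in for the LoginUser object that account mapping scripts see, so the mapping logic can be exercised offline before it is pasted into Cloud Manager. It assumes that LoginUser.Get(attr) returns the directory attribute value (an empty string when unset) and that LoginUser.Username is the value submitted to Google Apps, which is all the guide's one-line script relies on. Besides the guide's own '.ad' suffix script, it goes one step further with a mapping that rebuilds the address in the Google primary domain and refuses to submit a username when neither mail nor userPrincipalName is usable; the domain and user records are constructed.

```javascript
// Stand-in for the LoginUser object available to Centrify account mapping scripts.
// Assumption (not confirmed by the guide beyond Get() and Username): Get() returns
// '' for an attribute that is not set on the directory record.
class FakeLoginUser {
  constructor(attrs) {
    this.attrs = attrs;   // constructed directory record, e.g. { mail: '...' }
    this.Username = '';   // value that would be submitted to Google Apps
  }
  Get(name) {
    return this.attrs[name] === undefined ? '' : this.attrs[name];
  }
}

// The script from the guide: AD mail attribute with '.ad' appended.
function mapAppendSuffix(loginUser) {
  loginUser.Username = loginUser.Get('mail') + '.ad';
  return loginUser.Username;
}

// Constructed placeholder; use the Primary Google Domain entered under
// Application Settings (see the Appendix for how to find it).
const GOOGLE_PRIMARY_DOMAIN = 'example.com';

// Defensive mapping: Google Apps accounts live in the primary Google domain, so
// take the local part of mail (falling back to userPrincipalName when mail is
// unset) and rebuild the address in that domain. Returns null and leaves
// Username empty when no usable source attribute exists, rather than sending
// a malformed username such as '@example.com' to Google.
function mapToGoogleDomain(loginUser, googleDomain) {
  const source = loginUser.Get('mail') || loginUser.Get('userPrincipalName');
  const at = source.indexOf('@');
  if (at <= 0) {
    return null;
  }
  const localPart = source.slice(0, at).toLowerCase();
  loginUser.Username = localPart + '@' + googleDomain;
  return loginUser.Username;
}

// Usage with a constructed record.
const demoUser = new FakeLoginUser({ mail: 'JDoe@corp.example.net' });
console.log(mapToGoogleDomain(demoUser, GOOGLE_PRIMARY_DOMAIN));  // jdoe@example.com
```

Only the assignment lines (the bodies of the two map functions) would be pasted into the Account Mapping Script field; the FakeLoginUser class exists solely to run the logic locally.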
Configuring automated account provisioning into Google Apps
Make sure you have completed all steps in Configuring Google Apps and prepared your Google Apps account before proceeding.
18. Click on Provisioning
19. Select Enable provisioning for this application
20. Enter your Administrator's email
21. Enter the App Name
22. Enter the Destination. The Destination is your (Primary) Google Domain name.
23. Upload the Service Account Certificate. The Service Account Certificate (P12 key) is generated in your Google Apps Service Account. Refer to the Configuring Google Apps section for how to generate your P12 certificate
24. Enter the password for the P12 Google Apps Service Account Certificate. The default value is notasecret
25. Enter the Service Account ID. The Service Account ID is the email address of your Google Apps Service Account.
Refer to the Appendix for how to create a Google Apps Service account
27. Once verified, additional configuration options become available below the Verify button. Scroll down to configure the account information behavior applicable to your Organization.
When "Overwrite" is selected, account information in the target application is updated (this includes removing data when the target account has a value for a user attribute that is not available from the Cloud). When "Keep" is selected, the Provisioning process does not update (or create) an account in the target application if the target application already has an account with the same principal name.
29. Select the CIS Roles that you want to map to your Google OUs and click on Add. Click Done once you have configured all your Role Mappings
NOTE: Steps 29 – 30 show generic Role mapping. All users will have access to all Google Apps. Steps
30. Click Save
User Provisioning Advanced CIS Role to Google OU mapping
32. Select the CIS Role from the Role dropdown menu
34. Click on Add
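The "Overwrite" versus "Keep" behaviour described under step 27 is easy to misread, in particular the point that Overwrite also clears attributes the Google account has but the Cloud record does not. The following is an added model of those two rules, written for this guide and not Centrify's provisioning code; the attribute list and the records it runs over are constructed, and matching is assumed to be by principal name (the username submitted to Google Apps).

```javascript
// Attributes the model synchronises from the Cloud record to the Google account.
// Constructed for the example; the real attribute set is whatever CIS provisions.
const SYNCED_ATTRIBUTES = ['givenName', 'sn', 'title', 'telephoneNumber'];

// mode:   'Overwrite' or 'Keep', as selected below the Verify button.
// cloud:  the user as the Cloud Directory / AD sees it.
// target: the existing Google Apps account, or null when none exists.
// Returns what the provisioning run would do and the resulting account.
function provision(mode, cloud, target) {
  if (mode !== 'Overwrite' && mode !== 'Keep') {
    throw new Error('mode must be "Overwrite" or "Keep"');
  }
  const exists = target !== null && target.principalName === cloud.principalName;

  if (mode === 'Keep' && exists) {
    // Keep: an account with the same principal name already exists, so it is
    // neither updated nor re-created; whatever Google holds stays as is.
    return { action: 'skipped', account: target, removed: [] };
  }

  if (!exists) {
    // No matching account: both modes create one from the Cloud record.
    const account = { principalName: cloud.principalName };
    for (const a of SYNCED_ATTRIBUTES) {
      if (cloud[a] !== undefined) account[a] = cloud[a];
    }
    return { action: 'created', account, removed: [] };
  }

  // Overwrite: the Cloud record is authoritative. Every synced attribute is
  // taken from the Cloud, and an attribute the target has but the Cloud lacks
  // is removed rather than preserved (the "removing data" case in the guide).
  const account = { principalName: target.principalName };
  const removed = [];
  for (const a of SYNCED_ATTRIBUTES) {
    if (cloud[a] !== undefined) {
      account[a] = cloud[a];
    } else if (target[a] !== undefined) {
      removed.push(a);
    }
  }
  return { action: 'updated', account, removed };
}

// Constructed records: the Google account carries a title the Cloud does not.
const cloudRecord = { principalName: 'jdoe@example.com', givenName: 'Jane', sn: 'Doe' };
const googleAccount = { principalName: 'jdoe@example.com', givenName: 'J.', sn: 'Doe', title: 'Engineer' };
console.log(provision('Overwrite', cloudRecord, googleAccount));  // title removed
console.log(provision('Keep', cloudRecord, googleAccount));       // left untouched
```

The practical consequence for a deployment is that any attribute maintained only in the Google Admin Console is lost on the first Overwrite run, so populate it in the directory first or choose Keep for accounts that must not be touched.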
Enabling Single Sign On in Google Apps
1. Log on to your Google Apps Admin Console
2. Click on Security
4. Copy and paste the Sign-in page URL and Sign-out page URL from CIS Cloud Manager (step 10 in Centrify Identity Service basic Google Apps configuration)
5. Click on Choose file and select the Certificate downloaded in step 7 in Centrify Identity Service basic Google Apps configuration
6. Click Upload
Provisioning new Users
1. Log on to the CIS Cloud Manager https://cloud.centrify.com
5. Click on Roles
6. Select the Role mapped to your Google Apps OU that you want to assign to that newly added user
9. In the Add Members dialog search for the newly added user
10. Select the User
11. Click Add
13. Log out from the CIS Cloud Manager and log back into https://cloud.centrify.com/my using the credentials of the newly added user
14. Click on the Google Apps tile
16. Enter the verification code received from Google
Configuring Chrome Book
Prerequisites
You must have at least one Chrome Book Management License: http://www.google.com/intl/en/chrome/business/devices/
Configure SAML Single Sign-On for Chrome devices
Overview
Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows users to sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your
organization. Their passwords can remain within your organization's Identity Provider (IdP). Signing in is very similar to signing in to a Google Apps account from a browser via SAML SSO with Google Apps. However, because a user is signing in to a device, there are several additional considerations.
Requirements
Chrome device running Chrome OS version 36 or higher
Domain configured for SAML SSO for Google Apps
SAML URL using HTTPS not HTTP
Chrome management licenses
2. Click Chrome management
4. Under Single Sign-On, choose Enable SAML-based Single Sign-On for Chrome Devices from the drop-down menu
5. Click Save Changes
Optional:
To allow Single Sign-On users to log in to internal websites and cloud services that rely on the same Identity Provider on subsequent sign-ins to their Chrome device, you can enable SAML SSO cookies.
Enable IWA Negotiation Uses HTTPS
If you have a Cloud Connector configured, make sure you have enabled “IWA Negotiation Uses HTTPS Port (requires certificate be trusted)”; otherwise the URL returned from CIS starts with http and will not be trusted.
1. Log on to the CIS Cloud Manager
2. Click on Settings
3. Click on Cloud Connector
4. Select a Cloud Connector
Enrolling your Chromebook
Manual enrollment
Manually enroll the device before anyone (including administrators) signs in to the Chrome device. If a user signs in before you enroll the device, the device ignores the Admin console settings, and you must wipe the device and restart the enrollment process.
1. Turn on the Chrome device and follow the onscreen instructions until you see the sign-on screen. Do not sign in yet.
2. Before signing in to the Chrome device, press the key combination Ctrl-Alt-E. The enrollment screen appears.
3. Enter the Google Apps admin username and password, or the username and password of an existing Google Apps user on your account who is eligible to enroll.
NOTE: You can control which users can enroll in your domain through this policy.
4. Click Enroll device. You will receive a confirmation message that the device has been successfully enrolled.
5. At the next prompt, log on to the Chromebook using a Google Apps username and password
6. If you enabled SAML SSO for Chromebooks, the first time you log on you will be redirected to the company’s portal logon page after entering the username, without being prompted for a password. At the company portal page, use the same username and password to log on
7. You now have access to all your Google Apps
Appendix
How to determine your Primary Google Domain
1. Log on to your Google Apps account with an Administrator account
2. In the Admin Console, click on More Controls (more options will appear) and then click on Domains
Contact Centrify
Centrify strengthens enterprise security by managing and securing user identities from cyber threats. As organizations expand IT resources and teams beyond their premises, identity is becoming the new security perimeter. With our platform of integrated software and cloud-based services, Centrify uniquely secures and unifies identity for both privileged and end users across today’s hybrid IT world of cloud, mobile and data center. The result is stronger security and compliance, improved business agility and enhanced user productivity through single sign-on. Over 5000 customers, including half of the Fortune 50 and over 80 federal agencies, leverage Centrify to secure identities.
Learn more at www.centrify.com.
Santa Clara, California: +1 (669) 444-5200
EMEA: +44 (0) 1344 317950
Email: [email protected]
Web: www.centrify.com
Asia Pacific: +61 1300 795 789
Brazil: +55 11 3958 4876
Latin America: +1 305 900 5354