Google Apps Deployment Guide

CENTRIFY DEPLOYMENT GUIDE
Abstract
Centrify provides mobile device management and single sign-on services that you can trust and count on as a
critical component of your corporate identity and access infrastructure. Our thorough approach to availability,
reliability, scalability, security and privacy ensures that you can depend on Centrify as a trusted partner and
provider.
CENTRIFY GOOGLE APPS DEPLOYMENT GUIDE
Information in this document, including URL and other Internet Web site references, is subject to change without
notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses,
logos, people, places and events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Centrify Corporation.
Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the
furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
© 2015 Centrify Corporation. All rights reserved.
Centrify, DirectControl and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, DirectSecure
and DirectManage are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft,
Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
© 2015 CENTRIFY CORPORATION. ALL RIGHTS RESERVED
Contents
Overview
Prerequisites
Configuring Google Apps
    How to prepare your Google Apps and Google Apps Developer account
Optional: Advanced Google Apps configurations
    Mapping specific Google Apps to Google OUs
        Creating Google OUs
        Mapping Applications to OUs
Configuring Google Apps in CIS
    Configuring Roles for App mapping in CIS
        Optional: Advanced Role mapping – multiple CIS Roles for multiple Google OUs
    Configuring Google Apps in CIS
    Configuring automated account provisioning into Google Apps
        User Provisioning Advanced CIS Role to Google OU mapping
    Enabling Single Sign On in Google Apps
Provisioning new Users
Configuring Chrome Book
    Prerequisites
    Configure SAML Single Sign-On for Chrome devices
        Overview
        Requirements
        Optional:
    Enable IWA Negotiation Uses HTTPS
    Enrolling your Chromebook
Appendix
    How to determine your Primary Google Domain
    Contact Centrify
Overview
Google Apps has become one of the most popular on-demand business software suites on the market, and your
organization has taken the plunge and migrated to Google Apps. You need to assign licenses to your end users
automatically and give them single sign-on. You’re worried about Chrome Book device management and BYOD,
and about how to manage all of that for on-premises apps and cloud apps, too. You’ve got a few questions and are
looking for answers. Without SSO, user productivity is greatly affected; without Multi Factor Authentication, the risk
of exposing inappropriate access increases; and without automated account provisioning / de-provisioning, IT has to
manage all accounts manually.
Fortunately, Centrify Identity Service (CIS) provides a solution. CIS for Google Apps offers a complete, robust, and
easy-to-use Active Directory (AD) or CIS Cloud Directory integration with Google Apps, providing a seamless
authentication experience for Google Apps users and an easy-to-use, intuitive administrative interface for IT staff to
automate the process of on- and off-boarding employees with day-one productivity.
With CIS you can ensure that users have seamless access via single sign-on (SSO) and that their Google Apps
accounts are created, updated, and deactivated on an integrated cycle with the rest of the systems in IT.
Centrify Identity Service enables integration with any web application and also enables administrators to:
• SSO via SAML or CIS form fill to all Google Apps: Gmail, Docs, Sites, Calendar, Analytics, etc.
• Provide secure SSO with Active Directory integration
• Automatically provision/de-provision users & apps by Active Directory group
• Demonstrate compliance through usage auditing
• Increase application ROI with seat-utilization reporting
• Secure Application Access via MFA from unauthorized systems or locations
Prerequisites
• Your Google Apps account must be a business account and must have administrative privileges in Google Apps.
• You need your own publicly resolvable domain registered and verified with Google Apps.
• A signed certificate. You can either download one from the Cloud Manager or use your organization's trusted certificate.
Configuring Google Apps
How to prepare your Google Apps account:
These instructions assume you already have a Google Apps Account with a verified domain.
Tip: Open the Google Admin Console https://admin.google.com and the CIS Cloud Manager
https://cloud.centrify.com/manage in two different browser windows, because you will be switching back and forth
between the consoles to copy and paste values.
1. Log on to your Google Apps account as admin
2. Click on Users
3. Make sure you have at least one OU within your Organization. If you don’t have an OU, add one by clicking on
the three dots next to your domain name and then clicking on Add sub organization.
Tip: It is easier if the Organization name you are adding here matches the Role Name(s) from the CIS
Cloud Manager. That allows for consistent Role Mapping in CIS Cloud Manager, and you’ll end up with a 1:1
CIS Role to Google Apps OU mapping.
4. Enter a name for the new OU and click on Create Organization
5. Your screen should look like this.
6. Repeat steps 3 – 5 until all OUs needed have been added
Optional: Advanced Google Apps configurations
Google Apps lets you configure Organizational Units that have different access rights to applications. For example,
one group of users has access only to mail, calendar and contacts. Another group of users has access to mail,
calendar, contacts and Google Drive.
CIS role mapping and automated account provisioning let you map roles from CIS to Google Apps OUs and
automatically provision users into OUs in Google Apps, which assigns an application or a set of applications to the
newly provisioned user. Additionally, CIS integration with Active Directory lets you map AD groups to Roles in CIS.
The benefit is that Active Directory groups are directly mapped to applications in Google Apps, and any user who is
added to the group in Active Directory will automatically have access to the applications assigned to the OU.
Mapping specific Google Apps to Google OUs
Creating Google OUs
NOTE: Google Apps allows a user to be a member of only one OU. You can’t assign the same user to two different
OUs.
To map users to specific apps, you must first configure the OUs in Google Apps and assign applications to the OUs
as applicable for your organizational structure.
1. Log on to the Google Apps administrative portal https://admin.google.com/AdminHome?fral=1
2. Click on Users
3. Click on the three dots next to your root OU and click on Add sub organization
4. Enter a Name for your OU
5. Enter a Description, for example which applications will be assigned to the OU
6. Click Create Organization
7. Repeat steps 3 – 6 until you have created all OUs needed
Mapping Applications to OUs
1. Click on the three lines next to Users in the upper left corner and click on Apps
2. Within the Apps Settings dialog click on Apps
There are two ways you can configure / restrict access to a specific application.
a) You can turn access OFF at the Master setting and re-enable access on the OU level by overriding the
Master setting
b) You can leave the Master setting ON and turn access OFF at the OU level
In our example we will turn access OFF at the Master setting and re-enable access at the OU level, which is easier if
you have a lot of Organizational Units and only one or two are granted access to a specific application.
3. Click on the three dots next to the Application you want to assign to a specific organization and select ON for
some organizations
4. At the Master setting turn access OFF by clicking the blue slider button
5. Click Apply
6. Click Turn OFF
7. Once automatically returned to the OU selection dialog, select the OU for which you want to re-enable access to
the application and select Override
8. Turn Access back on for the single OU by clicking on the slider button
9. Click Apply
10. Confirm the Notification, click on Turn On
11. Repeat steps 4 – 10 until all applications are configured
12. The next step is to map CIS Roles to Google OUs, so that Users who are members of the
CIS role have access to the Apps assigned to the OU they are provisioned into
Configuring Google Apps in CIS
Tip: Open
the Google Admin Console https://admin.google.com,
the Google Developers Console https://console.developers.google.com and
the CIS Cloud Manager https://cloud.centrify.com/manage
in three different browser windows, because you will be switching back and forth between the consoles to copy and
paste values.
Configuring Roles for App mapping in CIS
The first step is to configure Roles in CIS that will be used to grant access to Google Apps and to provision users
into it. Since Google Apps lets you restrict access to certain apps or administrative settings, it is suggested that you
plan at this point how to assign certain Google Apps or administrative rights to roles.
1. Click on Roles
2. Click on Add Roles
3. Enter a Name and Description for your Role
4. Click on Members
5. Click on Add
6. In the Add Members dialog search for a User or a User Group
7. Select the User or User Group
8. Click Add
9. Click Save
Optional: Advanced Role mapping – multiple CIS Roles for multiple Google OUs
To assign specific Google Apps or Administrative rights to selected users or user groups, you must create more than
one Role in CIS.
1. Click on Roles
2. Click on Add Roles
3. Enter a Name for your Role
4. Enter a description for your Role. The Role name does not need to match the Google Apps OU name. For
illustration purposes I used the same name.
5. Select Members in the left menu tree
6. Click on Add
7. In the Add Members dialog search for a User or a User Group
8. Select the User or User Group
9. Click on Add
10. Click on Save
11. Repeat steps 2 – 10 until you have configured all Roles with users assigned and mapped to your Google OUs
Configuring Google Apps in CIS
1. Log into the Centrify Identity Service Cloud Manager at https://cloud.centrify.com/manage
2. Click on Apps
3. Click on Add Web Apps
4. In the Add Web Apps dialog search for Google Apps
5. Click on Add for Google Apps SAML + Provisioning
6. Confirm any popup dialogs
7. Click on Close
8. The Google Apps configuration dialog will open automatically
9. Under Application Settings enter your Primary Google Apps Domain
To find out your primary Google Apps Domain name please refer to the Appendix in this document
10. Make note of the Sign-In and Sign-out page URL (Copy and paste into a text document. You will need these
URLs later in the Google Apps Enabling SSO configuration)
11. Download the Signing Certificate to your PC. You will need this Certificate later in the Google Apps Enabling
SSO configuration
12. Optionally you can use your own Certificate. Upload your own Certificate under Additional Options
13. Click on Save
14. Click on User Access and select a Role or Roles. Members of the Role selected here will have access to
Google Apps if they have a valid account provisioned in Google Apps.
15. Optionally you can configure Policies for your Application. It is beyond the scope of this document to detail how
to configure advanced Policies. Please refer to the online help for more details about Policy configuration.
16. Optionally you can configure Account Mapping.
NOTE: Account Mapping is not configurable when Provisioning is configured, and it is overwritten when
Provisioning is enabled.
Click on Account Mapping to configure how the login information is mapped to the application's user
accounts. Here you configure which attribute field of the user account in the user database the Centrify
Identity Service submits as the username to Google Apps. The default value is “mail”, which
means that the Centrify Identity Service uses the email address configured in the user database and submits
that as the username to Google Apps. In most cases the default value will be used, but the configuration options
are as follows:
a. Use the following Directory Service field to supply the user name: Use this option if the user
accounts are based on the directory service user attributes. For example, you can specify an Active
Directory field such as mail or userPrincipalName.
b. Everybody shares a single user name: Use this option if you want to share access to an account but
not share the user name and password. For example, some people share an application developer
account.
c. Use Account Mapping Script: You can customize the user account mapping here by supplying a
custom JavaScript script.
For example, you could use the following line as a script:
LoginUser.Username = LoginUser.Get('mail')+'.ad';
The above script instructs the cloud service to set the login user name to the user’s mail attribute value
in Active Directory and add ‘.ad’ to the end. So, if the user’s mail attribute value is
[email protected] then the cloud service uses [email protected]. For more
information about writing a script to map user accounts, see the SAML application scripting guide.
17. Optionally on the Advanced page, you can edit the script that generates the SAML assertion if needed. In most
cases, you don’t need to edit this script. It is beyond the scope of this document to detail Advanced SAML
assertion scripting. For more information, see the SAML application scripting guide.
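The account-mapping script from step 16c, exercised offline against a few user records (an added example, not code from this guide or from Centrify). makeLoginUser is a hypothetical stand-in for the LoginUser object, the behaviour of Get() for a missing attribute is an assumption, and all accounts and domains are constructed.

```javascript
// Added example: offline harness for an account-mapping script (run with Node.js).
// makeLoginUser() is a hypothetical stand-in for the LoginUser object that the
// cloud service hands to the script; only Get() and Username appear in the guide.
function makeLoginUser(attrs) {
  return {
    Username: undefined,
    // Assumption: an attribute that is not set on the account yields undefined.
    Get(name) { return attrs[name]; },
  };
}

// The one-line script from the guide, wrapped so it can run against test records.
function guideScript(LoginUser) {
  LoginUser.Username = LoginUser.Get('mail') + '.ad';
  return LoginUser.Username;
}

// Guarded variant: try mail, then userPrincipalName (the two directory fields the
// guide names), normalise the value, and only set Username when the result is a
// single well-formed address in a domain you expect Google Apps to accept.
function mapUsername(LoginUser, options) {
  const suffix = options.suffix || '';
  const allowed = options.allowedDomains.map((d) => d.toLowerCase());
  for (const attr of ['mail', 'userPrincipalName']) {
    const raw = LoginUser.Get(attr);
    if (typeof raw !== 'string') continue;               // attribute missing
    const name = raw.trim().toLowerCase() + suffix;
    const parts = name.split('@');
    if (parts.length !== 2 || parts[0] === '') continue; // not local@domain
    if (!allowed.includes(parts[1])) continue;           // unexpected domain
    LoginUser.Username = name;
    return { ok: true, username: name, source: attr };
  }
  // Username is left unset so the mapping can be rejected and investigated.
  return { ok: false, username: null, source: null };
}

// Constructed sample accounts.
const samples = [
  { mail: 'alice@example.com' },
  { mail: '  Bob@Example.com ' },
  { userPrincipalName: 'carol@example.com' },  // no mail attribute
  { mail: 'dave@partner.example' },            // outside the Google Apps domain
];

function runSamples() {
  return samples.map((attrs) => ({
    guide: guideScript(makeLoginUser(attrs)),
    guarded: mapUsername(makeLoginUser(attrs), { allowedDomains: ['example.com'] }),
  }));
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Under the stated assumption, the unguarded one-liner turns an account without a mail attribute into the username undefined.ad, which is the case worth testing before the script goes live.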
Configuring automated account provisioning into Google Apps
Please make sure you have completed all steps to prepare your Google Apps Account and all steps in
Configuring Google Apps before proceeding.
18. Click on Provisioning
19. Select Enable provisioning for this application
20. Enter your Administrator's email
21. Enter the App Name
22. Enter the Destination. The Destination is your (Primary) Google Domain name.
23. Upload the Service Account Certificate. The Service Account Certificate (P12 key) can be generated in your
Google Apps Service Account. Please refer to the Configuring Google Apps section on how to generate your
P12 certificate
24. Enter the password for the P12 Google Apps Service Account Certificate. Default value is notasecret
25. Enter the Service Account ID. The Service Account ID is the email from your Google Apps Service Account.
Please refer to the Appendix on how to create a Google Apps Service account
26. Click on Verify
27. Once verified, additional configuration options will become available below the Verify button.
Scroll down to configure the account information behavior applicable for your Organization.
When "Overwrite" is selected, account information in the target application will be updated (this includes
removing data if the target account has a value for a user attribute that is not available from the Cloud).
When "Keep" is selected, the Provisioning process will not update (or create) an account in the target
application if the target application already has an account with the same principal name.
28. Under Role Mappings click on Add
29. Select the CIS Roles that you want to map to your Google OUs and click on Add. Click Done once you
have configured all your Role Mappings
NOTE: Steps 29 – 30 show generic Role mapping. All users will have access to all Google Apps. Steps
31 – 37 show multiple role mappings.
30. Click Save
User Provisioning Advanced CIS Role to Google OU mapping
31. To map users to your previously created Google OUs that have specific access rights assigned, click on Add
32. Select the CIS Role from the Role dropdown menu
33. Select the Destination OU in Google Apps from the Destination Organizational Unit dropdown menu
34. Click on Add
35. Click on Done
36. Repeat steps 27 – 31 until you have completed your CIS Role to Google Apps OU mapping
37. Click Save
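One way to review a planned Role-to-OU mapping before saving it, given that a Google Apps user can belong to only one OU (an added example, not code from this guide or from Centrify). The role, OU, app and user names are constructed, and the guide does not say how provisioning resolves a user who matches two mappings, so the script only reports such users.

```javascript
// Added example: check a planned CIS Role -> Google OU mapping (run with Node.js).
// Every role, OU, app and user name below is constructed sample data.

// CIS Role -> members (after AD groups have been resolved to users).
const roleMembers = {
  'Mail-Only': ['alice', 'bob'],
  'Mail-Drive': ['bob', 'carol'],
  'Contractors': ['dave'],
};

// Role Mappings as entered on the Provisioning page: CIS Role -> destination OU.
const roleToOu = {
  'Mail-Only': 'Mail-Only',
  'Mail-Drive': 'Mail-Drive',
};

// Apps overridden to ON per OU, with the Master setting turned OFF.
const ouApps = {
  'Mail-Only': ['Gmail', 'Calendar', 'Contacts'],
  'Mail-Drive': ['Gmail', 'Calendar', 'Contacts', 'Drive'],
};

function auditRoleMappings(members, mapping, apps) {
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const perUser = new Map(); // user -> { ous: Set of OUs, unmapped: roles without an OU }
  for (const [role, users] of Object.entries(members)) {
    const ou = has(mapping, role) ? mapping[role] : null;
    for (const user of users) {
      if (!perUser.has(user)) perUser.set(user, { ous: new Set(), unmapped: [] });
      const entry = perUser.get(user);
      if (ou === null) entry.unmapped.push(role);
      else entry.ous.add(ou);
    }
  }

  const report = { assigned: {}, conflicts: {}, unmapped: {}, unknownOus: [] };
  for (const [user, entry] of perUser) {
    const ous = [...entry.ous].sort();
    if (ous.length > 1) {
      // A user can be in only one OU, so two destinations cannot both apply.
      report.conflicts[user] = ous;
    } else if (ous.length === 1) {
      // Effective app set is whatever is switched ON for that single OU.
      report.assigned[user] = { ou: ous[0], apps: apps[ous[0]] || [] };
    } else {
      // Member of a role that has no destination OU in the mapping.
      report.unmapped[user] = entry.unmapped;
    }
  }
  // Destination OUs with no app settings recorded need checking (for example a typo).
  for (const ou of new Set(Object.values(mapping))) {
    if (!has(apps, ou)) report.unknownOus.push(ou);
  }
  return report;
}

console.log(JSON.stringify(auditRoleMappings(roleMembers, roleToOu, ouApps), null, 2));
```

In the sample data bob is a member of two roles that point at different OUs, so he is listed under conflicts instead of being given an effective app set.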
Enabling Single Sign On in Google Apps
1. Log on to your Google Apps Admin Console
2. Click on Security
3. Click on Setup Single Sign-on (SSO)
4. Copy and paste the Sign-in page URL and Sign-out page URL from CIS Cloud Manager (Step 10 in Centrify
Identity Service basic Google Apps configuration).
Paste the Sign-in URL into both the Sign-in URL and Change Password URL fields.
5. Click on Choose file and select the Certificate downloaded in step 7 in Centrify Identity Service basic Google
Apps configuration
6. Click Upload
7. Click Save Changes
Provisioning new Users
The last step is adding new Users to either Active Directory or the CIS Cloud Directory to be provisioned to Google
Apps. In our example we will focus on the CIS Cloud Directory. If an Active Directory User Group is a member of the
CIS Role that is configured for automated account provisioning, any new user added to the User Group in Active
Directory will be automatically provisioned to Google Apps.
1. Log on to the CIS Cloud Manager https://cloud.centrify.com
2. Click on Users
3. Click on Add User
4. Fill out all the appropriate fields and click Create User
5. Click on Roles
6. Select the Role mapped to your Google Apps OU that you want to assign to that newly added user
7. In the Roles dialog click on Members
8. Click on Add
9. In the Add Members dialog search for the newly added user
10. Select the User
11. Click Add
12. Click Save
13. Log out from the CIS Cloud Manager and log back into https://cloud.centrify.com/my using the credentials of the
newly added user
14. Click on the Google Apps tile
15. If this is the first time you are logging on as the new User you will need to provide a phone number for MFA
16. Enter the verification code received from Google
17. Accept the terms and conditions
18. You are now logged on to Google Apps with a limited set of applications available.
Configuring Chrome Book
Prerequisites
• You must have at least one Chrome Book Management License
http://www.google.com/intl/en/chrome/business/devices/
Configure SAML Single Sign-On for Chrome devices
Overview
Security Assertion Markup Language (SAML) Single Sign-On (SSO) support for Chrome devices allows users to
sign in to a Chrome device with the same authentication mechanisms that you use within the rest of your
organization. Their passwords can remain within your organization's Identity Provider (IdP). Signing in is very similar
to signing in to a Google Apps account from a browser via SAML SSO with Google Apps. However, because a user
is signing in to a device, there are several additional considerations.
Requirements
• Chrome device running Chrome OS version 36 or higher
• Domain configured for SAML SSO for Google Apps
• SAML URL using HTTPS not HTTP
• Chrome management licenses
1. In the Google Admin console, click Device Management
2. Click Chrome management
3. Click User Settings
4. Under Single Sign-On, choose Enable SAML-based Single Sign-On for Chrome Devices from the drop-down
menu
5. Click Save Changes
Optional:
• To allow Single Sign-On users to log in to internal websites and cloud services that rely on the same
Identity Provider on subsequent sign-ins to their Chrome device, you can enable SAML SSO cookies.
• Go to Device management > Chrome management > Device Settings > Single Sign-On Cookie
Behavior. Learn more about this setting
Enable IWA Negotiation Uses HTTPS
If you have a Cloud Connector configured, make sure you have enabled “IWA Negotiation Uses HTTPS Port
(requires certificate be trusted)”; otherwise the URL returned from CIS starts with http and will not be trusted.
1. Log on to the CIS Cloud Manager
2. Click on Settings
3. Click on Cloud Connector
4. Select a Cloud Connector
5. Select IWA Negotiation Uses HTTPS Port (requires certificate be trusted)
Enrolling your Chromebook
Manual enrollment
Manually enroll the device before anyone (including administrators) signs in to the Chrome device. If a user signs in
before you enroll the device, the device ignores the Admin console settings, and you must wipe the device and
restart the enrollment process.
1. Turn on the Chrome device and follow the onscreen instructions until you see the sign on screen. Do not sign
in yet.
2. Before signing in to the Chrome device, press the key combination Ctrl-Alt-E. The enrollment screen appears.
3. Enter the Google Apps admin username and password, or the username and password for an existing Google
Apps user on your account that has eligibility to enroll.
NOTE: You can control which users can enroll in your domain through this policy.
4. Click Enroll device. You will receive a confirmation message that the device has been successfully enrolled.
5. At the next prompt log on to the Chromebook using a Google Apps username and password
6. If you enabled SAML SSO for Chromebooks you will be redirected to the company’s portal logon page the first
time you log on after you enter the username without being prompted for a password. At the company portal
page use the same username and password to log on
7. You now have access to all your Google Apps
By default, devices are enrolled into the top-level user organization of your domain. To enroll a device into a specific
organizational unit, change the Device Enrollment user setting to Place Chrome device in user organization. Also,
if you have a policy set that controls which organizational units can enroll, make sure it’s set so that your desired
users can enroll. Learn more about enrollment controls.
Appendix
How to determine your Primary Google Domain
1. Log on to your Google Apps account with an Administrator account
2. In the Admin Console click on More Controls (more options will appear) > click on Domains
3. Click on Add Remove Domains
4. The Domain listed on the left is your Primary Domain
Contact Centrify
Centrify strengthens enterprise security by managing and securing user identities from cyber threats. As
organizations expand IT resources and teams beyond their premises, identity is becoming the new security
perimeter. With our platform of integrated software and cloud-based services, Centrify uniquely secures and unifies
identity for both privileged and end users across today’s hybrid IT world of cloud, mobile and data center. The result
is stronger security and compliance, improved business agility and enhanced user productivity through single sign-on. Over 5000 customers, including half of the Fortune 50 and over 80 federal agencies, leverage Centrify to secure
identities.
Learn more at www.centrify.com.
Santa Clara, California: +1 (669) 444-5200
EMEA: +44 (0) 1344 317950
Asia Pacific: +61 1300 795 789
Brazil: +55 11 3958 4876
Latin America: +1 305 900 5354
Email: [email protected]
Web: www.centrify.com
Copyright © 2005-2015 Centrify Corporation.