| <body> |
| |
| <center> |
| Google Authentication Adaptor Deployment |
| </center> |
| |
| Starting point (aka Requirements):<br><ul> |
| <li> Have a Google domain that you can administer |
| <li> Have Java JRE 1.6u27 or higher on computer that runs adaptor |
| <li> Get binary (Java jar file) |
| </ul> |
| |
| <br> |
| |
| 4 steps to deployment:<ol> |
| <li> Get your instance of the application a key from Google |
| <li> Administer domain, adding application's key and giving application permissions |
| <li> Configure your adaptor by creating an adaptor-config.properties file |
| <li> Configure your GSA -- including LDAP |
| </ol> |
| |
| <br> |
| |
| Step 1 Alternative A -- Get your instance of the application a key from Google.<br> |
| <ul> |
| <li>Create an API project in the Google APIs Console (https://code.google.com/apis/console/) |
| <li>Select the API Access tab in your API Project, click Create an OAuth 2.0 client ID, and |
| follow the prompts to create an Installed Application Type with required access credentials. |
| At the end of this creation process you should have a Client ID and Client secret. |
| </ul> |
| |
| <br> |
| |
| Step 1 Alternative B -- Use your Google Apps Domain's Client ID and Client secret.<br> |
| <ul> |
| <li> Login to your domain. Goto Advanced tools > Authentication > Manage OAuth domain key |
| <li> Record your OAuth consumer key and OAuth consumer secret. These are equivalent to the |
| Client ID and Client secret. |
| <li> Make sure that the Enable this consumer key checkbox on Oauth consumer key is checked. |
| |
| <br> |
| Note: Alternative B may is simpler than Alternative A, but has been flaky. |
| <br> |
| Note: Allow access to all APIs checkbox doesn't work as expected. |
| </ul> |
| |
| <br> |
| |
| Step 2 -- Administer domain, adding application's key and giving application permission<br> |
| <ul> |
| <li> Login to your domain. Goto Advanced tools > Authentication > Manage third party OAuth Client access |
| <li> Add your new service account as an Authorized API client. Put your Client ID in the Client Name |
| column and put this value for scope: |
| |
| https://apps-apis.google.com/a/feeds/group/#readonly |
| |
| <li>If successful, the scope will have a user-readable name (eg "Group Provisioning"). |
| </ul> |
| |
| <br> |
| |
| Step 3 -- Configure your adaptor by creating an adaptor-config.properties file.<br> |
| <ul> |
| <li>Make a text file, that is named adaptor-config.properties, in the directory that has binary. |
| <li>Here is a model for its contents: |
| <pre> |
| gsa.hostname=sgsa39 |
| server.secure=true |
| google-authn.domain=amazingballoons.com |
| google-authn.consumerKey=Client ID |
| google-authn.consumerSecret=Client secret |
| </pre> |
| </ul> |
| |
| <br> |
| |
| Step 4 -- Configure your GSA<br> |
| <ul> |
| <li>In the GSA's Admin Console, go to Serving > Universal Login Auth |
| Mechanisms > SAML. Add a new mechanism where: |
| <dl> |
| <dt>IDP Entity ID</dt> |
| <dd>Default is <code>http://google.com/enterprise/gsa/adaptor</code>. |
| Can be overridden with config variable: <code>server.samlEntityId</code> </dd> |
| <dt>Login URL<dt> |
| <dd>https://connector-host:connector-port/samlip</dd> |
| <dt>Public Key of IDP</dt> |
| <dd></dd> |
| </dl> |
| <br> |
| Note: Use your adaptor host instead of "connector-host:connector-port". |
| "samlip" is hardcoded and needs to be exactly that. |
| </ul> |
| |
| Step 5 -- Set up Security<br> |
| See the adaptor documentation for setting up an adaptor in "secure mode". |
| |
| <br> |
| in command line: java -jar adaptor-googleauthn-xxxxxxxx.jar |
| |
| |
| <hr> |
| |
| When running, to control logging, use the following logging.properties file: |
| <pre> |
| .level=FINER |
| com.google.gdata.level=INFO |
| com.google.enterprise.adaptor.level=FINER |
| com.google.enterprise.adaptor.googleauthn.level=FINER |
| handlers=java.util.logging.FileHandler,java.util.logging.ConsoleHandler |
| |
| java.util.logging.FileHandler.formatter=com.google.enterprise.adaptor.CustomFormatter |
| java.util.logging.FileHandler.pattern=adaptor.%g.log |
| java.util.logging.FileHandler.limit=10485760 |
| java.util.logging.FileHandler.count=5 |
| |
| java.util.logging.ConsoleHandler.formatter=com.google.enterprise.adaptor.CustomFormatter |
| java.util.logging.ConsoleHandler.level=INFO |
| </pre> |
| |
| </body> |