This page last changed on Sep 02, 2008 by smaddox.
The Google Apps connector is shipped with your Crowd installation. This is a Crowd application connector which allows single sign-on (SSO) to Google Apps. If you wish to activate SSO between Crowd-connected applications and Google Apps, you will need to configure the Google Apps connector as described below.
Step 1. Configuring the Crowd Application, Directory and Group Details
In this step, you will enter the application details for the Google Apps application connector in Crowd. You will manage access to Google Apps by associating Crowd directories and/or groups with the Google Apps application.
To define the Google Apps application details in Crowd,
- Log in to the Crowd Administration Console.
- Click the 'Applications' tab in the top navigation bar.
- This will display the Application Browser. Click the 'View' link next to the 'google-apps' application.
- The 'Application Details' screen will appear, as shown below. If you wish, you can change the 'Description'. Please ensure that the 'Active' checkbox remains ticked.
- Click the 'Directories' tab and select one or more user directories which contain the users who should have access to Google Apps.
- To choose which users within the directory may authenticate against the application, either:
  - On the 'Directories' tab, change 'Allow all to authenticate' to 'True'. This will allow all users in that directory to log in to Google Apps. (The default is 'False'.)
  OR
  - Click the 'Groups' tab and select one or more groups of users, clicking the 'Add' button to add each group you need.
- Click the 'Permissions' tab and set the directory permissions for the application.
- Click the 'Configuration' tab and generate your SSO keys as described in Step 2 below.
Screenshot: Google Apps application details in Crowd

Step 2. Generating your SSO Keys
Now you will ask Crowd to generate a public and a private key for use in authenticating Crowd to Google Apps. (Google Apps calls the public key a 'verification certificate'.)
To generate your SSO keys,
- Still in the Crowd Application Browser as described in Step 1 above, click the 'Configuration' tab for the Google Apps application.
- The 'Configuration' screen will appear, as shown below. Click the 'Generate New Keys' button.
- Crowd will generate a public key and a private key, placing them in the plugin-data\crowd-saml-plugin directory of your Crowd Home. (For more information about Crowd Home, see Important Directories and Files.) When the keys have been generated, you will see a message 'DSA keys successfully generated and stored to disk.'
Screenshot: Configuring the Google Apps connector in Crowd
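
Once the keys are on disk, it is worth checking that only the Crowd service account can read the private key and recording a hash of DSAPublic.key to compare with the copy uploaded in Step 3. The script below is an added example, not part of Crowd or of the original page; it assumes a Unix-like host (POSIX mode bits) and, because this page does not name the private key file, it treats every file in the directory other than DSAPublic.key as private key material.

```python
import hashlib
import os
import stat
import tempfile

# Directory and public-key file name as given on this page.
KEY_SUBDIR = os.path.join("plugin-data", "crowd-saml-plugin")
PUBLIC_KEY_NAME = "DSAPublic.key"


def audit_saml_keys(crowd_home):
    """Return (findings, sha256 of the public key file or None)."""
    key_dir = os.path.join(crowd_home, KEY_SUBDIR)
    if not os.path.isdir(key_dir):
        return ["key directory missing: " + key_dir], None
    findings, fingerprint = [], None
    if stat.S_IMODE(os.stat(key_dir).st_mode) & 0o022:
        findings.append("key directory is writable by group/other")
    names = sorted(os.listdir(key_dir))
    if PUBLIC_KEY_NAME not in names:
        findings.append(PUBLIC_KEY_NAME + " not found (keys not generated, or deleted)")
    for name in names:
        path = os.path.join(key_dir, name)
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if name == PUBLIC_KEY_NAME:
            # The public key may be world-readable, but nobody else should replace it.
            if mode & 0o022:
                findings.append("%s is writable by group/other (mode %o)" % (name, mode))
            with open(path, "rb") as fh:
                fingerprint = hashlib.sha256(fh.read()).hexdigest()
        elif mode & 0o077:
            # Assumption: every other file here may hold the private signing key.
            findings.append("%s is accessible to group/other (mode %o)" % (name, mode))
    return findings, fingerprint


if __name__ == "__main__":
    # Constructed Crowd Home in a temp directory; file contents are placeholders.
    home = tempfile.mkdtemp()
    key_dir = os.path.join(home, KEY_SUBDIR)
    os.makedirs(key_dir, mode=0o700)
    for name, mode in ((PUBLIC_KEY_NAME, 0o644), ("private-key-placeholder", 0o644)):
        with open(os.path.join(key_dir, name), "wb") as fh:
            fh.write(b"constructed sample bytes for " + name.encode())
        os.chmod(os.path.join(key_dir, name), mode)
    findings, fingerprint = audit_saml_keys(home)
    print("public key sha256:", fingerprint)
    for finding in findings:
        print("FINDING:", finding)
```

Call `audit_saml_keys()` with the path of your real Crowd Home to run the check. On a Windows host, review the directory's ACLs instead, since mode bits do not describe access there.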

Step 3. Configuring Google Apps to Recognise Crowd
In this step, you will log in to Google Apps as an administrator and enter the information required for Crowd to authenticate to Google Apps. This information consists of some Crowd URLs and the public key which you generated from Crowd.
To configure Google Apps to recognise Crowd,
- Log in to your Google Apps Dashboard as a Google Apps administrator.
- In Google Apps, go to the 'Advanced tools' tab.
- Click the 'Set up single sign-on (SSO)' link.
- The 'Set up single sign-on (SSO)' screen will appear, as shown below.
- Copy the URLs from the Crowd configuration screen (see above) and paste them into the Google Apps screen.
- Now you will upload the public key which Crowd generated for you in Step 2 above:
  - Still in Google Apps, click the 'Browse' button under the heading 'Verification certificate'.
  - Navigate to the plugin-data\crowd-saml-plugin directory of your Crowd Home.
  - Select the public key certificate (file name DSAPublic.key) and upload it to Google Apps.
- If necessary for your network configuration, set the 'Use a domain specific issuer' checkbox and the 'Network masks' in Google Apps. Please refer to the Google Apps documentation for guidance on these settings.
- Save your changes in Google Apps.
Screenshot: Setting up SSO in Google Apps

Step 4. Verifying that a User can Log in to Google Apps
It is a good idea now to check that your users can log in to Google Apps.
To test a user's authentication to Google Apps,
- Still in the Crowd Application Browser as described in Step 2 above, click the 'Authentication Test' tab for the Google Apps application.
- Enter a user's login details and verify the login. For more details, you can refer to Testing a User's Login to an Application.
Congratulations! You have now configured Crowd for SSO with Google Apps.
More Information about the Google Apps Connector
Deleting the Keys
Once you have generated the keys, a 'Delete Keys' button will appear on Crowd's configuration screen. Click this button to remove the keys from the Crowd Home directory. This will disable SSO with Google Apps.
The Ins and Outs of SSO with Google Apps
- Single sign-on (SSO) applies only to the applications within Google Apps. The Google Apps administration section (control panel) does not support SSO.
- When you sign out of Google Apps, you will also be signed out of Crowd and all Crowd-connected applications. This is the usual SSO behaviour.
- But when you sign out of Crowd, you will remain logged in to Google Apps even though you will be logged out of other Crowd-connected applications. (Reason: Google does not rely on a cookie, so there is no easy way for Crowd to tell Google you have signed out.)
It would take some additional development to support single sign-out from Google Apps. If you would like to see this work undertaken, please vote for issue CWD-1238.
- If you go directly to a Google Apps application without logging in to Crowd, Google Apps will direct you to a Crowd login screen.
- The Crowd login screen for Google Apps will not offer a 'Forgotten your password' link. You cannot change your Crowd password via Google Apps. Instead, if you need to change your password, please log in to Crowd directly by going to this URL: http://YOUR-CROWD-LOCATION:8095/crowd/
Usernames must be the Same in Google Apps and Crowd
Usernames must exist in Google Apps as well as Crowd and a person's username must be the same in both Google Apps and Crowd. The Crowd Google Apps connector does not support the automatic adding of users. If a user exists in Crowd but not in Google Apps, then the user will not be able to log in to Google Apps.
An Example of Google Apps SSO in Action
Here's one example of how it might work:
- John raises an issue in JIRA. In the issue description, he adds a link to a Google Apps document containing more details.
- He assigns the issue to Sarah.
- Sarah clicks the link and opens the document directly in Google Apps. No need to log in again, no need to remember a different password.
