Chromebook SSO with NAM


Introduction


Google Chromebooks are gaining popularity, especially among educational institutions, for several reasons: Google offers discounted subscriptions to educational institutions; device management through the Google Admin Console is simple and gives tight control over devices; Google provides a complete suite of services for an organization (Mail, Google Drive, Calendar, Messenger, etc.); and redistributing a Chromebook is easy with Powerwash, which deletes all local data and returns the device to its factory state.

Google Apps services are SSO enabled and can be federated with an organization's identity provider, which keeps user credentials inside the organization. Once signed in, an SSO user can access all of these services from his or her Chromebook.

A Chromebook is a device managed by the organization's administrator, so that a controlled environment can be created and security and access policies can be applied to the device. For more on enrolling and managing devices, see the following link: https://support.google.com/chrome/a/answer/1360534?hl=en

Solution


Enable federation between NetIQ Access Manager (NAM) and Google Apps for Work. A user who has authenticated to the organization's IDP can then access Google Apps for Work without re-entering credentials. The same federation is used to enable SSO on a Chromebook or other Chrome device.

SSO on managed devices is enabled with the following steps:

  1. Enable SSO in Google Apps: https://support.google.com/a/answer/60224?hl=en

  2. Create the federation between NAM and Google Apps.
     The IDP SSO endpoints are listed in the NAM SAML2 metadata; follow step 1 of the Google document linked above.

  3. Export the signing certificate from the IDP and upload it in the Google Apps SSO settings.
     To export the certificate, go to Security -> Certificates, select the certificate and export it to local disk.
     The "Google Apps Sample Metadata" section below in this document provides sample Google Apps metadata for reference.

  4. Create a test user in the organization and the same user in Google Apps.

  5. Test Google Apps SSO by accessing https://mail.google.com/a/<YOUR DOMAIN REPLACE HERE>

  6. Once SSO succeeds, continue with the following steps to enable Chromebook SSO. (The following setup is not required for the latest Chromebook versions.)
     Download the file attached to this cool solution and extract it to a temporary folder. Download: chrome_book_SSO.zip

  7. From the extracted folder, copy the JSP files to the IDP at "/opt/novell/nam/idp/webapps/nidp/jsp".
     Back up the JSP files of the same names before overwriting them.

  8. If you have a custom login page, read the "Login JSP changes" file and apply those changes to your custom login page. The JSP files other than chrome.jsp can simply be copied to the IDP (chrome.jsp is the login page).

  9. Sign in to the Chromebook, enter the user's email address and click submit; this loads the IDP login page.

  10. Enter the credentials on the IDP login page and submit.

  11. Chromebook SSO succeeds and the user is logged in.

After a successful authentication on the Chromebook, the device is set up for offline use, such as unlocking the device or offline login.

Additional Notes

  • The recommended Chrome OS version is 42 and above (tested with Chrome OS 42).

  • Tested setup: Chrome OS 42 and NAM 4.0.1 HF3.

  • To remove iFrames from the NAM authentication process, add the following properties to the authentication method used in NAM:
    • MainJSP=true
    • JSP=chrome (the name of the login JSP)

  • After selecting Google Apps as the service provider under SAML2 service providers, modify the metadata pasted into the NAM UI field "metadata text" as follows:
    • Change the EntityID value from "google.com" to "google.com/a/YOURDOMAIN"
    • Replace the string "YOURDOMAIN" with your Google Apps domain (e.g., www.testgoogleapps.com)




Google Apps Sample Metadata

<EntityDescriptor entityID="google.com/a/www.testgoogleapps.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/www.testgoogleapps.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

Comment List

Anonymous
• I was reading your "Chromebook SSO with NAM" and successfully implemented the solution with a Chromebook. However, we have the following doubt, which I would appreciate it if you could help me with:

  After the first login to the Chromebook, how is the password synced to it? I mean the process that makes the next offline logins possible; is it something chrome.jsp does?

  And my second question is, why is it not required to implement the chrome_book_SSO.zip file on the latest Chromebook?

• One of our engineers responded as follows:

  chrome.jsp initiates and adds by calling google.principal.initialize and google.principal.add.

  saml2post.jsp completes the process by calling google.principal.complete.

  All the other magic is in the "js" file; follow https://www.chromium.org/administrators/advanced-integration-for-saml-sso-on-chrome-devices

  He is not so sure about the second answer, but his guess is that the new OS supports saving these credentials out of the box.

  Hope this helps!


