Introduction

Google Chrome book is gaining popularity especially among education institutes for various reasons. Some are, Google offers subscription at discounted cost for educational institutes. Google Admin Console Device management is simple and easy to control devices. Google provides number of services includes Mail, Google Drive, Calendar, Messenger, etc., as complete suite of services for an Organization. Redistribution of Chromebook is easy with powerwash, this deletes all data and reinstate the device as new.

Google Apps are SSO enabled services, and provides way to enable federation with Organization Identity Providers. Which gives advantage of securing credentials to inside Organization. SSO user can access all these services with in his/her Chromebook.

Chromebook is managed device by Organization administrator in order to created controlled environment and to apply security and access policies on device. To know more about managing and enrolment of device please visit following link. https://support.google.com/chrome/a/answer/1360534?hl=en

Solution

Enable federation between NetIQ Access Manager and Google apps for work. User authenticated to organization can access Google apps for work without re-entering credentials. Same federation will be used to enable SSO with Chromebook or Chrome Device.

Managed devices SSO can be enabled with following steps:

1. Enable SSO at google apps https://support.google.com/a/answer/60224?hl=en

• Create federation between NAM and Google Apps
  
  
  
  1. IDP SSO end points are available with NAM saml2 metadata and follow google docs (above URL link step 1)
  
  
• Export signing cert from IDP, and upload to google apps SSO settings
  
  
  
• To export cert, go to Security -> certificates and select cert and export to local disk.

• Do enable federation at NAM by adding Google Apps as SAML2 service provider. Check the following resource links for help.
  
  Cool solution:
  
  https://www.netiq.com/communities/cool-solutions/integrating-google-apps-and-novell-access-manager-using-saml2/
  
  Netiq Access Manager Documentation:
  
  https://www.netiq.com/documentation/netiqaccessmanager4/identityserverhelp/data/b13r8b0p.html
  
  Note: Modify following from metadata filled in to NAM UI filed metadata text after selection Googleapps as service provider under saml2 service provider add.
  
  
  
  • EntityID value change from “google.com” to “google.com/a/YOURDOMAIN”
  
  
• Change “YOURDOMAIN” string with Google Apps domain (e.g., www.testgoogleapps.com)

Google Apps SAMPLE Metadata section below in this document will provide sample Google Apps Metadata for your reference.

• Create test user at organization and same user at Google Apps

• Test Google Apps for SSO by accessing https://mail.google.com/a/<YOUR DOMAIN REPLACE HERE>

• On successful SSO now start doing next steps to enable Chromebook SSO

• following setups no required for latest version chormebookDownload the file with this cool solution and extract it to a temporary folder.Download: chrome_book_SSO.zip

• From extracted folder copy JSP files to IDP at “/opt/novell/nam/idp/webapps/nidp/jsp” location.
  Make sure to take a backup of same name JSP files before over-write.

• If one had custom login page, do read “Login JSP changes” file. And modify yours custom login page. Other than chrome JSP simply copy to IDP. (chrome.jsp is login page)

• Sign-In to Chromebook, enter user email address and click submit, this loads IDP login page.

• Enter credentials on IDP login page and submit

• Chromebook SSO will be successful and user is logged in.

Now on successful authentication Chromebook, it is set for offline usage like unlock device or offline login.

Additional Notes

• Recommended Chromebook version is 42 and above ( tested with Chrome OS 42 )

• Tested setup is Chrome OS 42 and NAM 4.0.1HF3

• In the process of NAM authentication want to remove iFrames, do add following properties with authentication method one used in NAM
  
  
  
  • MainJSP=true
  
  
• JSP=chrome ( this one is login JSP name)

• Modify following from metadata filled in to NAM UI field “metadata text” after selection Google Apps as service provider under saml2 service provider.
  
  
  
  • EntityID value change from “google.com” to “google.com/a/YOURDOMAIN”
  
  
• Change “YOURDOMAIN” string with Google Apps domain (e.g., www.testgoogleapps.com)

Google Apps Sample Metadata

<EntityDescriptor entityID="google.com/a/ www.testgoogleapps.com " xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress  </NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/www.testgoogleapps.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

Resources

• https://www.netiq.com/communities/cool-solutions/integrating-google-apps-and-novell-access-manager-using-saml2/

• https://www.netiq.com/documentation/netiqaccessmanager4/identityserverhelp/data/b13r8b0p.html

• https://support.google.com/chrome/a/answer/1360534?hl=en

• https://support.google.com/a/answer/60224?hl=en

• https://support.google.com/chrome/a/answer/6060880?hl=en

• https://www.chromium.org/administrators/advanced-integration-for-saml-sso-on-chrome-devices