More and more schools and organizations are taking advantage of sign-in tools from Microsoft Azure and Google for their authentication needs. These cloud-based services are often easier to manage than in-house systems, and don’t require any on-premise equipment. And with the increase in web services supporting logins from Google and Microsoft, there seems to be no downside.
But of course, there are downsides. Proprietary lock-ins and privacy concerns are two big ones. Going forward, Cybera will be talking more on the privacy aspects of using cloud services in this manner. In this post, we’ll tackle the lock-in issue.
Microsoft’s Active Directory has always supported Lightweight Directory Access Protocol (LDAP). LDAP is an industry-standard centralized user database. You’d be hard-pressed to find an application that doesn’t support LDAP, which means Microsoft’s Active Directory has become an almost universal choice for centralized authentication.
Google’s G Suite and Education services have also grown increasingly popular over the years. While they have robust support for OAuth2 — a common open protocol for web-based authentication — it wasn’t possible to use Google with LDAP. That is, until now.
Google recently announced that it has begun supporting LDAP connectivity. The only caveat is that you must use Google’s Cloud Identity premium service.
Let’s take a look at how to set up Google Secure LDAP…
[Why are we talking about Google Secure LDAP? Because Cybera’s Pika Federation service is technology neutral, which means it will work with several authentication mechanisms used in schools, including Google’s LDAP. Click here for more information about the Pika Service.]
Configure the Google Secure LDAP
-
Log in to the Google Admin panel through your Firefox or Chrome browser
https://admin.google.com
- Once logged in, go to Apps
- Under the Apps settings, choose ‘G Suite‘ core services
- In top right corner of the list, select ‘ADD SERVICES‘
-
Search for Cloud Identity Premium and add it to your services
Please note the following:
- The premium service is a paid service, but Google provides a free 14 day trial.
- Google automatically assigns a Cloud Identity Premium account to all new users. You therefore may want to manually assign a specific group with this privilege.
- Go back to the Apps. The new LDAP window will be shown on the list
- Click on the LDAP window and then ADD CLIENT to enable the federation integration
-
Specify the name of the client, ex. dev.pika
-
Choose the settings for your LDAP Directory Information Tree (DIT)
It is important to determine the default access to the whole domain in DIT, or specify a unique organizational unit (OU) that the client will use to identify all the users who are allowed access to the client.
- Select Add LDAP client to finish the configuration
- Google Identity Service will provide the authentication certificate, which can be used with the client for authentication
- Next, the set of access credentials needs to be to communicated with the Secure LDAP service
- Go back to the LDAP window and click on freshly defined client settings
- Enable the service status by flipping the Status switch to ON.
This concludes the set up of the LDAP secure service
Manage users’ access to Secure LDAP Service
To make users visible in the LDAP service integration, there are a few things to be aware of. The user needs to:
-
Have the Cloud Identity Premium license assigned
This can be enabled in the Google Admin/Users/
/Licenses window
-
Be part of the Organizational Unit, which is part of the client integration
This can be changed in the Google Admin/Users/
/More(…)/Change Organizational Unit
Conclusion
This post detailed how to set up Google’s new LDAP support for its Identity Services. While we always advocate caution when hosting identities in the cloud, Google’s LDAP support brings better compatibility to existing and on-premise services that it offered before, so is worth trying out.