
Updated 3/1/2012


A question:

Has anyone integrated Google Gmail with Active Directory for a Single Sign On or password transparency? We are in the migration stage of provisioning accounts to Google, but I am wanting to know what others are doing to make the sign-on process easier for staff.

A few responses that are worth checking out, including ones from folks I’ve anonymized but who may want to speak up in the comments since I know they read this blog:


From Google’s Becky Evans:

Passwords are stored in Active Directory in a proprietary way and our GADS tool isn’t able to read them. There are a couple ways to work around this.
1) Save passwords as plaintext, hash them in sha-1 or hash in md5 in another field in your AD. Sync this password field with Google Apps.
2) Sync passwords using a 3rd party tool. I’ve worked with a few districts that have used these partners to sync passwords.
Auth Magic, SSO Easy

Others:

Google Apps will not sync passwords with AD. You need to use SSO or some other type of third party.



and

For our students we ended up linking their AD credentials to Google Apps through Moodle (there are a few others on this list who have experience with this as well). Our Moodle is linked to AD, and then you can use SSO between Google Apps and Moodle. The issue (based on my limited knowledge of the situation) is with the password encryption in AD. There are issues (or it just isn’t possible) to extract the password from AD with the account. The downside (or upside depending on how you look at it) is you have to log in to Moodle first. Once inside Moodle there is a block (in the sidebar) with links to your Google Apps tools. You click on those links and it takes you right into the tool without having to log in.

We are actually looking at trying to have all our passwords created in our SIS, and then sync’d to AD from there (via SIF). That way we can export account/password information directly from the SIS and sync it to third party systems. We would also (in theory) be able to provide access for both teachers to look up their students’ passwords, and parents to look up their child’s username/password information (thinking about parents wanting to monitor Gmail). The password could be reset in the SIS, and then the change would flow out to AD, and our other third party systems. We are expecting this to help circumvent some of the AD extraction issues.


and

Google is changing some things about Apps for Ed accounts that will allow logging into integrated SSO accounts without having to use the links inside Moodle. The change is optional at the moment and will be rolled out to everyone else in a short time. It will still send you to a Moodle login page and then back to Google automatically.

In the meantime you can copy the URL from the Google Block in Moodle and create a shortcut or bookmark anywhere and the Google administrator has access to other tools for Apps Application shortcuts on the desktop. In Google Chrome (best browser for Apps), once you are in your Google Apps folder, any user can use the Tools menu to Create application shortcuts… – a great feature for any frequently used site that you don’t need tabs or other browser tool icons for.

Until Google forces the change, a work-around for many Google links outside your domain is to insert “/a/yourdomain.edu/” into the URL immediately after the “[docs.]google.com”.

A follow-up question about the security of porting Active Directory passwords to external vendor systems garnered this response from Rusty Meyners:

For what it’s worth, the Moodle-Google SSO system does not share a password with Google but rather, Moodle login gives Google the green-light for the authenticated account and Google trusts Moodle to do so, without asking for password. In this situation, once you are logged into Moodle, you are also logged into Google, whether you choose to go there or not.

Using the Moodle Login-As feature, a Moodle administrator can then access the Google account of someone in their domain, whether or not they are also a Google administrator for their domain – meaning if you give a teacher or parent Moodle “Login-As” privileges, you are also giving them access to the entire Google account. Be aware that much of this appears to be accomplished with cookies, so if you get “stuck” in the wrong account, close and reopen the browser & if necessary empty the cache.

Here is a link to some important info about changes to Google Apps for Education accounts. These changes will add features and better distinguish between personal “consumer” and Ed domain accounts.

http://www.google.com/support/accounts/bin/answer.py?answer=181963

The exchange took place on a Texas-wide email list for technology directors.
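
The trust relationship Rusty Meyners describes above, modeled as an added example (not code from the original post, Moodle or Google): the identity provider signs a short-lived assertion naming the session's effective user, and the service provider accepts it without ever seeing a password. The HMAC shared key stands in for SAML's XML signature, and the session fields, the `allow_impersonated` guard and the audience string are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Constructed key shared by the model IdP and SP. Real SAML signs the
# assertion with the IdP's private key (XML signature), not an HMAC.
IDP_KEY = b"constructed-demo-key"

def _sign(payload: bytes) -> str:
    return hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()

def idp_issue_assertion(session: dict, audience: str, now: float,
                        allow_impersonated: bool = True) -> str:
    """IdP side (Moodle's role): vouch for the session's effective user."""
    impersonated = session.get("real_user") != session["user"]
    if impersonated and not allow_impersonated:
        # Hypothetical guard: no SSO hand-off from a Login-As session.
        raise PermissionError("impersonated session; refusing SSO assertion")
    claims = {"sub": session["user"], "aud": audience, "exp": now + 300}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body)

def sp_accept(token: str, audience: str, now: float) -> str:
    """SP side (Google's role): trust the signature; no password involved."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, _sign(body.encode())):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["aud"] != audience or claims["exp"] < now:
        raise ValueError("wrong audience or expired")
    return claims["sub"]

def demo(now: float = 1_000_000.0) -> dict:
    aud = "google.com/a/yourdomain.edu"  # constructed audience value
    normal = {"user": "student1", "real_user": "student1"}
    login_as = {"user": "student1", "real_user": "teacher9"}  # Login-As
    out = {
        "normal": sp_accept(idp_issue_assertion(normal, aud, now), aud, now),
        # The SP sees the same subject; it cannot tell who is really driving.
        "login_as": sp_accept(idp_issue_assertion(login_as, aud, now), aud, now),
    }
    try:
        idp_issue_assertion(login_as, aud, now, allow_impersonated=False)
        out["guarded"] = "issued"
    except PermissionError:
        out["guarded"] = "refused"
    return out

if __name__ == "__main__":
    print(demo())
```

Because the service provider only ever sees the asserted subject, any restriction on impersonated sessions has to be enforced on the identity-provider side, and Login-As grants should be audited as if they were grants to the downstream accounts.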








Everything posted on Miguel Guhlin’s blogs/wikis is his personal opinion and does not necessarily represent the views of his employer(s) or its clients.
