Luminis IV GMail SSO
Hello,
In the past we developed some code to do single sign on into GMail from Luminis via SAML. Since many schools have already asked for the source code we thought we should post it on lumdev as well in case anyone else is interested. You'll find an attached zip file with all of the code and instructions about where to put files.
A couple of points you need to be aware of:
- The attached zip is only for Luminis IV users. While we also have a Luminis III version it is out of date at this point. There is at least one school out there who may have made updates to it to get it working though.
- You will need to contact Google, if you haven't already, and send them the pre-shared private key. You will be encrypting the token on your end and they will be decrypting the result on their end.
- If you are running parallel deployment, you'll need to put all of the code changes on both web tiers.
- Make sure to change any references from our mail servers ("pride.hofstra.edu") to yours.
If you have any questions or anything in the documentation is not clear please let us know. Also if you made any improvements to this also let us know!
-Kevin
EDIT - 10/21/2009 - Thanks to Mike (mrose) from Ventura Community College for sending over his updates and enhancements to the base code. Feel free to take a look, the file is attached as "vcccd_lum4_saml.zip"
EDIT - 10/18/2010 - Mike (mrose) from Ventura Community College sent over a revision for his enhancements! The zip he originally uploaded has been replaced.
EDIT - 05/31/2011 - This weekend we just upgraded to Luminis 4.3.0.44 and JDK version 1.6.0_24 (64 bit) and we noticed our Google SSO broke. It turns out that this version of Java natively includes the xml security libraries. This would be good, however it is an older version that is not compatible with SAML 2.0. To fix this you need to do the following 3 items:
- Create a directory: $JAVA_HOME/jre/lib/endorsed
- Copy the following 2 files from your $CP_ROOT/webapps/luminis/WEB-INF/lib folder to that endorsed folder: "xmlsec.jar" and "xmldsig.jar"
- Update your $CP_ROOT/.cprc file to include this line:
JAVA_ENDORSED_DIRS=$JAVA_HOME/jre/lib/endorsed
Then in the same file export the variable:
export JAVA_ENDORSED_DIRS
I can't take credit for this find. Luckily, very early in the morning a Google search helped me find a post by "JaMmeR" at this link. Gotta love upgrades!

Thank you
Thank You for this!!!
Many Thanks
We are using this code (modified slightly) and it works great! I'm not sure if I ever properly thanked you Hofstra folks, so I'll take the opportunity now - THANK YOU!
---Mike
Ventura County Community College District
Ventura Implementation
Hi Kevin,
I recently packaged up our SAML implementation for another school and thought it might be worth posting on LumDev. Seems to me that the best place to put it would be on this post, but I can't upload. If you'd like to post it here, email me and I'll send it to you. mrose [at] vcccd.edu
Changes we made:
---mike
Immutable ID
Jerome from Community College of Philadelphia pointed out that the VCCCD code authenticates against the luminis Immutable ID. I'm guessing we're in the minority in this respect because usually the Immutable ID is a pretty ugly, useless ID. For a variety of reasons, we have our Immutable IDs set to the Banner Third Party ID. I believe this is more akin to the way Luminis 3 operated. This is accomplished using the following configman setting:
However, if you would like to change the SSO to use the luminis login name, you can change the following code in ProcessResponseServlet.java:
Line 273 reads:
username = (String)i.getAttribute("username");
Change to:
username = (String)i.getAttribute("urn:sungardhe:dir:loginId");
HTH,
---mike
Looks good
We went the CPIP route this past May. We had the additional requirement to sync the SHA-1 hashed credentials with Google so that IMAP would work. Does your LuminisPerson object expose the cached password of the Luminis user?
--
David McMillan
The University of Alabama
Passwords
We don't store portal passwords at Google. Using SAML as an SSO methodology (instead of CPIP in this case) means you are telling Google that this user is authorized to access this account; passwords never enter the picture.
Specifically, I don't believe we can access passwords through iPerson, but I understand why you would want this for synchronizing IMAP credentials. We aren't doing this currently, but we have considered doing it by provisioning the IMAP credentials for a user when their portal account gets provisioned (using the SAML provisioning API) and then keeping synchronization by triggering the same API during portal password resets (there are some complications to this that are specific to our environment, which is why we haven't done so to date).
Brian
SAML with CPIP
We are in fact using SAML so that we don't have to authenticate with the password. We are only sending the hashed password to Google via the API for IMAP. I had to use AuthToken for this to keep from getting Captcha errors. Our SAML code has code to detect CPIP sessions so that it effectively bypasses the login page if you have arrived from the portal.
Direct:
mail.ourdomain.edu (google hosted) -> local SAML login -> mail.ourdomain.edu
Portal:
/cp/ip/login?sys=googlesso -> mail.ourdomain.edu -> local SAML login (with cpip sso detection) -> mail.ourdomain.edu
--
David McMillan
The University of Alabama
Google Passwords and SAML
We're using the Hofstra google saml code and ran into the same problem. Our work around was to alter the My Accounts screen with a google password reset form that uses the google apps data api. This way our students can set their google password to whatever they want in order to use IMAP, mobile devices, etc.
---Mike
Ventura County Community College District
Could this help for me !!!
Hi Kevin,
Greetings !!!
I am a newbie in research over SSO. We have an educational group with more than 25,000 students. We need to give them email access (Gmail accounts) through our website, which is built on open source PHP. Can this code help me out in implementing SSO between our web site and Google Apps?
Please let me know if this could help me. If not, please tell me what sort of solution will help me in doing this.
Thanks,
Jitendra
Hi Jitendra, I'm not sure
Hi Jitendra,
I'm not sure that this code will help you much. It was developed for the Luminis Portal which is JSP/java based and not PHP. However google does provide information on how to do saml authentication via php:
http://code.google.com/apis/apps/libraries_and_samples.html
Also check out this link for more information on saml auth:
http://code.google.com/apis/apps/sso/saml_reference_implementation.html
Keep in mind you'll need to work with Google to get this set up anyway so contact your rep before writing any code.
Good luck!
-Kevin
Contacting Google
Hi Kevin,
I like your idea of gmail. Could you tell me how you contacted the google and got the key information.
Thank You
Gomathy
Hi Gomathy, Sorry I didn't
Hi Gomathy,
Sorry I didn't get back to you sooner. I didn't see your post come into my e-mail. I know this is a little late, but for anyone else looking into this: I wasn't involved in the initial contact with Google, but I was given contact information for a rep at Google, so if you just contact Google in general they can direct you. I basically worked through him to set it all up. If I remember correctly we generated a DSA public/private key set and sent it to them. I found some code I wrote a long time ago for generating the public/private keys. I'll attach it to the source message. Make sure you have JRE 1.5+.
Did you ever get your google implementation running?
-Kevin
SSO + ability to login to google directly
Kevin & Mike,
Thanks for sharing! I took a look at both of your code and install notes. ...I'm hoping I can get this to work for us.
The VCCCD notes indicate that once STEP 7 is implemented: "WARNING: After these changes are made, non-admin google users will ONLY be able to login via the luminis SAML solution."
Is this true for both the Hofstra and VCCCD implementations? https://www.google.com/a/my.vcccd.edu/ and https://www.google.com/a/pride.hofstra.edu/ still gets you a google login screen.
Is there a way to configure the SSO so that a user can login to google directly AND via the luminis SSO? Or do you know of another google SSO that lets you login both ways?
Thanks...Ginny Lee/Colorado School of Mines
Re: Login
Hi Ginny,
I can't speak for Hofstra, but for VCCCD it is true. If I log into the link that you gave using a normal student account I get the message "Error: This account is not an administrator, please log in to an administrator account".
The link we use for students is: http://mail.google.com/a/my.vcccd.edu (direct to Gmail). When this link is clicked, they no longer see the Google login, but our Luminis login instead (unless they are logged in already). We also have an easier address configured for mail: http://mail.my.vcccd.edu .
I should note that we have all other Google services turned off. At this point, we are only offering email to students through Google. We plan to revisit other Google services later. That may affect the URL you used above, I'm not sure.
---mike
Thanks
Mike,
Thanks for the info... I think what I need to do is to write a basic GCF SSO instead of the SAML SSO. That way folks can login either way.
--Ginny
Did the GCF method allow login both ways?
Ginny,
Did you end up going with GCF? if So did it allow login to google apps via the login page and not just SSO?
Thanks,
Seth
Corning Community College
GCF
Seth,
Sorry... haven't logged into Lum Dev in a while. I haven't gotten around to doing our Gmail SSO... but David McMillan/U Alabama (see more posts below) appears to have implemented an SSO that allows access to Gmail both thru Luminis and directly... when I finally get around to it, I'll look (or ask David McMillan) for David's notes.
--Ginny
GCF
Seth,
Sorry I haven't logged into lumdev in a while...
I haven't gotten around to implementing our Gmail SSO yet... I believe that David McMillan/U Alabama has implemented a Gmail SSO that allows login directly and thru Luminis... This is the route I'll try to take...
--Ginny Lee
Colorado School of Mines
Login directly to Google and SSO via Luminis
We also want to have the ability for our students to be able to log into Google directly, as well as via Luminis. Has anyone out there been successful in setting this up?
Thanks!
Christine
Direct and Portal logins
Christine,
As Ginny noted in an earlier post, I wrote a CPIP-style connector that we've been using since March of 2009 that allows logins from the portal and also supports direct logins. We direct all users to our Google domain, and Google will redirect to the SSO site. Our SSO site will attempt to fetch a cookie from the user's session that will only be present if the user initially came from the portal CPIP, which sets the cookie before the redirect to the Google domain.
If the cookie exists, a session lookup is made against an in-memory hash table. The userid and credential are retrieved and used to verify against LDAP and, if valid, the user will be directed to the domain.
If the cookie does not exist, the user is presented with a login page that will then verify against LDAP, and the user is passed to the Google domain if valid.
We probably don't need to check against LDAP again if they have the "portal" cookie since they've authenticated at the portal, but we are using other Google APIs to send the SHA-1 hash to the Google account so that IMAP will work correctly without making the users set another password.
This comes in handy when we want to bring down the portal for patching but still allow students to log in to Gmail. We also have the app load balanced with a fail-over site ready to take requests if the main site becomes unavailable.
--
David McMillan
The University of Alabama
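The portal-to-SSO-site handoff David describes above (a cookie set by the portal CPIP, looked up in an in-memory table on the SSO site, then re-verified against LDAP), written out as an added example. This is not the Alabama connector or any code from this thread; it is a Python sketch with hypothetical names. It assumes the cookie carries only an opaque random token, that entries expire after a short TTL and can be redeemed once, and it stands in for the LDAP bind with a constructed table of salted SHA-1 digests.

```python
"""Handoff-token store for the portal -> SSO-site hop (added example, hypothetical names)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 60  # the hop to the Google domain and back takes seconds, not minutes


@dataclass
class HandoffEntry:
    user_id: str
    credential: str
    expires_at: float


@dataclass
class HandoffStore:
    """In-memory table: opaque random token -> (user_id, credential, expiry).

    The token is the only thing that goes into the browser cookie; user id and
    credential stay server-side, as in the in-memory hash table described above.
    """
    _entries: Dict[str, HandoffEntry] = field(default_factory=dict)
    clock: Callable[[], float] = time.time  # injectable so expiry can be tested

    def issue(self, user_id: str, credential: str, ttl: float = TOKEN_TTL_SECONDS) -> str:
        """Portal CPIP side, called before redirecting to the Google domain.
        Returns the cookie value: 256 random bits, not derived from the user."""
        token = secrets.token_urlsafe(32)
        self._entries[token] = HandoffEntry(user_id, credential, self.clock() + ttl)
        return token

    def redeem(self, token: Optional[str]) -> Optional[Tuple[str, str]]:
        """SSO-site side, called when Google redirects the browser back.
        Single use: the entry is removed whether or not it is still valid."""
        if not token:
            return None
        entry = self._entries.pop(token, None)
        if entry is None or self.clock() > entry.expires_at:
            return None
        return entry.user_id, entry.credential

    def purge_expired(self) -> int:
        """Housekeeping for tokens that were issued but never redeemed."""
        now = self.clock()
        stale = [t for t, e in self._entries.items() if now > e.expires_at]
        for t in stale:
            del self._entries[t]
        return len(stale)


# Constructed stand-in for the LDAP bind: a directory of salted SHA-1 digests.
_SALT = b"constructed-salt"
_DIRECTORY = {"jdoe": hashlib.sha1(_SALT + b"correct horse").hexdigest()}


def ldap_verify(user_id: str, credential: str) -> bool:
    """Constant-time comparison against the constructed directory."""
    digest = hashlib.sha1(_SALT + credential.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, _DIRECTORY.get(user_id, ""))


def sso_decide(store: HandoffStore, cookie: Optional[str]) -> str:
    """The SSO site's branch: 'redirect:<user>' when the portal hop checks out
    and LDAP agrees, otherwise 'login-page' (the direct-login path)."""
    found = store.redeem(cookie)
    if found is None:
        return "login-page"
    user_id, credential = found
    if not ldap_verify(user_id, credential):
        return "login-page"
    return f"redirect:{user_id}"


if __name__ == "__main__":
    store = HandoffStore()
    cookie = store.issue("jdoe", "correct horse")
    print(sso_decide(store, cookie))  # redirect:jdoe
    print(sso_decide(store, cookie))  # login-page (token already consumed)
```

The two properties worth keeping whatever the real store looks like are that the cookie value is unguessable and that it is consumed on first use; without them the handoff cookie becomes a bearer credential that is as good as the password for as long as the table keeps it.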
David, Thanks for getting
David,
Thanks for getting back on this. It seems like what you're doing is exactly what we're trying to do. We had set up a simpleSAML server but were unsuccessful in getting CPIP to work with it. We'd also be happy connecting straight into Google, but haven't figured out yet how to do this. Would you be able to share with us your code so that we can see how we can possibly integrate it on our end? I can be reached at tornabec at newschool dot edu.
Thanks in advance for any help that you can provide!
Christine
Gmail SSO working without forced Luminis login!!
Hi all!
I'm very excited to report something that we just got working.
We recently learned that you do not HAVE to force all your users to login to Luminis when using this method that Hofstra and VCCCD have so kindly shared with us. This is not a direct Google login though, you will need to have a CAS server (or some other service like Shibboleth may work as well, we haven't tested).
What we did: We basically followed VCCCD's instructions exactly, except for one thing. In Step 7, instead of pointing to Luminis for the Sign-in/Sign-out URLs, we are pointing to our CAS server. Also, on the CAS server, we uploaded all of the Keys/Certs from Luminis.
Now, of course, if our CAS server(s) go down, we'll be in the same situation as if Luminis goes down, but at least we now have more flexibility as far as Luminis downtime and upgrades.
I know there were a few people at Summit that had this concern, about having to log in to Luminis to access Google. We seem to have successfully worked around this, which is awesome.
:) Christine
system downtime?
Mike,
What is your university's policy regarding portal downtime and the unavailability of email access during this time?
We are just starting the process of migrating to gmail and this is one of our main hangups with implementing SAML SSO authentication.
Any other schools using SAML to google care to comment?
David
system downtime
We don't have a strict policy regarding email access and portal downtime. Part of the reason is that we are very new to hosting student email. Also, being a community college, I think we have a bit of wiggle room there.
Portal downtime hasn't been much of an issue for us yet. If the portal were to go down unexpectedly (or during maintenance) our load balancer redirects to a maintenance page on a different server. The maintenance page has alternate login links to employee email, Banner, and our learning management system (Desire2Learn). We do not have an alternate login to Google at this point.
HTH,
Mike
Hi Ginny, We have the same
Hi Ginny,
We have the same issue as Mike. Once you enable SAML authentication, only admins have direct access to the Google URL. As far as we have been told by Google, there is no way to configure it for both means of authentication.
-Kevin
RE: SSO + ability to login to google directly
I got a direct response from Kevin... he said that their implementation DOES allow access to google thru luminis and directly thru the google login.
--Ginny
RE: SSO + ability to login to google directly
That would be nice to know. Kevin, can we post that info here?
--mike
CORRECTION
Sorry, my bad. I didn't get a direct reply from Kevin. I got a direct reply from David McMillan indicating that their SSO allows both Luminis access and direct access thru the google login. Not sure if David's notes are posted somewhere.
--Ginny
Bump
Any news on this? I assume you cannot have it both ways but it would be great if it could be setup that way. (SSO and direct login)
Jack
VCCCD SSO Update
While working with Rance (http://www.lumdev.net/node/3218), we found two issues with the VCCCD code:
1) I forgot a step in the install instructions (change the location of the key files in ProcessResponseServlet.java)
2) The error handling left a bit to be desired. Namely, exceptions in ProcessResponseServlet were ignored. That made #1 pretty hard to troubleshoot.
I have fixed the above two issues and put this code in the subversion repository here: http://svn.lumdev.net/Luminis/Platform/IV.x/vcccd_lum4_saml/ I'll also zip it up and send it to Kevin so he can update this page. If you have already implemented this SSO, there is no big rush to update. These are not very critical changes.
-mike
First Time SSO
Hi,
Thanks for sharing the code and we are running a pilot at the moment. Our Account Provisioning and Password Sync will be done through our Identity and Access Management System.
For the SAML SSO part it was pretty straight forward based on the HOFSTRA/VCCCD code.
We have one issue though. On a newly created account the SSO link from the portal leads to a Google server error page. If the user logs on directly at http://google.com/a/your_domain, the user is prompted with the activation page. Upon activation the user is taken to a "service not available" page.
After the user activation the SAML SSO works flawlessly, so are we missing something in our setup?
Venki
Activation Page
Hi Venki,
I can't say I've seen that error before. The first time our users click the SSO link they get the EULA / Activation page and then move straight into Gmail. However, we may have a different experience because a while back Google changed some of our EULA requirements to be more lax (long story).
You could try increasing the size of the xmlMessageBytes variable in ProcessResponseServlet.java. I had to increase it once already because the XML Google returned was too big. Shot in the dark, but worth a try.
--mike
Hi Mike, Based on the VCCCD
Hi Mike,
Based on the VCCCD code this has already been increased to 50000 from 5000.
Venki
Resolved my problem
Hi,
Can we mention somewhere that that the SSO link should be:
https://portalclonetest.carleton.ca/www/cpip/saml/samlpopout.jsp?serviceProviderUrl=https://mail.google.com/a/student.carleton.ca
I was using
https://portalclonetest.carleton.ca/www/cpip/saml/saml1.jsp
Thanks
Venki
Glad to Hear
That's great news, Venki. Did you set up Google in the way I describe in step 7 of install.txt? With all of this in place our SSO link is:
http://mail.google.com/a/[google apps domain name]
-mike
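The hop that step 7 (pointing Google's sign-in URL at the IdP, whether Luminis or CAS), the xmlMessageBytes buffer and the samlpopout.jsp/serviceProviderUrl link above all touch, written out as an added example. This is not the Hofstra/VCCCD servlet code; it is a Python model of what the IdP endpoint does with what Google sends. It assumes that Google delivers the AuthnRequest with the SAML 2.0 HTTP-Redirect binding (SAMLRequest = URL-escaped base64 of a raw DEFLATE stream) and takes the Response back over the HTTP-POST binding (base64 only), that the ACS URL in the request must match the one configured for your Google domain before it is trusted, and that the Audience is the request's Issuer. The AuthnRequest below is constructed, the IdP name is hypothetical, and the XML signature that Google verifies with the key you gave them is the step left out.

```python
"""Decode Google's SAMLRequest, read the body safely, build a bound Response (added example)."""
import base64
import uuid
import zlib
from datetime import datetime, timedelta
from typing import IO, Dict
from urllib.parse import quote, unquote
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed AuthnRequest of the shape Google sends to the configured sign-in URL.
CONSTRUCTED_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_constructed-request-1" Version="2.0" IssueInstant="2011-06-01T12:00:00Z" '
    'ProviderName="google.com" '
    'AssertionConsumerServiceURL="https://www.google.com/a/my.vcccd.edu/acs">'
    '<saml:Issuer>google.com</saml:Issuer></samlp:AuthnRequest>'
)


def encode_redirect_request(xml_text: str) -> str:
    """SP side of the HTTP-Redirect binding: raw DEFLATE (wbits -15), base64, URL-escape."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = co.compress(xml_text.encode("utf-8")) + co.flush()
    return quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_redirect_request(saml_request_param: str, allowed_acs: str) -> Dict[str, str]:
    """IdP side: undo the binding and keep what the Response must echo back.
    The ACS URL is attacker-influenced (the request is unsigned), so it is
    checked against the configured Google ACS before anything is sent there."""
    xml_bytes = zlib.decompress(base64.b64decode(unquote(saml_request_param)), -15)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    acs = root.attrib["AssertionConsumerServiceURL"]
    if acs != allowed_acs:
        raise ValueError(f"AssertionConsumerServiceURL {acs!r} is not the configured ACS")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {"id": root.attrib["ID"], "acs_url": acs,
            "issuer": issuer.text if issuer is not None else ""}


def read_body(stream: IO[bytes], limit: int = 1 << 20) -> bytes:
    """Read a request body to EOF in chunks instead of into a fixed-size array.
    A fixed buffer silently truncates a large message (the xmlMessageBytes
    symptom above); an explicit limit still bounds memory use."""
    chunks, total = [], 0
    while True:
        chunk = stream.read(8192)
        if not chunk:
            return b"".join(chunks)
        total += len(chunk)
        if total > limit:
            raise ValueError("request body exceeds limit")
        chunks.append(chunk)


def build_response(req: Dict[str, str], name_id: str, idp_issuer: str,
                   now: datetime, lifetime: timedelta = timedelta(minutes=5)) -> str:
    """Unsigned Response bound to the request: InResponseTo, Destination and
    Recipient all come from the decoded AuthnRequest, and the validity window
    is short. name_id is the value the thread debates (loginId vs. Immutable ID)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    issued, not_after = now.strftime(fmt), (now + lifetime).strftime(fmt)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": f"_{uuid.uuid4()}", "Version": "2.0", "IssueInstant": issued,
        "Destination": req["acs_url"], "InResponseTo": req["id"]})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = idp_issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": f"_{uuid.uuid4()}", "Version": "2.0", "IssueInstant": issued})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = idp_issuer
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}).text = name_id
    confirmation = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation",
                                 {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(confirmation, f"{{{SAML}}}SubjectConfirmationData", {
        "Recipient": req["acs_url"], "InResponseTo": req["id"], "NotOnOrAfter": not_after})
    conditions = ET.SubElement(assertion, f"{{{SAML}}}Conditions",
                               {"NotBefore": issued, "NotOnOrAfter": not_after})
    audience = ET.SubElement(conditions, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(audience, f"{{{SAML}}}Audience").text = req["issuer"]  # assumed audience
    return ET.tostring(resp, encoding="unicode")


def encode_post_response(xml_text: str) -> str:
    """HTTP-POST binding: base64 only, no DEFLATE."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
```

Run it by encoding CONSTRUCTED_AUTHN_REQUEST, decoding it with the same ACS URL as allowed_acs, and passing the result to build_response; what comes out is the unsigned skeleton that the real servlet signs with the IdP key before base64-encoding it into the SAMLResponse form field. The two checks a practitioner should not skip are the ACS allowlist on the way in and the InResponseTo/Recipient binding on the way out: without them an attacker who can get a user to click a crafted link can have a valid assertion for that user delivered to a URL of their choosing.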
Are you using CAS or Shibboleth with your Luminis?
We have started to move towards Google migration but were wondering how you were integrating Luminis. Did you make Luminis the authoritative CAS service, or do you have an external CAS? If the latter, how did you get that to work so the user doesn't have to log in twice?
Sincerely,
Kerri