4.3 Configuring the Connector for Google Apps for Business

The connector for Google Apps provides user account provisioning and single sign-on access to Google Apps for Business domains. After users log in to CloudAccess, SAML authentication is used to automatically authenticate (single sign-on) users to Google Apps for Business. Each cluster can support multiple instances of the connector.

To configure the connector:

  1. (Conditional) If you want to enable user access to specific Google applications, complete the following steps:

    1. In the Google Apps Admin console, create one or more organizational structures underneath the top-level container of your Google Apps domain.

    2. Click the Google Apps > Services menu option and enable or disable each available application for each selected organization.

  2. Log in as an administrator to the CloudAccess administration console:

    https://appliance_dns_name/appliance/index.html
    
  3. Drag and drop the SAML 2.0 connector for Google Apps for Business from the Applications palette to the Applications panel.

    The Configuration window opens automatically for the initial configuration. To view or reconfigure the settings later, click the connector icon, then click Configure.

  4. Provide a unique display name for the connector to appear on the Admin and landing pages, and also provide the administrator logon credentials and domain for the Google Apps for Business account.

  5. (Conditional) Select the Automatically configure SSO settings option if you want CloudAccess to configure the single sign-on parameters at Google Apps for Business. Otherwise, you must manually configure the parameters at Google Apps for Business.

  6. (Conditional) Select Prompt users for an existing Google Apps account before provisioning if you want to give users control of when their accounts are provisioned. For more information, see Section 4.2, Understanding Google Apps Provisioning.

  7. (Conditional) If you want to specify a default organizational unit for newly provisioned users, expand Advanced Options and enter the path to the organization in the Default OrgUnit field.

    NOTE: You can specify a sub-organization at any level in your Google Apps organizational structure, using forward slashes, as long as you have set up that structure. For example, mygoogle.com/employees/fulltime/salary. If you leave this field blank, the connector places newly provisioned users into the top-level organization of the Google Apps domain.

  8. (Conditional) If you did not select the Automatically configure SSO settings option, click Federation Instructions. Read the instructions provided to configure the connector for Google Apps for Business to allow single sign-on for users, then complete the following steps:

    1. Copy and paste the text of the signing certificate provided in the Federation Instructions into a file, then save the file.

      NOTE: Ensure that you use a text editor that does not introduce hard returns or additional white space. Otherwise, the certificate file may be improperly formatted and unusable. For example, use Notepad instead of WordPad.

    2. Log in to the Google Apps Dashboard with your administrator account.

    3. Navigate to Advanced Tools > Set up single sign-on (SSO).

    4. Provide the following information:

      Enable Single Sign-on: Select this option.

      Sign-in page URL: Specify the value provided for the Single Sign-on URL in the Federation Instructions.

      Sign-out page URL: Specify the value provided for the Single Logout URL in the Federation Instructions.

      Change password URL: Specify the URL of the page to which users are redirected when they click Change Password. (This is not part of the federation per se, but Google requires a value for this field.)

      Verification certificate: Upload the file into which you copied the signing certificate text above.

      Use a domain specific issuer: Select this option. This changes the value sent in the SAML request to be google.com/a/google_apps_domain instead of google.com. For more information, see SSO (Single Sign-On) in the documentation for Google Apps for Business.

      Network masks: Leave blank. This option is not applicable to SAML configuration.

    5. Click Save Changes.

  9. Click OK.

  10. On the Admin page, click Apply to commit the changes to the appliance.

  11. Wait until the configuration changes have been applied on each node of the CloudAccess cluster.

  12. Perform policy mapping to specify entitlements for identity source groups.

    For more information, see Mapping Authorizations in the NetIQ® CloudAccess and MobileAccess Installation and Configuration Guide.

  13. (Optional) To provide users with access to Google Apps Mail from supported mobile devices, click the configured connector on the Applications panel, then click Enable email proxy.

  14. (Optional) Modify default appmarks or configure new appmarks to specify how users should access the Google Apps applications.

  15. Add users to the appropriate identity source group to trigger user account provisioning to Google Apps.

  16. (Conditional) If required, grant approvals for mapped authorizations.

User accounts that have been provisioned to Google Apps for Business using CloudAccess must authenticate through CloudAccess. Direct logins to Google Apps for Business are not allowed. For more information, see the SAML SSO section of the Google Apps for Business website.
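
The certificate file saved in step 8 can be checked before it is uploaded as the verification certificate. The following is an added example, not part of the CloudAccess product or its documentation: it flags the editor damage the note in step 8 warns about (rich-text output, stray white space, altered BEGIN/END lines) and truncation, then returns a SHA-256 fingerprint of the decoded data. The function names and the sample data are assumptions made for the illustration, and the check is structural only.

```python
import base64
import hashlib
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def der_is_one_sequence(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose length field matches."""
    if len(der) < 2 or der[0] != 0x30 or der[1] == 0x80:
        return False
    n = der[1] & 0x7F if der[1] > 0x80 else 0  # long form: n length bytes follow
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    return 2 + n + length == len(der)

def check_cert_file(raw: bytes):
    """Return (problems, sha256_hex or None) for a pasted PEM certificate file."""
    if raw.startswith(b"{\\rtf"):
        return ["file is RTF, not plain text"], None
    try:
        lines = raw.decode("ascii").splitlines()
    except UnicodeDecodeError:
        return ["file contains non-ASCII bytes"], None
    while lines and not lines[-1].strip():  # ignore blank lines after END
        lines.pop()
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return ["BEGIN/END CERTIFICATE lines missing or altered"], None
    problems, body = [], lines[1:-1]
    for n, line in enumerate(body, start=2):  # n is the line number in the file
        if not line or line != line.strip():
            problems.append(f"line {n}: blank line or stray white space")
        if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", line.strip()):
            problems.append(f"line {n}: character outside the base64 alphabet")
    try:
        der = base64.b64decode("".join(l.strip() for l in body), validate=True)
    except ValueError:
        return problems + ["base64 body does not decode"], None
    if not der_is_one_sequence(der):
        problems.append("decoded data is not one complete DER structure")
    return problems, hashlib.sha256(der).hexdigest()

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode()
    return "\n".join([BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END]) + "\n"

# Constructed stand-in for a certificate (a DER SEQUENCE of 200 filler bytes), not a real one.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))
print(check_cert_file(to_pem(SAMPLE_DER).encode()))
```

An empty problem list does not prove that the file holds a valid X.509 certificate. The fingerprint is useful for comparing the saved file against another copy of the same certificate.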