Single sign on with ChromeOS and Office 365


dan attwood

May 12, 2015, 9:28:08 AM
to chromiu...@chromium.org
Hi

I work for a college and we have decided to give chromebooks a try. We are a Microsoft college and have Office 365 for all our students. We don't want to go down the google apps for education route but we do like that chromebooks have good battery life, simple updates, cheap etc.

We've been through all the official set up steps and are now at the stage where to login to the chromebook the student must:

Login with their O365 email address and password (this is the same as their Active Directory one) - this login is effectively against their google apps account.
They then get taken to our ADFS login page
They login there with their email and password again - this is effectively their O365 username/ password
They then get a chromeos page pop up that asks for their password again

They are then logged in against ADFS and SAML and can access all our resources by browsing to them.

When compared to our windows boxes (login, browse to resources) this process is long winded and frankly a bit rubbish.

It seems that if the first login sets up a saml token then the ADFS page should be able to read that token and not require the username and password to be entered.


Does anyone have experience of this and any possible solutions or comments please?


Bartosz Fabianowski

May 12, 2015, 9:35:54 AM
to dan attwood, chromiu...@chromium.org
On 12 May 2015 at 15:28, dan attwood <danat...@gmail.com> wrote:
> Hi
>
> I work for a college and we have decided to give chromebooks a try. We are a Microsoft college and have Office 365 for all our students. We don't want to go down the google apps for education route but we do like that chromebooks have good battery life, simple updates, cheap etc.
>
> We've been through all the official set up steps and are now at the stage where to login to the chromebook the student must:
>
> Login with their O365 email address and password (this is the same as their Active Directory one) - this login is effectively against their google apps account.

There is no need to provide a password here. Your students can leave the password field blank. You can even turn off password syncing altogether if all your logins are being done via SAML.

> They then get taken to our ADFS login page
> They login there with their email and password again - this is effectively their O365 username/ password

Unfortunately, this is necessary because there is no standardized way for Chrome OS to pass the e-mail address to the SAML IdP.

> They then get a chromeos page pop up that asks for their password again

This could be avoided if your IdP implemented advanced integration:

https://www.chromium.org/administrators/advanced-integration-for-saml-sso-on-chrome-devices

> They are then logged in against ADFS and SAML and can access all our resources by browsing to them.
>
> When compared to our windows boxes (login, browse to resources) this process is long winded and frankly a bit rubbish.
>
> It seems that if the first login sets up a saml token then the ADFS page should be able to read that token and not require the username and password to be entered.
>
> Does anyone have experience of this and any possible solutions or comments please?


--
--
Chromium OS Developers mailing list: chromiu...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-os-dev?hl=en


Bartosz Fabianowski

May 12, 2015, 9:40:51 AM
to chromiu...@chromium.org, Dan Attwood
On 12 May 2015 at 15:37, Dan Attwood <danat...@gmail.com> wrote:
> | Unfortunately, this is necessary because there is no standardized way for Chrome OS to pass the e-mail address to the SAML IdP.
>
> Have you any idea if this feature is on a roadmap somewhere and has any kind of ETA?

This is a limitation of the SAML standard. There is nothing we could change in Chrome OS to address this, short of modifying the standard and waiting for IdPs to adopt a new way of passing user IDs.

Vadim Bendebury

May 12, 2015, 2:23:26 PM
to dan attwood, Chromium OS dev
On Tue, May 12, 2015 at 6:28 AM, dan attwood <danat...@gmail.com> wrote:
>
> We don't want to go down the google apps for education route
>

but maybe you should?

--vb

Zak

Mar 25, 2016, 3:03:48 PM
to Chromium OS dev
Hi,

I have the same issue. I would like to somehow get rid of this double login. Apparently this double login is to allow the chromebook to be used offline, something we don't want anyway.

Does anyone know how to get that API working with ADFS 3? I can't figure it out.

Thanks

Wallkill CSD

Apr 1, 2016, 7:39:58 AM
to Chromium OS dev
Zak,

http://www.chromium.org/administrators/advanced-integration-for-saml-sso-on-chrome-devices specifies a JavaScript to load during authentication. I, however, have not found a way to implement it in ADFS.

Tom