I'm thinking of implementing Gmail with SAML SSO for our school. We
currently have an Active Directory setup. If I set this up with SAML
SSO to utilise the same credentials stored on our server, does this
mean that users can only check their emails via Gmail's web-based
feature? Or can I still set up their email client (Apple Mail mostly)
to imap.gmail.com or whatever, and can it then use the SAML to log on?
Thanks,
Sam
Out of curiosity, how would we synchronise Gmail to have the same
password as our AD users' passwords?
Thanks in adv!
On Nov 7, 8:27 pm, "Ryan Shelley" <12gaugeme...@gmail.com> wrote:
> If you configure the new Google accounts with the user's SHA-1 encrypted
> password, then yes, the user can use their normal username/password to
> access Gmail via POP3. Keep in mind, however, you'll want to synchronize
> password changes within your AD environment with an update to Gmail.
>
> On Nov 6, 2007 2:45 PM, SamOsborne <osborne....@gmail.com> wrote:
You have misunderstood my question. I'm actually interested in using
SSO and if it is possible to then use a mail client with SSO.
Sam.
On Nov 8, 5:35 am, "Ryan Shelley" <12gaugeme...@gmail.com> wrote:
> You'll need to extract from AD all of your account passwords in SHA-1. I
> don't know enough about AD, however, to tell you if that's how they are
> stored, or if that's a configurable option. However, if it's possible for
> you to get those passwords in SHA-1, you'll need to export that information
> somehow into a file you can import to Google to setup the accounts. Then
> going forward, when a user changes their password using whatever process you
> currently have, there would be an additional step that would use the Google
> API to update the user's Google password at the same time.
>
> On Nov 7, 2007 1:38 AM, Ahmed <platfo...@gmail.com> wrote:
Unfortunately 'the NTLM, NTLMv2, and Kerberos all use the NT hash,
also known as the Unicode hash' (Q299656). The best way to achieve
what you suggest would likely be to register for password change
notifications and capture the password in cleartext before it is
encoded and stored to AD. This is how Microsoft themselves do it for
their Identity Integration Server:
Password Change Notification Service captures passwords on the domain
controller so Identity Integration Server can synchronize.
http://www.microsoft.com/downloads/details.aspx?familyid=c0964f2e-fa9f-4fc7-ac13-c43928efee9d&displaylang=en
An interesting enhancement for apps would be for it to understand NTLM
hashes, at least for migration purposes (they could be stored
temporarily and upgraded when the user provides the cleartext password
the first time they log on). I've already done something similar for
OpenLDAP half a dozen years ago so I know it's feasible; I'll submit
the suggestion to product management.
http://www.openldap.org/lists/openldap-devel/200203/msg00025.html
Presumably those of you using Apps in NT-based environments would find
the ability to migrate existing passwords useful?
Sam
The Google Apps SSO option is only for the web applications.
Currently there is no delegated authentication mechanism for the non-
web protocols (SMTP, IMAP, POP3, XMPP).
The workaround is what Ryan described, syncing passwords.
-alex