In December Google announced the availability of SAML SSO and other APIs within the free edition of Google Apps. SAML was already introduced for the premium/business and educational versions back in 2007. But now you can benefit from this feature to make access to all versions of Google Apps more secure.
This article has two parts. Part I describes how to secure access to Google Apps using SSOCircle IDPee with password-free X.509 client certificate authentication which is a good countermeasure against phishing attacks often practiced to capture user name and password in order to gain access to your Gmail account. Remember the attack against U.S. officials Gmail accounts by phishing attacks originating from China (see CNN: “Massive Gmail phishing attack hits top U.S. officials”).
Part II describes how to leverage certificates to encrypt and sign emails with a standard browser and Gmail. Take the next step to protect your email communication from everyone including the service provider. Do all these with your standard browser.
This is what you need for Part I (Secure access to Google Apps):
- Google Apps account (e.g. free Standard Edition)
- SSOCircle IDPee account
Follow the steps below to configure the application. We assume you already have user accounts created at Google Apps and SSOCircle IDPee.
A. Configure Google Apps for SAML SSO
- Login to your Google Apps account as administrator
- Go to “Advanced tools” and “set up single sign on”
- Enter the fields as described in the screen shot
- The certificate needed as a verification certificate can be downloaded from your IDPee at <my-hostname>.idpee.com/cert.cer
B. Import Google Apps configuration data into SSOCircle IDPee
- Login to your SSOCircle IDPee account as administrator
- Go to “Manage meatdata” and click “Add new service provider”
- Enter the metadata of your Google Apps.
You can retrieve a sample of meta data on the SSOCircle web site and replace the string “YOUR_GOOGLE_APPS_DOMAIN” with the name of your domain.
Copy & paste it into the form:
You will now see that your Google Apps meta data was properly as shown in the following screen:
C. Enroll certificate for your user account
Finally after getting the Google Apps – SSOCircle IDPee integration in place, you need now to enroll for a personal client certificate. SSOCircle IDPee provides automatic enrollment pages for Firefox, Internet Explorer and Chrome. Read the following screens to see how simple it is:
- Install your personal certificate into your browser by using the automatic enrollment page
After clicking on the link for your browser a key generation and certificate enrollment page appears. Choose a key length that fits your requirements and submit the page. A process is started that gernerates a private – public key pair locally and submits a certificate signing request to SSOCircle IDPee. SSOCircle will sign the certificate and send it back to the browser for import in the local certificate store.
This is done fully automatically:
The browser displays a message that the certificate issued by the CA was successfully imported. Now you are ready to go to authenticate to SSOCircle IDPee and Google Apps without a password send over the wire. Just click on the three-locks symbol at the authentication page. A certificate chooser is displayed by the browser. Choose your personal certificate generated in the previous step and you are logged in …
Cloud security made simple – SSOCircle. Contact us for more information.