Note: The information contained on this page does not create a joint venture, partnership, agency or other form of association, or an express or implied license grant by either party to the other under any patent, trademark, copyright, trade secret or other intellectual property right.
miniOrange gives enterprises secure access to Google Apps and full control over who can access the application, with Single Sign On (SSO) into your Google Apps account using one set of login credentials. miniOrange prevents fraud with its dynamic risk engine in conjunction with an enterprise-specific security policy. We support a combination of the Device ID, Location and Time of access as multi-factor authentication that can detect and block fraud in real time, without any interaction with the user. You can now restrict the use of Google Apps to your intranet and block user access from outside the network.
Follow the step-by-step guide below to restrict Google Apps access.
Step 1: Configure Single Sign On (SSO) Settings for Google Apps
- Log in as a customer from the miniOrange Admin Console.
- Go to Apps >> Manage Apps. Click on Add Application in the top right corner.
- Click on the SAML tab. Select Google Apps and click the Add App button.
- Make sure the SP Entity ID or Issuer is in the format: https://www.google.com
- Make sure the ACS URL is in the format: https://www.google.com/a/[domain_name]/acs
For example: https://www.google.com/a/miniorange.com/acs
- Make sure the Single Logout URL is in the format: https://mail.google.com/a/out/tld/?logout
- Enter the Domain Administrator in the Google Apps Administrator field and click on "Verify Google Apps Administrator" to verify that the value entered belongs to an administrator (this is an optional field).
- Leave the Attributes section empty.
- Under Add Policy, select Group Name and fill out Policy Name.
- Select First Factor Type as PASSWORD.
- Check Enable Adaptive Authentication and then select Default FP Policy from the Select Login Policy dropdown.
- Click on Save to configure Google Apps.
- Click on Metadata from the Select dropdown, then select Show Metadata Details and click on the Download Certificate button to download the certificate, which will be required later.
Step 2: Restrict access to Google Apps from outside office premises (IP-based restriction)
- Go to Adaptive Authentication from the left sidebar menu. Select Edit for Default FP Policy.
- Under IP Blocking Configuration, enter the range of IP addresses you want to grant access to, and under Select Action choose Allow / Challenge / Deny for the rest of the IPs.
- Click on Save to configure the policy.
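Added example (not part of the miniOrange guide or product code): a pre-flight check of the address ranges before they are entered under IP Blocking Configuration. Because the sign-in page is cloud hosted, it sees the office's public egress address, so private intranet ranges in the list will not match real logins. The function names, the sample ranges and the 65536-address threshold are assumptions, and decide() only models the behaviour described in Step 2.

```python
import ipaddress

# RFC 1918 space: a cloud-hosted IdP never sees these as a login's source address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample allowlist (mostly documentation ranges), not values from the page.
SAMPLE_RANGES = ["203.0.113.0/28", "198.51.100.10-198.51.100.20",
                 "10.0.0.0/8", "203.0.0.0/8", "203.0.113.5/28"]

def parse_range(text):
    """Parse 'a.b.c.d/n' or 'start-end' into a list of ip_network objects."""
    if "-" in text:
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if start > end:
            raise ValueError("range start is after range end")
        return list(ipaddress.summarize_address_range(start, end))
    # strict=True rejects entries such as 203.0.113.5/28 that have host bits set
    return [ipaddress.ip_network(text.strip(), strict=True)]

def audit(ranges, max_addresses=65536):
    """Return (networks, findings) for an allowlist before it goes into the policy."""
    networks, findings = [], []
    for text in ranges:
        try:
            nets = parse_range(text)
        except (ValueError, TypeError) as exc:
            findings.append((text, f"invalid: {exc}"))
            continue
        size = sum(n.num_addresses for n in nets)
        if any(n.overlaps(p) for n in nets for p in RFC1918):
            findings.append((text, "private: IdP sees the public egress address instead"))
        elif size > max_addresses:
            findings.append((text, f"broad: {size} addresses allowed"))
        networks.extend(nets)
    return networks, findings

def decide(source_ip, networks, rest_action):
    """Model of Step 2: listed ranges are allowed, everything else gets rest_action."""
    addr = ipaddress.ip_address(source_ip)
    return "ALLOW" if any(addr in n for n in networks) else rest_action

if __name__ == "__main__":
    nets, findings = audit(SAMPLE_RANGES)
    for entry, problem in findings:
        print(f"{entry}: {problem}")
    for ip in ("203.0.113.7", "198.51.100.21", "192.0.2.1"):
        print(ip, decide(ip, nets, "DENY"))
```

Run it against the real egress ranges and a few known inside and outside addresses before saving the policy with Deny as the action for the rest of the IPs.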
Step 3: Setup Single Sign On for your domain in Google Apps
- Now select the Security tab in the Google Admin Console.
- Go to Advanced Settings. Select Set Up Single Sign-On (SSO).
- Enter Sign-In Page URL: https://login.xecurify.com/moas/idp/samlsso
- Enter Sign-Out Page URL: https://mail.google.com/a/[domain_name]
Example - https://google.com/a/miniorange.com
- Enter Change Password URL:
- Upload the certificate that was downloaded earlier.
- Select the Enable Single Sign-On checkbox and save the settings.
Step 4: Now sign in to your Google Apps account with miniOrange IdP in either of two ways:
1. Using SP-initiated login:
- Go to http://mail.[domain_name], enter your Email Address and click on Login. You will be redirected to the miniOrange IdP Sign On Page.
- Enter your miniOrange login credentials and click on Login. You will be automatically logged in to your Google Apps account.
2. Using IdP-initiated login:
- Log in to your miniOrange Self Service Console as an End User and click on the Google Apps icon on your Dashboard.
Access Restriction to Google Apps using the miniOrange cloud-based solution
A new work law in some countries imposes restrictions on the working hours of an employee. If a worker receives an e-mail after office hours and has to act on it, he or she qualifies for overtime pay. In such a scenario, companies can restrict access by physically turning off email servers and stopping the flow of incoming messages, which is not a good solution. Companies need to keep groups of employees from checking their inbox after office hours.
miniOrange Google Apps security, along with fraud prevention, dynamically analyses user requests and applies time-based restriction policies to application (Google Apps) access, which minimizes the risk of access after office hours. Also, if a user is already logged in to Google Apps, miniOrange automatically logs out all users after the office hours configured by the administrator.
Time-based restriction:
Time-based restrictions can be set up by configuring a policy so that employees cannot access any email after office hours. The time restriction field defines a time slot during which the cloud application can be accessed. A report stating access denial is received if an employee tries to access the application outside the declared time slot. Time-based restrictions are set up by configuring a Risk Based Access / Adaptive Authentication policy.
The forced logout option must be set up in order to set a time restriction.
"Time Restrictions highly matter when business remuneration outflow is governed by employee working hours"
The restrictions that can be set by configuring a policy during Google Apps single sign-on setup are discussed below.
IP-based restriction:
Once Google Apps is set up for Single Sign On, access to Google Apps from outside the office premises can be restricted using IP-based restriction. IP restriction limits access to within a network, which minimizes the risk of unauthorized access. Access can be kept open for some users from outside the network by creating a different group for them.
Device-based restriction:
A device restriction policy sets a limit on the number of devices from which a user can access the account. This ensures that the user can log in only from his or her own device and no one else can log in to the user's account, even if he or she knows the credentials.
Location-based restriction:
With location-based restriction, you can set up a policy that configures a list of allowed locations and blocked locations. This is needed when you want to restrict your application access to specific locations and remove the risk of attacks by blocking all other locations.
For further details refer :