Note : The information contained on this page does not create a joint venture, partnership, agency or other form of association, or an express or implied license grant by either party to the other under any patent, trademark, copyright, trade secret or other intellectual property right.

Google Apps Security

miniOrange provides secure access to Google Apps for enterprises and full control over access of Google Apps application, Single Sign On (SSO) into your Google Apps Account with one set of login credentials. miniOrange prevents frauds with its dynamic risk engine in conjunction with enterprise specific security policy. We support a combination of the Device Id, Location and Time of access as multi-factor authentication that can detect and block fraud in real-time, without any interaction with the user. Now you can restrict use of Google Apps only within intranet and block user access from outside network.

Google apps Single Sign On using existing IdP

miniOrange allow you to restrict use of Google Apps only within intranet ( office premises ) and blocks user access from outside network. Also you can keep access open for some users from outside network by creating different group for them.
Single Sign On with Google Apps

Login to your applications with Google Apps as IdP. Click here to check the step-by-step guides to configure Google Apps as IdP for Single Sign On to WordPress or Canvas LMS.

Follow the Step-by-Step Guide given below for Restrict Google Apps Access.

Step 1: Configure Single Sign On (SSO) Settings for Google Apps

Login as a customer from Admin Console.
Go to Apps >> Manage Apps . Click Configure Apps button.
Click on SAML tab. Select Google Apps and click Add App button.

Make sure the SP Entity ID or Issuer is in the format: https://www.google.com.
Make sure the ACS URL is in the format: https://www.google.com/a/miniorange.in/acs.
Make sure the Single Logout URL is in the format: https://mail.google.com/a/out/tld/?logout.
Enter the Domain Administrator in Google Apps Administrator field and click on "Verify Google Apps Administrator" to verify if the domain entered is of administrator (this is an optional field).
Leave the Attributes section empty.
Under Add Policy, select Group Name and fill out Policy Name.
Select First Factor Type as PASSWORD.
Check Enable Fraud Prevention and then select Default FP Policy from Select Fraud Prevention Policy dropdown.
Click on Save to configure Google Apps.

Click on Download Certificate link to download the certificate which will be required later.

Step 2: Steps to restrict access of Google Apps outside office premises(IP Based restriction)

Go to Fraud Prevention >> Basic Policy Configuration. For Default FP Policy, select Edit.

Under IP Blocking Configuration, enter the range of IP addresses you would want to grant access and click on Allow.
Click on Save to configure the policy.

Step 3: Setup Single Sign On for your domain in Google Apps

Now Select Security Tab from Admin Console.

Go to Advanced Settings. Select Set Up Single Sign-On (SSO).

Enter Sign-In Page URL: https://login.xecurify.com/moas/idp/samlsso
Enter Sign-Out Page URL: https://mail.google.com/a/[domain_name]
Example - https://google.com/a/miniorange.com
Enter Change Password URL: https://login.xecurify.com/moas/idp/samlsso
Upload the certificate that was downloaded earlier.
Select Enable Single Sign-On checkbox and save the settings.

Step 4: Now sign in to your Google Apps account with miniOrange IdP by either of the two steps:

1. Using SP initiated login :-

Go to http://mail.[domain_name], enter your Email Address and click on Login. Now you will be redirected to miniOrange IdP Sign On Page.

Enter your miniOrange login credential and click on Login. You will be automatically logged in to your Google Apps account.

2. Using IdP initiated login :-

Login to your miniOrange Self Service Console as an End User and click on the Google Apps icon on your Dashboard.

OR

Follow the Step-by-Step Guide given below to configure Google Apps as IdP to Single Sign On to WordPress.

STEP 1: Configure Wordpress site as SAML Service Provider in Google Apps

Go to https://admin.google.com and login to your Google Apps Administrator account.
On the Admin Home, select More Controls > Apps.

In the App Settings, select SAML apps.
Click on the "+" button at the bottom right corner to create a new SAML app.
Now select SETUP MY OWN CUSTOM APP from the popup.

On the next screen, note down the SSO URL, Entity ID URLs and download the certificate. These will be required while configuring the Plugin.
Once you have noted down the URLs and downloaded the certificate, click on Next.
Enter the Application Name and Description. Click on Next.
Configure the following things on the next screen:

ACS URL	ACS (AssertionConsumerService) URL from Step1 of the plugin under How to Setup SP in Google Apps Tab.
Entity ID	SP-EntityID / Issuer from Step1 of the plugin under How to Setup SP in Google Apps Tab.
Signed Response	Checked
Name ID	Select Basic Information from the first dropdown. Then Primary Email from the second dropdown.

Click on Next. Then click on Finish.
Now go to SAML Apps again. Click on the menu link corresponding to your app (See the screenshot). Then select ON for everyone.
From the popup, Click on TURN ON FOR EVERYONE.

STEP 2: Configuring Google Apps as Identity Provider in Wordpress Login with Google Apps plugin

In miniOrange Login with Google Apps plugin, go to IDP Setup tab and enter the following details:

Identity provider Name:	GoogleApps
SAML Login URL	The SSO URL that you noted down while configuring the Wordpress site in Google Apps.
IdP Entity ID or Issuer	The Entity ID that you noted down while configuring the Wordpress site in Google Apps.
X.509 Certificate	Open the downloaded certificate in the Notepad. Copy paste the entire content of the file here.
Response Signed	Checked
Assertion Signed	UnChecked

Click Save to configure the plugin and test the configuration by clicking on Test Configuration.

Follow the Step-by-Step Guide given below to configure Google Apps as IdP to Single Sign On to Canvas using miniOrange broker service.

STEP 1: Identify your primary Identity source and configure it in miniOrange.

Configure Google Apps to register the miniOrange broker service.
Enter following details for Service Provider details in Google Apps configuration:

ACS Url	https://login.xecurify.com/moas/broker/login/saml/acs/<YOUR_CUSTOMER_KEY>
SP Entity ID	https://login.xecurify.com/moas/

Click here to login to miniOrange admin dashboard.
Go to Identity Sources from side menu.
Click on Configure Identity Source Button on top right corner on screen.
Add your Identity Source here entering all the required fields that you noted down while configuring Google Apps and click on SAVE button.

Step 2: Configure Single Sign On (SSO) Settings for Canvas LMS

Login to miniOrange Admin Console.
Go to Apps >> Manage Apps . Click Configure Apps button.
Click on SAML tab. Select Canvas and click Add App button.

Make sure the SP Entity ID or Issuer is in the format: https://your_domain.acme.instructure.com/saml2.
Make sure the ACS URL is in the format: https://your_domain.acme.instructure.com/saml
In the Attributes section, enter the value NameID in the Attribute Name field, select E-Mail Address from the Attribute Value list.
Click on Add Apps to configure Canvas.
Click on Download Certificate link to download the certificate which will be required later.

Step 3: Configure Single Sign On (SSO) SAML Settings in Canvas LMS

Login to your Canvas LMS domain as an Account Administrator.
Switch to Admin View from bottom-right of the screen .
Go to Admin and click on your domain name.

Click on Authentication in the left pane and select SAML from the Choose an authentication service drop down list.

Enter the following details:

IdP Entity ID	https://login.xecurify.com/moas
Log On URL	https://login.xecurify.com/moas/broker/login/saml/acs/<YOUR_CUSTOMER_KEY>
Certificate Fingerprint	Follow the steps below to copy the Thumbprint of certificate.
Login Attribute	NameID
Identifier Format	urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Authentication Context	urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Open the certificate that was downloaded earlier.
Go to Details.
In the Field column, select Thumbprint.
Copy the Thumbprint that opens in the pane by pressing CTRL+C (Right-Click wont work!).
Paste the Thumbprint in the Certificate Fingerprint.
Make sure that there are no spaces in between the Certificate Fingerprint. Remove them manually.
Click the Save to save the Single Sign On (SSO) SAML settings.
Use https://your_domain.acme.instructure.com/login/saml to test the configuration.

Access Restriction to Google apps using miniOrange cloud based solution

Challenge

A new work law in some countries impose restrictions on the working hours of an employee. If a worker receives such an e-mail and has to act on it, he or she qualifies for overtime pay. In such scenario, companies can restrict access by turning off email servers physically and stop the flow of incoming messages, which is indeed not a good solution. Companies need to refrain group of employees from checking inbox after office hours.

Solution

miniOrange Google apps security along with fraud prevention dynamically analyses users request and applies time based restrictions policies to application (Google apps) access, which minimizes the risk of access after office hours. Also if user is already logged in into Google apps, miniOrange automatically logs out all the users after office hours which is configured by administrator.

Time based restriction:

Time based restrictions can be set up by configuring a policy so that employees won’t access any email after office hours. A time slot can be set up in time restriction field in which cloud application can be accessed. A report stating access deniel is received if employee tries to access the application outside the declared time slot. Time based restrictions can be set up by configuring Risk Based Access / Fraud prevention policy. Forced logout option has to be set up necessarily in order to set time restriction.

"Time Restrictions highly matter when business remuneration outflow is governed by employee working hours"

The restrictions which can be set by setting up policy during configuration of Google apps single sign-on are discussed below.

IP based restriction:

Google apps is set up for Single Sign On and access of Google apps outside office premise can be restricted by using IP based restriction. IP restriction restricts access within a network which minimizes the risk of unauthorized access. Access can be kept open for some users from outside network by creating different group for them.

Device based restriction:

Device restriction policy sets limit on number of devices from which user can access the account. This ensures that user can login only from his or her device and no one else can login to users account even if he or she knows the credentials.

Location based restriction:

With location based restriction user can setup policy to configure list of allowed locations and blocked locations. This will be needed in a case where you want to restrict your application access to specific locations and removing risk of attacks by blocking all other locations.

For further details refer :
https://developers.google.com/google-apps/sso/saml_reference_implementation
https://support.google.com/a/answer/60224?hl=en

Google Apps Security

Contents

Google apps Single Sign On using existing IdP

Setting up Google Apps as Service Provider

Restrict IPs for Single Sign On to Google Apps

Time Based restriction for users

Single Sign On with Google Apps