Google Apps Security
miniOrange provides a ready-to-use solution for Google Apps. With it, you can roll out secure access to Google Apps to your employees within minutes.

Note: The information contained on this page does not create a joint venture, partnership, agency or other form of association, or an express or implied license grant by either party to the other under any patent, trademark, copyright, trade secret or other intellectual property right.




miniOrange provides secure access to Google Apps for enterprises, full control over access to the Google Apps application, and Single Sign On (SSO) into your Google Apps account with one set of login credentials. miniOrange prevents fraud with its dynamic risk engine in conjunction with an enterprise-specific security policy. We support a combination of Device ID, Location and Time of access as multi-factor authentication that can detect and block fraud in real time, without any interaction with the user. You can restrict use of Google Apps to your intranet and block user access from outside the network.



Follow the Step-by-Step Guide given below to restrict Google Apps access.


Step 1: Configure Single Sign On (SSO) Settings for Google Apps

Step 2: Restrict access to Google Apps outside office premises (IP-based restriction)

Step 3: Setup Single Sign On for your domain in Google Apps

Step 4: Now sign in to your Google Apps account with miniOrange IdP in either of two ways:

    1. Using SP-initiated login:

        1. Go to http://mail.[domain_name], enter your Email Address and click on Login. You will be redirected to the miniOrange IdP Sign On page.
        2. Enter your miniOrange login credentials and click on Login. You will be automatically logged in to your Google Apps account.

    2. Using IdP-initiated login:

        1. Log in to your miniOrange Self Service Console as an End User and click on the Google Apps icon on your Dashboard.

OR


Follow the Step-by-Step Guide given below to configure Google Apps as IdP to Single Sign On to WordPress.

STEP 1: Configure WordPress site as SAML Service Provider in Google Apps

  • Go to https://admin.google.com and login to your Google Apps Administrator account.
  • On the Admin Home, select More Controls > Apps.


  • In the App Settings, select SAML apps.
  • Click on the "+" button at the bottom right corner to create a new SAML app.
  • Now select SETUP MY OWN CUSTOM APP from the popup.


  • On the next screen, note down the SSO URL, Entity ID URLs and download the certificate. These will be required while configuring the Plugin.
  • Once you have noted down the URLs and downloaded the certificate, click on Next.
  • Enter the Application Name and Description. Click on Next.
  • Configure the following things on the next screen:
    ACS URL: ACS (AssertionConsumerService) URL from Step 1 of the plugin under the How to Setup SP in Google Apps tab.
    Entity ID: SP-EntityID / Issuer from Step 1 of the plugin under the How to Setup SP in Google Apps tab.
    Signed Response: Checked
    Name ID: Select Basic Information from the first dropdown, then Primary Email from the second dropdown.


  • Click on Next. Then click on Finish.
  • Now go to SAML Apps again. Click on the menu link corresponding to your app. Then select ON for everyone.



  • From the popup, click on TURN ON FOR EVERYONE.

STEP 2: Configuring Google Apps as Identity Provider in the WordPress Login with Google Apps plugin

  • In the miniOrange Login with Google Apps plugin, go to the IDP Setup tab and enter the following details:
    Identity Provider Name: GoogleApps
    SAML Login URL: The SSO URL that you noted down while configuring the WordPress site in Google Apps.
    IdP Entity ID or Issuer: The Entity ID that you noted down while configuring the WordPress site in Google Apps.
    X.509 Certificate: Open the downloaded certificate in Notepad, then copy and paste the entire content of the file here.
    Response Signed: Checked
    Assertion Signed: Unchecked
  • Click Save to configure the plugin and test the configuration by clicking on Test Configuration.
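To show how the values entered in STEP 1 and STEP 2 map onto the fields of a SAML response, here is an added example (not code from miniOrange, Google or the plugin). The function name, the sample XML and every URL in it are constructed placeholders, and the check is structural only.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample response: URLs, user and the empty Signature are placeholders.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://wp.example.com/acs">
  <saml:Issuer>https://idp.example.com/entity</saml:Issuer>
  <ds:Signature/>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://wp.example.com/sp</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, acs_url, sp_entity_id, idp_entity_id):
    """List mismatches between a SAML response and the configured values.

    Structural check only: the signature is NOT verified cryptographically.
    """
    # ElementTree is fine for this constructed sample; parse untrusted XML
    # with a hardened parser instead.
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination != ACS URL")
    if root.findtext("saml:Issuer", "", NS).strip() != idp_entity_id:
        problems.append("Issuer != IdP Entity ID")
    # "Response Signed: Checked" means ds:Signature is a direct child of Response.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response element carries no signature")
    if root.findtext(".//saml:Audience", "", NS).strip() != sp_entity_id:
        problems.append("Audience != SP Entity ID")
    name_id = root.findtext(".//saml:NameID", "", NS).strip()
    if "@" not in name_id:
        problems.append("NameID is not an email address")
    return problems
```

An empty list means the response lines up with the configuration; each string names the setting to recheck when Test Configuration fails.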


Follow the Step-by-Step Guide given below to configure Google Apps as IdP to Single Sign On to Canvas using miniOrange broker service.


STEP 1: Identify your primary Identity source and configure it in miniOrange.

  • Configure Google Apps to register the miniOrange broker service.
  • Enter the following Service Provider details in the Google Apps configuration:
    ACS URL: https://auth.miniorange.com/moas/broker/login/saml/acs/<YOUR_CUSTOMER_KEY>
    SP Entity ID: https://auth.miniorange.com/moas/
  • Click here to log in to the miniOrange admin dashboard.
  • Go to Identity Sources from the side menu.
  • Click on the Configure Identity Source button in the top right corner of the screen.
  • Add your Identity Source here, entering all the required fields that you noted down while configuring Google Apps, and click on the SAVE button.



Step 2: Configure Single Sign On (SSO) Settings for Canvas LMS

  1. Login to miniOrange Admin Console.
  2. Go to Apps >> Manage Apps. Click the Configure Apps button.
  3. Click on SAML tab. Select Canvas and click Add App button.


  4. Make sure the SP Entity ID or Issuer is in the format: https://your_domain.acme.instructure.com/saml2.
  5. Make sure the ACS URL is in the format: https://your_domain.acme.instructure.com/saml
  6. In the Attributes section, enter the value NameID in the Attribute Name field, select E-Mail Address from the Attribute Value list.
  7. Click on Add Apps to configure Canvas.
  8. Click on Download Certificate link to download the certificate which will be required later.


Step 3: Configure Single Sign On (SSO) SAML Settings in Canvas LMS

  1. Login to your Canvas LMS domain as an Account Administrator.
  2. Switch to Admin View from the bottom-right of the screen.
  3. Go to Admin and click on your domain name.


  4. Click on Authentication in the left pane and select SAML from the Choose an authentication service drop down list.


  5. Enter the following details:
     IdP Entity ID: https://auth.miniorange.com/moas
     Log On URL: https://auth.miniorange.com/moas/broker/login/saml/acs/<YOUR_CUSTOMER_KEY>
     Certificate Fingerprint: Follow the steps below to copy the Thumbprint of the certificate.
     Login Attribute: NameID
     Identifier Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
     Authentication Context: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  6. Open the certificate that was downloaded earlier.
  7. Go to Details.
  8. In the Field column, select Thumbprint.
  9. Copy the Thumbprint that opens in the pane by pressing CTRL+C (right-click won't work!).
  10. Paste the Thumbprint in the Certificate Fingerprint field.
  11. Make sure that there are no spaces within the Certificate Fingerprint. Remove them manually.
  12. Click Save to save the Single Sign On (SSO) SAML settings.
  13. Use https://your_domain.acme.instructure.com/login/saml to test the configuration.
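The thumbprint copied in the steps above can be cross-checked by computing it from the certificate file. This is an added example, not part of the original guide or of any miniOrange or Canvas tooling. It assumes the certificate is PEM-encoded, and the sample bytes are a constructed placeholder rather than a real certificate. A thumbprint copied from the Windows certificate dialog can carry spaces and invisible characters such as U+200E, which `normalize_thumbprint` strips.

```python
import base64
import hashlib
import re

# Constructed placeholder bytes standing in for a DER-encoded certificate;
# in practice, read the certificate file downloaded from the admin console.
SAMPLE_DER = b"constructed sample bytes, not a real X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def sha1_fingerprint(pem_text):
    """SHA-1 over the DER bytes: the value Windows shows as Thumbprint."""
    match = _PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha1(der).hexdigest()


def normalize_thumbprint(pasted):
    """Drop spaces, colons and invisible characters from a pasted thumbprint."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", pasted).lower()
    if len(cleaned) != 40:
        raise ValueError("expected 40 hex digits, got %d" % len(cleaned))
    return cleaned


def thumbprint_matches(pem_text, pasted):
    """True when the pasted value is the certificate's SHA-1 fingerprint."""
    return normalize_thumbprint(pasted) == sha1_fingerprint(pem_text)
```

A mismatch means the value in the Certificate Fingerprint field belongs to a different certificate or was damaged while copying.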

Access Restriction to Google Apps using miniOrange cloud based solution

Challenge

New work laws in some countries impose restrictions on the working hours of an employee. If a worker receives a work e-mail outside those hours and has to act on it, he or she qualifies for overtime pay. In such a scenario, companies can restrict access by physically turning off email servers to stop the flow of incoming messages, which is not a good solution. Companies need to keep groups of employees from checking their inbox after office hours.

Solution

miniOrange Google Apps security, along with fraud prevention, dynamically analyses user requests and applies time-based restriction policies to application (Google Apps) access, which minimizes the risk of access after office hours. Also, if a user is already logged in to Google Apps, miniOrange automatically logs out all users after office hours, as configured by the administrator.

Time based restriction:

Time-based restrictions can be set up by configuring a policy so that employees cannot access email after office hours. The time slot in which the cloud application can be accessed is set in the time restriction field. If an employee tries to access the application outside the declared time slot, a report stating access denial is received. Time-based restrictions are set up by configuring a Risk Based Access / Fraud prevention policy. The forced logout option must be enabled in order to set a time restriction.

"Time Restrictions highly matter when business remuneration outflow is governed by employee working hours"

The restrictions which can be set by setting up policy during configuration of Google apps single sign-on are discussed below.

IP based restriction:

Google Apps is set up for Single Sign On, and access to Google Apps from outside the office premises can be restricted by using IP-based restriction. IP restriction limits access to within a network, which minimizes the risk of unauthorized access. Access can be kept open for some users from outside the network by creating a different group for them.

Device based restriction:

A device restriction policy sets a limit on the number of devices from which a user can access the account. This ensures that a user can log in only from his or her own device and that no one else can log in to the user's account even if he or she knows the credentials.

Location based restriction:

With location-based restriction, you can set up a policy with a list of allowed locations and blocked locations. This is needed when you want to restrict application access to specific locations and remove the risk of attacks by blocking all other locations.
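The time, IP and device restrictions described above can be read as one decision made per sign-in request. The following is an added illustration of that logic, not miniOrange's risk engine or API. All class, field and group names are hypothetical, the sample values are constructed, and location checks are left out.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    office_networks: list   # CIDR ranges that count as "inside the office"
    roaming_groups: set     # groups allowed to sign in from outside
    open_from: time         # start of the permitted time slot
    open_until: time        # end of the slot (same day, after open_from)
    max_devices: int        # devices a single user may register


@dataclass
class Request:
    groups: set
    source_ip: str
    device_id: str
    registered_devices: set
    when: datetime          # already converted to the office time zone
    has_session: bool = False


def evaluate(policy, req):
    """Return (decision, reason); decision is allow, deny or force_logout."""
    if not (policy.open_from <= req.when.time() < policy.open_until):
        # Outside the slot: end an existing session, refuse a new sign-in.
        return ("force_logout" if req.has_session else "deny", "time")
    addr = ip_address(req.source_ip)
    on_site = any(addr in ip_network(net) for net in policy.office_networks)
    if not on_site and not (req.groups & policy.roaming_groups):
        return ("deny", "ip")
    new_device = req.device_id not in req.registered_devices
    if new_device and len(req.registered_devices) >= policy.max_devices:
        return ("deny", "device")
    return ("allow", "ok")


# Constructed sample policy; the addresses come from documentation ranges.
SAMPLE_POLICY = Policy(
    office_networks=["203.0.113.0/24"],
    roaming_groups={"field-sales"},
    open_from=time(9, 0),
    open_until=time(18, 0),
    max_devices=2,
)
```

The time check runs first because an existing session outside the slot has to be ended regardless of network or device.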


For further details, refer to:
https://developers.google.com/google-apps/sso/saml_reference_implementation
https://support.google.com/a/answer/60224?hl=en



If you don't find what you are looking for, please contact us at info@miniorange.com or call us at +1 978 658 9387 to find an answer to your question about Google Apps Single Sign On (SSO).

