GoogleApps for Education Integration with Active Directory for SSO #moodle

 
Updated 3/1/2012


A question:
Has anyone integrated Google Gmail with Active Directory for a Single Sign On or password transparency? We are in the migration stage of provisioning accounts to Google, but I am wanting to know what others are doing to make the sign on process easier for staff.
A few responses that are worth checking out, including ones from folks I've anonymized but who may want to speak up in the comments since I know they read this blog:


From Google's Becky Evans:
Passwords are stored in Active Directory in a proprietary way and our GADS tool isn't able to read them. There are a couple ways to work around this.
1) Save passwords as plaintext, hash them in sha-1 or hash in md5 in another field in your AD. Sync this password field with Google Apps.
2) Sync passwords using a 3rd party tool. I've worked with a few districts that have used these partners to sync passwords.
Auth MagicSSO Easy
Others:
Google Apps will not sync passwords with AD. You need to use SSO or some other type of third party.


and

For our students we ended up linking their AD credentials to Google Apps through Moodle (there are a few others on this list who have experience with this as well).  Our Moodle is linked to AD, and then you can use SSO between Google Apps and Moodle.  The issue (based on my limited knowledge of the situation) is with the password encryption in AD.  There are issues (or it just isn't possible) to extract the password from AD with the account.  The downside (or upside depending on how you look at it) is you have to log in to Moodle first.  Once inside Moodle there is a block (in the sidebar) with links to your Google Apps tools.  You click on those links and it takes you right into the tool without having to log in.
We are actually looking at trying to have all our passwords created in our SIS, and then sync'd to AD from there (via SIF).  That way we can export account/password information directly from the SIS and sync it to third party systems.  We would also (in theory) be able to provide access for both teachers to look up their students' passwords, and parents to look up their child's username/password information (thinking about parents wanting to monitor Gmail).  The password could be reset in the SIS, and then the change would flow out to AD, and our other third party systems.  We are expecting this to help circumvent some of the AD extraction issues.

and
Google is changing some things about Apps for Ed accounts that will allow logging into integrated SSO accounts without having to use the links inside Moodle. The change is optional at the moment and will be rolled out to everyone else in a short time. It will still send you to a Moodle login page and then back to Google automatically.
In the meantime you can copy the URL from the Google Block in Moodle and create a shortcut or bookmark anywhere and the Google administrator has access to other tools for Apps Application shortcuts on the desktop. In Google Chrome (best browser for Apps), once you are in your Google Apps folder, any user can use the Tools menu to Create application shortcuts… - a great feature for any frequently used site that you don’t need tabs or other browser tool icons for.
Until Google forces the change, a work-around for many Google links outside your domain is to insert “/a/yourdomain.edu/” into the URL immediately after the “[docs.]google.com”.
A follow-up question about the security of porting Active Directory passwords to external vendor systems garnered this response from Rusty Meyners:

For what it's worth, the Moodle-Google SSO system does not share a password with Google but rather, Moodle login gives Google the green-light for the authenticated account and Google trusts Moodle to do so, without asking for password. In this situation, once you are logged into Moodle, you are also logged into Google, whether you choose to go there or not.
Using the Moodle Login-As feature, a Moodle administrator can then access the Google account of someone in their domain, whether or not they are also a Google administrator for their domain - meaning if you give a teacher or parent Moodle "Login-As" privileges, you are also giving them access to the entire Google account. Be aware that much of this appears to be accomplished with cookies, so if you get "stuck" in the wrong account, close and reopen the browser & if necessary empty the cache.
Here is a link to some important info about changes to Google Apps for Education accounts. These changes will add features and better distinguish between personal "consumer" and Ed domain accounts.

http://www.google.com/support/accounts/bin/answer.py?answer=181963

The exchange took place on a Texas-wide email list for technology directors.
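
One way to audit the Login-As exposure described in the last response, as an added example that is not part of the original exchange or of Moodle's code: it flags SSO assertions issued to Google while a session is inside a Login-As window. The CSV columns, event names and accounts are assumptions (constructed sample data), not Moodle's actual log schema.

```python
import csv
import io

# Constructed sample data. Column and event names are assumptions for this
# example, not Moodle's real log schema.
SAMPLE_EVENTS = """\
time,session,event,actor,subject
2012-03-01T08:00:05,s1,login,jsmith,jsmith
2012-03-01T08:01:10,s1,sso_assertion,jsmith,jsmith
2012-03-01T09:15:00,s2,login,teacher1,teacher1
2012-03-01T09:16:30,s2,loginas_start,teacher1,student42
2012-03-01T09:17:02,s2,sso_assertion,student42,student42
2012-03-01T09:20:00,s2,loginas_end,teacher1,student42
2012-03-01T09:21:00,s2,sso_assertion,teacher1,teacher1
"""


def find_impersonated_sso(events_csv):
    """Return SSO assertions issued inside a Login-As window.

    The assertion row names only the impersonated account, so the real
    user is recovered from the session's earlier loginas_start event.
    """
    active = {}    # session id -> (real user, impersonated user)
    findings = []
    rows = sorted(csv.DictReader(io.StringIO(events_csv)),
                  key=lambda r: r["time"])  # ISO timestamps sort as text
    for row in rows:
        sid, event = row["session"], row["event"]
        if event == "loginas_start":
            active[sid] = (row["actor"], row["subject"])
        elif event in ("loginas_end", "logout"):
            active.pop(sid, None)
        elif event == "sso_assertion" and sid in active:
            real_user, impersonated = active[sid]
            if row["subject"] == impersonated:
                findings.append({"time": row["time"], "session": sid,
                                 "real_user": real_user,
                                 "google_account": impersonated})
    return findings


if __name__ == "__main__":
    for hit in find_impersonated_sso(SAMPLE_EVENTS):
        print("{time} {real_user} reached the Google account of "
              "{google_account} (session {session})".format(**hit))
```

Each finding is a Google sign-in that looked normal to Google but was made by someone other than the account owner, which is the reason to keep the list of roles holding Login-As capability short and reviewed.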








Everything posted on Miguel Guhlin's blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure

Comments

Rusty Meyners said…
I'm the person Miguel quoted 3rd in this post and I received an offlist request for links from one of the others. This is what I shared:

First link is a Moodle course I slapped together for a Moodle Mini-Moot at TCEA2010. A little dated but still relevant.
http://moodle.eustaceisd.net/course/view.php?id=204

Second is a link found on page above to a wiki covering Moodle-Google SSO integration specifically.
http://moodle.eustaceisd.net/mod/wiki/view.php?id=1101

Third & maybe most important are instructions I assembled for setting up Moodle-Google SSO. Though dated, recent feedback validates their continuing relevance.
http://moodle.eustaceisd.net/mod/wiki/view.php?id=1101&page=Setup+Single+Sign-on+Integration+of+Google+Apps+for+Education+and+Moodle

The links above are to guides I've written but following is a Google link to info about impending changes in the Apps for Ed accounts. Mainly it's a matter of adding more of the consumer account features to the Apps for Ed Edition as well as transitioning personal accounts that use an email from an Apps for Education domain - they'll need to associate it with a different email address, whether Gmail or 3rd party. This change includes a new feature that diverts a login attempt to an SSO domain's Moodle login page if pertinent.
http://www.google.com/support/accounts/bin/answer.py?answer=181963
