Simple SAML SSO server for Google Cloud and Apps
This is a simple test SAML SSO server for Google Apps and Cloud.
This script acts as your company's SSO system's login server. Once configured, if you attempt to access any Google property (Cloud, Apps), you need to log in via this script first (i.e. the script is acting as an Identity Provider (IdP) while Google is the Service Provider (SP)). The script will issue a SAML assertion that Google 'understands' and will proceed to log you into Cloud or your Apps account.
Note: while this SSO server will log you into Cloud and Google Apps, right now only Google Apps resources do an automatic redirect to this script. In other words, once this is configured, if you first go to https://mail.google.com/a/<yourdomain.com> you will get redirected to this script and log in there, since it is your IdP. However, if you go to https://cloud.google.com/ no such automatic redirect takes place (though you will see the general Google login page, and if you enter you@yourdomain.com there, you will get redirected to the IdP).
This demonstrates SAML SSO with Google properties and is intended for testing/POC only.
The script basically runs a SAML IDP within a docker container and this post itself is just a copy of my github page on the same topic:
[https://github.com/salrashid123/googlapps-sso](https://github.com/salrashid123/googlapps-sso)
To use:
Since we're demonstrating SSO between a Google Apps domain and Cloud, you'll need a test Google Apps domain (in this document, it's yourdomain.com).
1. Configure Google Apps SAML/SSO
- Login to your Google Apps admin console (admin.google.com/a/yourdomain.com)
- Navigate to the Apps SSO config
- Set the following config, depending on where you're running the IdP:
  Login: https://sso.yourdomain.com:28080/login
  Logout: https://sso.yourdomain.com:28080/logout
  Change Password: https://sso.yourdomain.com:28080/passwd
- Upload the public cert (ssl.crt)

NOTE: You do not, of course, have to use the certificates provided here. You can simply issue your own self-signed certificates as shown below.
Create a public/private keypair or use the ones provided in the repo (remember to set the CN= to your domain; the CN provided in this repo is for sso.yourdomain.com).
If you want to generate your own keypair (the -subj flag sets the CN non-interactively so it matches the hostname configured above):
openssl req -x509 -newkey rsa:2048 -keyout ssl.key -out ssl.crt \
-days 365 -nodes -subj "/CN=sso.yourdomain.com"
2. Edit your local /etc/hosts file to point sso.yourdomain.com to the system running the container or SSO server:
/etc/hosts:
127.0.0.1 localhost sso.yourdomain.com
3. There are several ways to run the image (in order of ease of use):
- Run the pregenerated image directly from DockerHub
- Build and run the Docker image locally
- Install the Python libraries and run the script without Docker entirely
Pull from DockerHub
docker pull salrashid123/appssso
- To use the certificates from this github repo, download ssl.key and ssl.crt into /tmp/certs (for example)
- If you generated your own certs and uploaded those to the Google Apps SSO configuration page, copy those certificates to /tmp/certs
- Run the image salrashid123/appssso from the Docker registry, but specify which folder to mount as a volume (so that your local certificates are visible to the container, read-only)
docker run -t -p 28080:28080 -v /tmp/certs/:/certs/:ro salrashid123/appssso \
--debug \
--use_ssl \
--cert_file=/certs/ssl.crt \
--key_file=/certs/ssl.key \
--key_blank_pwd
or Build docker locally
- Install docker
- Make a folder called sso and copy apps.py and the Dockerfile only.
- As before, either generate new certificates or use the ones from this repo, but place them into a folder you can map to the container (e.g. copy ssl.key and ssl.crt to /tmp/certs). You can, of course, copy the certificates into the image at build time. If you do that, copy the certs into the 'sso' folder from step 2 and omit the volume map and the /certs/ directory while running the container.
- Build the docker image (run from inside the sso folder, which is the build context)
docker build -t appssso .
- Run the container (assuming your local certs exist at /tmp/certs)
docker run -t -p 28080:28080 -v /tmp/certs/:/certs/:ro appssso \
--debug \
--use_ssl \
--cert_file=/certs/ssl.crt \
--key_file=/certs/ssl.key \
--key_blank_pwd
- At this point, the IdP is running locally at sso.yourdomain.com:28080
- If you attempt a new login to https://mail.google.com/a/yourdomain.com, you will get redirected to a login screen on your IdP.

The IdP will authenticate ANY user in your Apps domain with any password, so if you have a user called user1@yourdomain.com, enter 'user1', any password, and yourdomain.com in the IdP login screen.
- If successful, you will get redirected to the SAML POST binding screen, where you can see the actual signed XML that will be POSTed.

Click continue and, if the signatures and validUntil= parameters are ok, you will be logged in as user1.
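To make concrete what the Service Provider side checks before accepting the POSTed assertion (the "signatures and validUntil" step above), here is an added example that is not part of the googlapps-sso project or its apps.py. It parses a constructed SAML Response shaped like the one this IdP would issue for user1@yourdomain.com, and enforces the validity window (NotBefore / NotOnOrAfter with a small clock-skew allowance), the expected Issuer and Audience, and that the XML signature's Reference actually points at the assertion's own ID. The issuer URL, audience value and timestamps are assumptions for the example; cryptographic verification of the signature value itself needs an XML-DSig library (xmlsec, as the page mentions for the IdP side) and is not performed here.

```python
# Added example (not part of the googlapps-sso project): SP-side checks on a
# SAML Response.  The assertion below is constructed for this example.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed values for the example: the IdP login URL from this page as Issuer,
# and "google.com" as the Audience the SP expects.
EXPECTED_ISSUER = "https://sso.yourdomain.com:28080/login"
EXPECTED_AUDIENCE = "google.com"

# Constructed sample response (signature value is a placeholder).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://sso.yourdomain.com:28080/login</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://sso.yourdomain.com:28080/login</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_assert1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>user1@yourdomain.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>google.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_ts(value):
    # SAML timestamps are UTC ISO-8601 with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, expected_issuer=EXPECTED_ISSUER,
                       expected_audience=EXPECTED_AUDIENCE, skew=timedelta(seconds=30)):
    """Return (ok, reason, name_id); ok is False if any SP-side check fails."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion", None
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return False, "unexpected Issuer %r" % issuer, None
    # The signature's Reference must cover this very assertion (URI="#<ID>"),
    # so a signature over some other element cannot vouch for this one.
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        return False, "signature does not reference this assertion", None
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions", None
    not_before = cond.get("NotBefore")            # optional in SAML 2.0
    not_on_or_after = cond.get("NotOnOrAfter")    # required here: bounded lifetime
    if not_on_or_after is None:
        return False, "missing NotOnOrAfter", None
    if not_before is not None and now + skew < _parse_ts(not_before):
        return False, "assertion not yet valid", None
    if now - skew >= _parse_ts(not_on_or_after):
        return False, "assertion expired (NotOnOrAfter)", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch %r" % audiences, None
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "no NameID", None
    return True, "ok", name_id


def validate_at(xml_text, now_iso, expected_audience=EXPECTED_AUDIENCE):
    """Convenience wrapper: evaluate the assertion at a given UTC time string."""
    return validate_assertion(xml_text, _parse_ts(now_iso), expected_audience=expected_audience)


if __name__ == "__main__":
    for when in ("2024-01-01T12:02:00Z", "2024-01-01T12:10:00Z"):
        print(when, validate_at(SAMPLE_RESPONSE, when))
```

Running the block evaluates the same assertion inside and outside its five-minute window; the second case is rejected with "assertion expired (NotOnOrAfter)", which is the failure you would see if the IdP's clock or the validUntil value drifted from the SP's clock.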
or Run the IdP outside of a container
This is rather difficult to set up, as you'll need to configure your workstation for pyxmlsec and all its dependencies.
- Download apps.py and install the prerequisites via apt as shown in the script instructions
- Download and compile pyxmlsec (forget trying to install it on Windows)
- Run
python apps.py --debug --use_ssl --cert_file=ssl.crt \
--key_file=ssl.key --key_blank_pwd