Google Apps SSO
My client is using Google Apps. They want to prevent their internal users from logging in from outside the office network. They have 250 total employees and email users; 89 of them are internal users. Can you help me with this? Thanks in advance!
Info
Can you please confirm whether your internal users use laptops or desktops?
We can restrict your client's Google Apps users in the following manner:
1. We can create two groups in our SSO service, one each for external and internal users.
2. For internal users, we can check if they are coming in from the company's internal network or not. If not, deny access.
3. For external users, we can allow all access.
Thank you for responding to my message. Some of the internal users are using desktops and some laptops. Yes, those points will be sufficient.
I need to clarify something,
If your internal users are using a laptop, they can log in inside your client's office and then carry the laptop home, and still be able to access email since they did not log out yet and the session is valid.
You need to be aware of this. What are your thoughts?
Can your software limit user login to a certain MAC address? I can tell the client about the circumstances and coordinate with them so internal users can only use desktops instead of laptops. If not, then this can be a security leak where internal users bring their own laptops from home, log in at the office, and go home and access their email from home without logging out.
We can restrict the number of devices that an internal user can use to one. He won't be able to log in with a second device at all, so he can't get a home laptop and log in even if he is inside the network.
If he really needs help, the admin can help delete the old device profile and then he can register a new device. That way the user will need to make a request to your client's admin.
I think this one can work. Is it possible to provide us a trial for this?
Thanks in advance!
I can set up a trial for you. Do you have access to a Google administrator account with which we can set it up?
Thanks for your information. We have the admin user for Google Apps and our client allows us to work with your team to set up SSO.
How long can we use miniOrange as a trial version?
Please let me know the best time for you and your team to work with us to set up the SSO.
Kalpesh
You will get a trial for 7 days and for unlimited users. Let me know if you have any questions.
Based on our TeamViewer session last time, you told us you can bypass the login page from Google by using another link. Can you give me the configuration if the link they want is mail.abc.com?
Also, can you give me the CNAME configuration in their domain if using that link?
Besides that, I have some questions regarding our testing last time:
1. Are the miniOrange and Google passwords the same and in sync? For example, if a user changes the password on the Google side or in miniOrange, will both passwords sync?
2. Can miniOrange be integrated with Active Directory?
3. What if a user wants to access mail in a mail client application (Outlook, Thunderbird, etc.) or on a mobile device (Android, iOS, Windows Mobile, etc.)?
4. What if the user wants to activate Google 2-step verification? Can the user still use miniOrange?
Thank you for your answer.
Kalpesh
To bypass the login page from Google, please follow the steps below.
1) Add the CNAME record for the mail alias below.
Name/Host/Alias TTL* Record Type Value/Answer/Destination 0000 CNAME abc.google.com.
2) Customize a Google Apps service address:
1. Sign in to your Google Admin console.
2. From the Admin console dashboard, go to Company profile and then Custom URLs. To see Company profile, you might have to click More controls at the bottom.
3. Select the domain you want to update from the drop-down list.
4. Click Change URL and fill in the form to create a custom address for the Gmail service by adding the prefix mail in front of the domain name.
5. Click Save changes.
For your other questions, please check my answers below.
1. Ans:- As we have set up SSO, the Google password will not be used. We already added the password change URL in the Google SSO settings, which will redirect the user to miniOrange if he clicks on change password.
2. Ans:- Yes. We support Active Directory integration with Google Apps SSO. I can guide you to set up AD as an authentication source for users.
3. Ans:- A desktop client like Outlook uses a different protocol (POP/IMAP), so you have to enable password sync between miniOrange and Google.
:- User experience for the Outlook client: for this, user verification will be done with Google credentials and the request is not really going to come to us. So any further security like 2-factor and device restrictions cannot be applied here.
:- For a mobile client, the user experience will be the same as what you see in your browser when you log in to Gmail.
4. Ans:- As SSO is enabled in Google, Google redirects all users to miniOrange for authentication. So if users want to use 2-step / 2-factor verification, they can configure it in miniOrange. We support SMS, Email, Push Notification, QR code, Google Authenticator and 15+ other two-factor authentication methods.
Thanks for the answer.
For the bypass login, I need to bypass to the miniOrange login page, not Google.
Is it correct if I redirect mail.abc.com to auth.miniorange.com?
I created a subdomain in abc.com – mail.abc.com
and I redirect that subdomain to – https://auth.miniorange.com/moas/abc.com/idp/login
But the problem is that after login the user must choose the app. Can I make Gmail the default app, so that after login a user will be redirected to Gmail?
Need your help with this ASAP.
I sent you steps in my last email to achieve this exact use case. If you configure Google Apps with the previous steps, it will take the user to miniOrange and will auto-redirect to Gmail after the user logs in to miniOrange.
Let me know if you run into any issues setting that up.
Thank you for your answer.
But if we use your earlier steps, it will connect to Google first and after that redirect to the miniOrange login page, right? We only want to log in one time, using the Google or miniOrange login page.