SAMLServerStepByStep
Yubico SAML Server Howto
This document explains how to set up your Google Apps Premier Edition to use the Yubico SAML Server for authenticating your users with YubiKeys.
Before reading on, you will need the following.
- A Google Apps Premier Edition domain with (at least) one user account. We will use the domain yubikey.com and the user account simon in our example below. You will need the Premier Edition to be able to configure SAML. Check the control panel under "Advanced Tools" that you have the "Set up single sign-on (SSO)" link. For testing, you can sign up for a free 30-day trial, see the Google Apps Homepage.
- At least one YubiKey. It is recommended to reserve one YubiKey for administration of the Yubico SAML Service. Below we will use ghugtcnjbhkh as the admin key and ktvubcerndgh as an example user account.
WARNING
The Yubico SAML server is in beta and by nature experimental! Be prepared for service outages, and be sure your Google Apps Administrator is around to disable the SSO feature if there is anything wrong with our server. You have been warned!
Step 1: Configure Google Apps
Log in to your Google Apps account. Find the "Set up single sign-on (SSO)" link from the "Advanced tools" section. See this screenshot:
You need to specify the links as follows:
Sign-in page URL: http://saml.yubico.com/simplesaml/saml2/idp/SSOService.php
Sign-out page URL: http://saml.yubico.com/simplesaml/saml2/idp/initSLO.php?RelayState=/simplesaml/logout.php
Change password URL: http://saml.yubico.com/simplesaml/
Verification certificate: Download the Yubico SAML Server Certificate and upload it.
Use a domain specific issuer: Make sure the box is enabled.
You may use https links instead. However, we are currently using a CAcert certificate for the host, so it may not be trusted by your users' browsers.
When you are finished, it should look like:
Make sure 'Use a domain specific issuer' is enabled if you experience problems!
Step 2: Configure the Yubico SAML Server
You will need to create an account on our SAML Server. The account will let you add the Google Apps domain, yubikey.com in this example, and to specify the mapping between users and yubikeys for your domain. The Yubico SAML Server is available from:
The first step is to enroll a user. Click on the 'please enroll here' link. Choose a username, and enter a (good!) password twice. You will then need to supply a YubiKey OTP by touching the YubiKey. For this example, we use the username yubikey.com-admin. The screen will look like this:
Click 'Enroll' and if everything works fine you will see this screen:
Now go back to the main page and log in; for our example we log in with the username yubikey.com-admin, the password supplied at enrollment, and a new OTP generated by touching the YubiKey. When you are logged in you will see the main administration screen. Here we want to create a new domain for yubikey.com on the SAML server, so type it in under 'Add SAML Protocol Endpoints'. The screen will look like:
After clicking on 'Add' the screen will now look like:
The domain was added successfully. The next step is to add mappings between YubiKeys and Google Apps accounts. Select the 'Manage' link for your domain; here you can manage the users for your domain. Since you just created the domain, no users will be shown on this screen. The first step is to link our Google Apps account simon to the YubiKey ktvubcerndgh. The YubiKey prefix field strips the rest of the OTP and keeps only the prefix, so an easy way to fill it in is to plug in the user's YubiKey and touch the button to generate an OTP. The screen will look like:
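How the 'YubiKey prefix' relates to what the key types, as an added Python example that is not part of this wiki page or of Yubico's SAML server code: a YubiKey OTP is 44 modhex characters, of which the first 12 are the key's public identity and form the prefix stored against a Google Apps user. The user table, the constructed OTP tails and the resolve_user function are assumptions made for this illustration; the two prefixes are the ones used on this page. Checking that the OTP itself is genuine and unused (the validation the SAML server performs against Yubico's validation service) is deliberately outside this snippet, so the lookup below may only be trusted after that check has passed.

```python
"""Added example (not from the Yubico wiki page or the Yubico SAML server):
extract the 12-character YubiKey prefix from an OTP and map it to a
Google Apps account, as the 'Manage' screen does for a domain.
NOTE: this does NOT validate the OTP; that must be done against the
Yubico validation service before the mapping result is trusted."""

MODHEX_ALPHABET = "cbdefghijklnrtuv"   # the 16 characters a YubiKey can type
PUBLIC_ID_LEN = 12                     # 6-byte public identity = 12 modhex chars
OTP_LEN = 44                           # 12-char prefix + 32-char encrypted token


def normalize_otp(raw):
    """The key types a trailing Enter and some layouts upper-case; normalize both."""
    return raw.strip().lower()


def is_modhex(s):
    return len(s) > 0 and all(ch in MODHEX_ALPHABET for ch in s)


def yubikey_prefix(raw_otp):
    """Return the 12-char public identity, or None if the input is not OTP-shaped.
    This is what the 'YubiKey prefix' field keeps when an OTP is typed into it."""
    otp = normalize_otp(raw_otp)
    if len(otp) != OTP_LEN or not is_modhex(otp):
        return None
    return otp[:PUBLIC_ID_LEN]


# Constructed user table in the spirit of the 'Manage' screen:
# prefix -> (domain, Google Apps user, active flag)
USER_MAP = {
    "ktvubcerndgh": ("yubikey.com", "simon", True),
}
ADMIN_PREFIX = "ghugtcnjbhkh"   # reserved admin key; intentionally not a user

# Constructed 32-character tail standing in for the encrypted part of an OTP.
# A real OTP tail changes on every touch; this one is made up and never valid.
FAKE_TAIL = "cbdefghijklnrtuvcbdefghijklnrtuv"
SAMPLE_USER_OTP = "ktvubcerndgh" + FAKE_TAIL
SAMPLE_ADMIN_OTP = "ghugtcnjbhkh" + FAKE_TAIL


def resolve_user(raw_otp, mapping, domain):
    """Return 'user@domain' for an (already validated) OTP, or None when the
    prefix is unknown, belongs to another domain, or the user is deactivated."""
    prefix = yubikey_prefix(raw_otp)
    if prefix is None:
        return None
    entry = mapping.get(prefix)
    if entry is None:
        return None
    dom, user, active = entry
    if dom != domain or not active:
        return None
    return f"{user}@{dom}"


if __name__ == "__main__":
    print("prefix of sample OTP:", yubikey_prefix(SAMPLE_USER_OTP))
    print("user:", resolve_user(SAMPLE_USER_OTP, USER_MAP, "yubikey.com"))
    print("admin key as user:", resolve_user(SAMPLE_ADMIN_OTP, USER_MAP, "yubikey.com"))
```

The deactivate path in resolve_user mirrors the activate/de-activate control on the same screen: flipping the flag to False makes the key stop resolving to an account without deleting the mapping.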
After adding the user, the SAML Server setup is finished. You may activate and de-activate users from this screen. The finishing screen will look like:
Step 3: Testing
To test the configuration, go to the Google Apps Home Page and click on the 'Returning user, sign in here' link. At the prompt, type yubikey.com and select, for example, Go to Calendar. The screen will look like:
Click on Go to proceed. The next page will be from the Yubico SAML server, and will request that you touch the YubiKey to generate an OTP. Note that you should use the user YubiKey rather than the admin YubiKey at this point, i.e., the ktvubcerndgh key. The screen will look like:
If everything is successful, you should now be logged in at the Google Apps Calendar with the user simon@yubikey.com. The screen will look like:
Congratulations!
Step 4: Feedback?
You may discuss the experience on the Yubico Forum. Feel free to improve this wiki page too. Contact Simon Josefsson if you need human assistance on using the server.