CENTRIFY DEPLOYMENT GUIDE
Centrify for Google G Suite Deployment Guide
Abstract
Centrify provides single sign-on, user provisioning and mobile device management services that you can trust
as a critical component of your corporate identity and access management infrastructure. Our thorough
approach to availability, reliability, scalability, security and privacy ensures that you can depend on Centrify as a
trusted partner and provider.
CENTRIFY FOR G SUITE DEPLOYMENT GUIDE
Information in this document, including URL and other Internet Web site references, is subject to change without
notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses,
logos, people, places and events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Centrify Corporation.
Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the
furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
© 2017 Centrify Corporation. All rights reserved.
Centrify, DirectControl and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, DirectSecure
and DirectManage are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft,
Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
© 2017 CENTRIFY CORPORATION. ALL RIGHTS RESERVED
Contents
Overview
Architecture & Cost
  Prerequisites
  Architecture & Cost
Deployment
  Configuring Google G Suite
  Optional: Advanced Google G Suite configurations
    Mapping specific G Suite Applications to G Suite OUs
  Configuring Google G Suite in Centrify
    Configuring Roles for App mapping in Centrify
    Optional: Advanced Role mapping – multiple Centrify Roles for multiple Google OUs
    Configuring Google G Suite Application
    Configuring automated account provisioning into Google G Suite
    Configuring Centrify Role to G Suite OU provisioning
  Enabling Single Sign On in Google G Suite
  Securing the Google G Suite main Admin Account
    Enabling Multi Factor Authentication for the G Suite main Admin Account
    Establish workflow-based access for Super Admin account
Verification
  Requesting access to G Suite Super Admin shared account
  Approving application access request from Workflow
Performance
Security
Operations (logging and troubleshooting)
Additional Resources
Appendix
  How to determine your primary Google domain
  Contact Centrify
Overview
Google G Suite has become one of the most popular on-demand business software suites on the market, and your
organization has taken the plunge and migrated to it. You need to assign licenses to your end users automatically
and give them single sign-on. You are concerned about Chromebook device management and BYOD, and about how
to manage all of that for on-premises apps and cloud apps alike. Without SSO, user productivity suffers; without
multi-factor authentication, the risk of inappropriate access increases; and without automated account provisioning
and de-provisioning, IT has to manage every account by hand.
Centrify Identity Service provides a solution for Google G Suite that offers a complete, robust, and easy-to-use
Active Directory (AD) or LDAP integration with Google G Suite. This provides a seamless authentication experience
for Enterprise users of Google G Suite and an easy to use administrative interface for IT staff to automate the
process of on- and off-boarding employees for day one productivity.
With Centrify you can ensure that users have seamless access via single sign-on (SSO) and that their Google G
Suite accounts are created, updated, and deactivated via tight identity lifecycle controls along with the rest of the
systems in IT.
The Centrify integration with G Suite enables administrators to:
Enable SSO via Federation to all Google G Suite applications: Gmail, Docs, Sites, Calendar, Analytics, etc.
Provide secure SSO with Active Directory or LDAP integration
Automatically provision/de-provision users & apps via Active Directory group memberships
Demonstrate compliance through usage auditing
Increase application ROI with seat-utilization reporting
Secure Application Access via MFA from unauthorized systems or locations
Architecture & Cost
Prerequisites
You will need a Google G Suite account, and it needs to be a business account
You must have administrative privileges in your Google G Suite account
You need your own publicly resolvable domain registered and verified with Google G Suite
You will need a signing certificate: either download one from the Centrify Cloud Manager or have your
organization's trusted certificate authority issue one
Architecture & Cost
Centrify Identity Service is built on the Centrify Identity Platform to provide improved end-user productivity and
secure access to cloud, mobile and on-premises apps via single sign-on, user provisioning and multi-factor
authentication. Centrify supports internal users (employees, contractors) and external users (partners, customers).
The cost of the solution depends on the features and capabilities you need; for the most up-to-date pricing
information visit https://www.centrify.com/products/identity-service/compare-editions/. You can also get started
with a trial of the solution (https://www.centrify.com/free-trial/identity-service-form/).
You should also plan for additional cost for Google G Suite user accounts, Chromebooks and other software
licenses not covered by Centrify.
Deployment
Configuring Google G Suite
These instructions assume you already have a Google G Suite Account with a verified domain.
Tip Open the Google Admin Console https://admin.google.com and the Centrify Cloud Manager
https://cloud.centrify.com/manage in two different browser windows because you will be switching back and forth
between consoles to copy and paste values in between.
1. Log on to your Google G Suite account as admin
2. Click on Users
3. Make sure you have at least one OU within your Organization. If you don’t have an OU, add one by clicking on
the three dots next to your domain name and click on Add sub organization.
Tip It makes it easier if the Organization name you are adding here matches the Role Name(s) from the Centrify
Cloud Manager. That allows for consistent Role Mapping in Centrify Cloud Manager and you’ll end up with a 1:1
Centrify Role to Google G Suite OU mapping.
4. Enter a name for the new OU and click on Create Organization
5. Repeat steps 3 and 4 until all OUs needed have been added
Optional: Advanced Google G Suite configurations
Google G Suite allows you to configure Organizational Units that have different access rights to applications. For
example, one group of users has access only to Mail, Calendar and Contacts, while another group of users has
access to Mail, Calendar, Contacts and Google Drive.
Centrify role mapping and automated account provisioning let you map Centrify roles to Google G Suite OUs and
automatically provision users into those OUs, which assigns an application or a set of applications to each newly
provisioned user. Additionally, the Centrify integration with Active Directory lets you map AD groups to Centrify
roles. The benefit is that Active Directory groups are effectively mapped to applications in Google G Suite: any
user who is added to the group in Active Directory automatically has access to the applications assigned to the
corresponding OU.
Mapping specific G Suite Applications to G Suite OUs
1. Click on the three lines next to Users in the upper left corner and click on Apps
2. Within the Apps Settings dialog click on Apps
There are two ways you can configure / restrict access to a specific application.
a) You can turn access OFF at the Master setting and re-enable access at the OU level by overriding the
Master setting
b) You can leave the Master setting ON and turn access OFF at the OU level
In our example, we will turn access OFF at the Master setting and re-enable access at the OU level which is easier if
you have a lot of Organizational Units and only one or two are granted access to a specific application.
3. Click on the three dots next to the Application you want to restrict to specific OUs and select ON for
some organizations
4. At the Master setting turn access OFF by clicking the blue slider button
5. Select the OU for which you want to enable access to the application.
NOTE: Any OU not selected will NOT have access to the application
6. Click Override
7. Click Apply
8. Repeat steps 3 to 7 until all applications are configured as applicable to your Organization
9. The next step is to map Centrify Roles to Google OUs, which results in users who are members of a
Centrify role having access to the Apps assigned to the OU they are provisioned into
Configuring Google G Suite in Centrify
Tip Open the Google Admin Console https://admin.google.com, the Google Developers Console
https://console.developers.google.com and the Centrify Cloud Manager https://cloud.centrify.com/manage in three
different browser windows, because you will be switching back and forth between consoles to copy and paste
values.
Configuring Roles for App mapping in Centrify
The first step is to configure Roles in Centrify that will be used to grant access to and to provision users into Google
G Suite. Since Google G Suite allows you to restrict access to certain apps or administrative settings, it is suggested
that you plan at this point how to assign specific Google G Suite applications or administrative rights to roles.
1. Log into the Centrify Identity Service Cloud Manager at https://cloud.centrify.com/manage
2. Click on Roles
3. Click on Add Roles
4. Enter a Name and Description for your Role
5. Click on Members
6. Click on Add
7. In the Add Members dialog search for a User or a User Group
8. Select the User or User Group
9. Click Add
10. Repeat steps 6 to 9 until all users are added to the role as needed
11. Click Save
Optional: Advanced Role mapping – multiple Centrify Roles for multiple Google OUs
G Suite OUs can be assigned different rights and applications. To assign specific Google G Suite or administrative
rights to selected users or user groups you must create more than one Role in Centrify and map those Centrify
Roles to G Suite OUs.
12. Repeat steps 1 to 10 until you have added all the Roles, and the members of each role, needed to map to your
G Suite OUs
Configuring Google G Suite Application
1. Log into the Centrify Identity Service Cloud Manager at https://cloud.centrify.com/manage
2. Click on Apps
3. Click on Add Web Apps
4. In the Add Web Apps dialog search for G Suite
5. Click on Add for G Suite SAML + Provisioning
6. Confirm any popup dialogs
7. Click on Close
8. The Google G Suite configuration dialog will open automatically
9. Under Application Settings enter your Primary Google G Suite Domain
To find out your primary Google G Suite Domain name please refer to the Appendix in this document
10. Make note of the Sign-In and Sign-out page URL (Copy and paste into a text document. You will need these
URLs later in the Google G Suite Enabling SSO configuration)
11. Download the Signing Certificate to your PC. You will need this Certificate later in the Google G Suite Enabling
SSO configuration
12. Optionally you can use your own Certificate. Upload your own Certificate under Additional Options
13. Click on Save
14. Click on User Access and select a Role or Roles. Members of the Role selected here will have access to
Google G Suite if they have a valid account provisioned in Google G Suite.
15. Optionally you can configure Policies for your Application. It is beyond the scope of this document to detail how
to configure advanced Policies. Please refer to the online help for more details about Policy configuration.
16. Optionally you can configure Account Mapping.
NOTE: Account Mapping is not configurable once Provisioning is configured; enabling Provisioning overrides the
Account Mapping settings.
Click on Account Mapping to configure how the login information is mapped to the application's user
accounts. Here you configure which attribute of the user account in the Centrify user store is submitted as the
username to Google G Suite. The default value is “mail”, which means that the Centrify Identity Service uses the
email address configured in the user store and submits that as the username to Google G Suite. In most cases
the default value will be used, but the configuration options are as follows:
a. Use the following Directory Service field to supply the user name: Use this option if the user
accounts are based on the directory service user attributes. For example, you can specify an Active
Directory field such as mail or userPrincipalName.
b. Everybody shares a single user name: Use this option if you want to share access to an account but
not share the user name and password. For example, some people share an application developer
account.
c. Use Account Mapping Script: You can customize the user account mapping here by supplying a
custom JavaScript script.
For example, you could use the following line as a script:
LoginUser.Username = LoginUser.Get('mail')+'.ad';
The above script instructs the cloud service to set the login user name to the user’s mail attribute value
in Active Directory and add ‘.ad’ to the end. So, if the user’s mail attribute value is
[email protected] then the cloud service uses [email protected]. For more
information about writing a script to map user accounts, see the SAML application scripting guide.
17. Optionally on the Advanced page, you can edit the script that generates the SAML assertion if needed. In most
cases, you don’t need to edit this script. It is beyond the scope of this document to detail Advanced SAML
assertion scripting. For more information, see the SAML application scripting guide.
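Option c under step 16 delegates the mapping to a script but shows only a one-line suffix. The block below is an added example written for this guide, not Centrify's code and not part of the original document: it runs an account-mapping script offline in Node.js against constructed directory records. The LoginUser stand-in, the Get()/Username interface it imitates, the attribute names and the sample records are assumptions; in the Cloud Manager only the body of mapToGSuite would be pasted into the script field, with LoginUser supplied by the platform. It goes beyond the guide's example in that it falls back to userPrincipalName when mail is empty, normalizes case, forces the primary G Suite domain, and fails closed when no usable attribute exists.

```javascript
'use strict';

// Constructed directory records (assumption: AD-style attribute names).
const SAMPLE_RECORDS = [
  { mail: 'alice@corp.example.com', userPrincipalName: 'alice@corp.local' },
  { mail: '',                       userPrincipalName: 'bob@corp.local' },   // no mail set
  { mail: 'Carol@Corp.Example.COM', userPrincipalName: 'carol@corp.local' }, // mixed case
  { mail: '',                       userPrincipalName: '' },                 // nothing usable
];

// Stand-in for Centrify's LoginUser object (assumption about its shape):
// Get(attr) returns the attribute value, or '' when the attribute is absent.
function makeLoginUser(record) {
  return {
    Username: '',
    Get(attr) { return record[attr] === undefined ? '' : String(record[attr]); },
  };
}

// Body of an account-mapping script: prefer mail, fall back to userPrincipalName,
// keep only the local part and force the primary G Suite domain so that the
// username sent in the SAML assertion matches the provisioned Google account.
function mapToGSuite(LoginUser, primaryDomain) {
  var source = LoginUser.Get('mail') || LoginUser.Get('userPrincipalName');
  if (!source || source.indexOf('@') < 0) {
    // Fail closed: a user without a usable attribute must not be mapped to a guessed name.
    throw new Error('no usable mail or userPrincipalName attribute');
  }
  var local = source.split('@')[0].toLowerCase();
  LoginUser.Username = local + '@' + primaryDomain;
  return LoginUser.Username;
}

// The guide's own one-liner, for comparison: it appends '.ad' to the mail attribute as-is.
function mapWithAdSuffix(LoginUser) {
  LoginUser.Username = LoginUser.Get('mail') + '.ad';
  return LoginUser.Username;
}

// Run the mapping over every sample record, reporting failures instead of aborting.
function mapAll(primaryDomain) {
  return SAMPLE_RECORDS.map(function (record) {
    try {
      return mapToGSuite(makeLoginUser(record), primaryDomain);
    } catch (e) {
      return 'ERROR: ' + e.message;
    }
  });
}

console.log(mapAll('example.com'));
```

Run it with node; the last line prints the mapped names. Forcing the primary domain matters because Google expects the SAML NameID to be the user's G Suite email address, so a mail attribute carrying a legacy or internal domain would otherwise produce a login that fails with no obvious cause.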
Configuring automated account provisioning into Google G Suite
Please make sure you have completed all steps in Configuring Google G Suite to prepare your Google G Suite
account before proceeding.
When you change any role mappings, the Centrify Directory Service synchronizes any user account or role mapping
changes immediately.
NOTE: If you use the option to provision AD groups to G Suite, the Centrify Identity Service ignores the Destination
Group setting in Role Mappings. Provisioning users into existing groups based on roles is mutually exclusive from
provisioning AD groups. Refer to Provisioning Active Directory Groups for G Suite for more information.
NOTE: How the Centrify Directory Service determines duplicate user accounts:
If the user accounts in the Centrify Directory Service and the target application match for the fields that make a G
Suite user unique, then the Centrify Directory Service handles the user account updates according to your
instructions. In many applications, the user’s email address or Active Directory userPrincipalName is the primary
field used to identify a user—and in many cases, the userPrincipalName is the email address. You can look at the
application’s provisioning script to see the fields that the Centrify Directory Service uses to match user accounts.
Specify how the directory service handles situations when it determines that the user already has an account in the
target application.
Sync (overwrite): Updates account information in the target application (this includes removing data if the
target account has a value for a user attribute that is not available from the Centrify Identity Service).
Do not sync (no overwrite): Keeps the target user account as it is; Centrify Identity Service skips and
does not update duplicate user accounts in the target application.
Do not de-provision (deactivate or delete): The user's account in the target application is not deprovisioned when a role membership change that would trigger a de-provisioning event occurs.
Select Deprovision users in this application when they are disabled in source directory to enable the
feature.
If checked, a user will be deprovisioned when they are marked as disabled in the source directory.
Deprovisioning behavior and available deprovisioning options depend on what the target application
supports.
In the Sync AD Groups to Google Domains list, select as many Google Domains as you would like to sync to.
NOTE: Provisioned users will be entered into all selected groups, and those groups will all be provisioned for the
corresponding domains.
See Deprovisioning users for G Suite for information on user deprovisioning options (Delete user and Disable
user). When a user is disabled in a source directory, such as Active Directory, a deprovisioning job is created to
deprovision the user in the application.
To map user accounts in Admin Portal to G Suite user accounts, select a Centrify Portal Role and a
Google Destination Organizational Unit and a Google Destination Domain/Group:
A destination organizational unit (OU) is used to grant access to various resources within G Suite, such as access to
Drive, Gmail, Calendar, and G Suite Marketplace. A user can only be assigned to one OU at one time.
Tip Provisioning assigns users access and assignments based on the top-most role mapping. The order in which
the roles display in the Role Mappings section matters. The role at the top of the list has priority when provisioning
users. For instance, if a user is in multiple roles that you’ve mapped for provisioning, the Centrify Directory Service
provisions the user based on the role nearer the top of the list.
For best results, assign roles where users are only in one role. If users are in multiple roles, rearrange the order of
role mappings as desired moving the role with the highest rights to the top of the list.
For more details, see Setting up provisioning.
Note The provisioning script is intended for advanced users who are familiar with editing server-side JavaScript
code. The G Suite provisioning script supports the system attributes that are listed in the Destination folder in
the Script Help section of the Provisioning Script Editor.
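The rules above (the top-most role mapping wins, duplicates are detected by email, Sync versus Do not sync, deprovision when disabled in the source directory) are easier to reason about as code. The following is an added example written for this guide, not Centrify's provisioning script and not part of the original document; it models one provisioning pass in plain Node.js over constructed users, role mappings and existing G Suite accounts. The field names, the OU paths and the choice to suspend rather than delete are assumptions; the real product's behaviour is whatever the provisioning script and the options you select in the Cloud Manager implement.

```javascript
'use strict';

// Constructed role mappings in list order: the first mapping whose role the user
// holds wins, which is the "top-most role" rule described in the guide.
const ROLE_MAPPINGS = [
  { role: 'GSuite-Admins',    ou: '/Admins' },
  { role: 'GSuite-FullUsers', ou: '/Staff' },
  { role: 'GSuite-MailOnly',  ou: '/MailOnly' },
];

// Constructed source-directory users; in practice roles come from AD group membership.
// alice is in two mapped roles, carol is disabled, dave holds no mapped role at all.
const SOURCE_USERS = [
  { mail: 'alice@example.com', roles: ['GSuite-MailOnly', 'GSuite-Admins'], disabled: false, title: '' },
  { mail: 'bob@example.com',   roles: ['GSuite-FullUsers'],                  disabled: false, title: 'Engineer' },
  { mail: 'carol@example.com', roles: ['GSuite-MailOnly'],                   disabled: true,  title: 'Intern' },
  { mail: 'dave@example.com',  roles: ['Contractors'],                       disabled: false, title: 'Vendor' },
];

// Constructed existing G Suite accounts, keyed by primary email, the field used
// to decide that a source user already has an account in the target.
const TARGET_ACCOUNTS = {
  'alice@example.com': { ou: '/Staff',    suspended: false, title: 'Security Lead' },
  'carol@example.com': { ou: '/MailOnly', suspended: false, title: 'Intern' },
};

// First matching mapping in list order, or null when none of the user's roles is mapped.
function resolveMapping(user, mappings) {
  for (const m of mappings) {
    if (user.roles.includes(m.role)) return m;
  }
  return null;
}

// One provisioning pass. options:
//   syncExisting        - true: Sync (overwrite); false: Do not sync (no overwrite)
//   deprovisionDisabled - suspend accounts whose source user is disabled
// Returns the resulting target state plus the list of actions taken.
function reconcile(options, mappings = ROLE_MAPPINGS) {
  const target = JSON.parse(JSON.stringify(TARGET_ACCOUNTS)); // never mutate the fixture
  const actions = [];
  for (const user of SOURCE_USERS) {
    const existing = target[user.mail];
    if (user.disabled) {
      if (existing && options.deprovisionDisabled && !existing.suspended) {
        existing.suspended = true;
        actions.push(`suspend ${user.mail}`);
      } else {
        actions.push(`skip ${user.mail} (disabled in source)`);
      }
      continue;
    }
    const mapping = resolveMapping(user, mappings);
    if (!mapping) {
      actions.push(`skip ${user.mail} (no mapped role)`);
      continue;
    }
    if (!existing) {
      target[user.mail] = { ou: mapping.ou, suspended: false, title: user.title };
      actions.push(`create ${user.mail} in ${mapping.ou}`);
    } else if (options.syncExisting) {
      // Overwrite mode replaces every synced attribute, including blanking a
      // value the target has but the source does not (alice's title here).
      existing.ou = mapping.ou;
      existing.title = user.title;
      actions.push(`update ${user.mail} -> ${mapping.ou}`);
    } else {
      actions.push(`skip ${user.mail} (exists, no overwrite)`);
    }
  }
  return { target, actions };
}

console.log(reconcile({ syncExisting: true, deprovisionDisabled: true }).actions);
```

Run it with node; the last line prints the actions for one pass in overwrite mode. Reordering ROLE_MAPPINGS changes which OU alice lands in, which is why the guide recommends putting the role with the highest rights at the top and keeping each user in only one mapped role where possible; the blanked title shows what "Sync (overwrite)" does to attributes the source directory does not carry.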
Configuring Centrify Role to G Suite OU provisioning
The most common way to provision users is mapping Centrify Roles to Google OUs, as this lets you manage
application and rights access based on the G Suite OUs.
1. Click on Provisioning
2. Select Enable provisioning for this application
3. Click on Authorize
4. Click on Allow in the Request for Permission dialog. If you are not logged on to G Suite with your administrator
account you will be prompted to authenticate first.
5. Once authorized, additional configuration options become available.
Please refer to the Centrify online help for additional information on the individual configuration options:
https://docs.centrify.com/en/centrify/appref/index.html?version=1490127889#page/cloudhelp%2Fg-n%2Fsaasprov-GoogleApps.html%23wwconnect_header
Scroll down to configure the account synchronization behavior applicable to your Organization.
6. Under Role Mappings click on Add
7. Select the Centrify Roles that you want to map to your G Suite OUs and click on Add. Click Done once you have
configured all your Role Mappings
8. Optionally a destination domain and destination group can be configured.
You can create and manage groups for your organization using the Groups control in the Admin console. With
the Groups control, you can create basic groups that people in your organization can use as mailing lists.
People can then use a single address to send mail to the entire group, or invite the group to a meeting or to
share a document. These Admin console groups make it easy to:
Communicate with groups of people. For example, groups can be useful for departments, project teams,
classes, office locations, special-interest groups, and more.
Manage access to documents, sites, videos, and calendars. Users can share their content with groups
instead of entering individual addresses.
9. Click Done
10. Repeat steps 6 to 9 until you have mapped all Centrify Roles to G Suite OUs as applicable to your organization
11. Click Save
Enabling Single Sign On in Google G Suite
1. Log on to your Google G Suite Admin Console
2. Click on Security
3. Click on Setup Single Sign-on (SSO)
4. Copy and paste the Sign-in page URL and Sign-out page URL from the Centrify Cloud Manager (step 10 in the
Centrify Identity Service basic Google G Suite configuration).
Paste the Sign-in URL into both the Sign-in page URL field and the Change password URL field.
5. Click on Choose file and select the Certificate downloaded in step 11 of the Centrify Identity Service basic Google
G Suite configuration
6. Click Upload
7. Click Save Changes
Securing the Google G Suite Main Admin Account
The main admin account for Google G Suite cannot be federated with an identity provider. To secure the main
admin account properly, best practice is to enable multi-factor authentication (Google 2-Step Verification) on that
account.
In addition, the main admin account can be protected using the Centrify shared-account workflow. This allows
access to the Google G Suite console through an approval workflow without exposing the admin password to the
requestor. However, if MFA is enabled for the main admin account, any individual who may need access to it via
the shared account in the Centrify Identity Service must first have their mobile device enrolled with Google's
2-Step Verification.
Enabling Multi Factor Authentication for the G Suite main Admin Account
1. Browse to https://admin.google.com/AdminHome
2. Log on using your main admin account
3. Click on Users
4. Click on the main Admin Account
5. Within the admin view click on Show more
6. Click on Security
7. Click on the ? next to 2-step verification
8. Follow the onscreen instructions provided by Google to set up 2-step verification for the G Suite main admin
account. The basic steps are:
a. In your Google Admin console (at admin.google.com)...
b. Click Security > Basic settings.
c. Under 2-Step Verification, check Allow users to turn on 2-step verification.
This makes 2-Step Verification available for your users, but does not automatically enroll them. To enroll,
users need to configure their verification settings individually. See Turn on 2-Step Verification.
Once all users have enrolled in 2-Step Verification, you may enforce its use following the instructions
in Manage your users' security settings.
d. Go to the 2-Step Verification page. You might have to sign in to your Google Account.
e. Select Get started.
f. Follow the step-by-step setup process.
Once you're finished, you'll be taken to the 2-Step Verification settings page. Review your settings and add
backup phone numbers. The next time you sign in, you'll receive a text message with a verification code.
You also have the option of using a Security Key for 2-Step Verification.
NOTE: To ensure that you can access your account in the future, add an email recovery option as well.
NOTE: To use 2-Step Verification and security keys you need a mobile phone that can receive the
verification code via text message or phone call, or an Android, BlackBerry or iPhone; these devices use
the Google Authenticator mobile app to generate the verification code.
NOTE: If SAML single sign-on (SSO) is enabled for your domain, Google's 2-Step Verification does not apply when
logging on through SSO. Super Administrators, however, can log in both directly through Google and through the
SSO IdP. If the login goes through Google and 2-Step Verification is configured, the admin is prompted for the 2nd
factor. If the login goes through the SSO IdP, Google does not prompt for the 2nd factor even if 2-Step Verification
is configured, so a second factor for federated admin logins has to be enforced by the IdP (for example through the
application Policies mentioned in step 15 of Configuring Google G Suite Application). See Partner-operated SAML
Single Sign-On (SSO) Service for G Suite for additional details on using SSO for your domain.
9. Once you have enrolled in 2-step verification you can choose to add different methods for verification. The
following options are available:
a. Backup codes: These printable one-time passcodes allow you to sign in when away from your phone, like
when you’re traveling.
b. Google prompt: Get a Google prompt on your phone and just tap Yes to sign in.
c. Centrify Mobile app: Use the Centrify app to get free verification codes, even when your phone is offline.
Available for Android and iPhone.
d. Backup phone: Add a backup phone so you can still sign in if you lose your phone.
e. Security Key: A Security Key is a small physical device used for signing in. It plugs into your computer's USB
port.
10. Please follow the Google instructions on how to set up additional 2-step verification options.
Establish workflow-based access for Super Admin account
To give multiple administrators access to the Super Admin account without exposing the password to more
employees than strictly necessary, you can configure the Centrify Identity Service for shared account access with
workflow-based approval.
In this use case an administrator who needs access to the G Suite console using the Super Admin account has to
request access to the account through the Centrify Identity Service User Portal and can only launch the G Suite
console from the Centrify Identity Service User Portal, without the G Suite password being exposed to the
requestor.
1. Log on to the Centrify administrator console https://cloud.centrify.com/manage
2. Click on Apps
3. Click on Add Web Apps
4. In the Add Web Apps dialog search for G Suite
5. Click on Add G Suite User Password
6. Confirm the add dialog
7. Close the Add Web Apps dialog. The configuration dialog for G Suite User Password will open automatically.
8. Within the G Suite configuration dialog click on User Access
9. Select the User Roles that you want to give access to the Application Connector to
NOTE: If a user is already a member of a role selected here, workflow-based access will not take effect. User Access Roles take precedence over workflow access requests.
10. Click Save
11. Click on Account Mapping
12. Select Everybody shares a single user name
13. Enter the administrative username and password for your G Suite account
14. Click Save
15. Click on Advanced
16. In the scripting section replace the <COMPANY_ID> with your G Suite Domain Name. You must replace
<COMPANY_ID> leaving only the single quotation marks.
Example:
Replace:
var companyId = '<COMPANY_ID>'; // replace with your G Suite domain name
if (companyId == '<COMPANY_ID>' ) {
throw 'Please use your Google Apps domain name';
}
With:
var companyId = 'democentrify.us'; // replace with your G Suite domain name
if (companyId == '<COMPANY_ID>' ) {
throw 'Please use your Google Apps domain name';
}
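The guard in the script above only catches the case where the placeholder was left untouched. As an added example (not Centrify's own application script), the following function performs that same placeholder check and additionally rejects empty values and values that do not look like a DNS domain name, so a typo in step 16 fails at configuration time rather than at the first sign-in. The function name, the domain regular expression and the sample values are assumptions made for this illustration.

```javascript
// Added example, not part of the Centrify G Suite User Password script.
// Validates the companyId value before it is used by the application script.
const PLACEHOLDER = '<COMPANY_ID>';

// Loose DNS-name check (assumption for this example): one or more labels of
// letters, digits and hyphens, no label starting or ending with a hyphen,
// at least one dot so bare host names such as "localhost" are rejected.
const DOMAIN_RE =
  /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$/i;

function validateCompanyId(companyId) {
  if (typeof companyId !== 'string') {
    throw new Error('companyId must be a string');
  }
  const value = companyId.trim();
  if (value === '' || value === PLACEHOLDER) {
    // Same failure the guide's script raises when the placeholder is left in.
    throw new Error('Please use your Google Apps domain name');
  }
  if (!DOMAIN_RE.test(value)) {
    throw new Error('companyId does not look like a domain name: ' + value);
  }
  // Domain names are case-insensitive; normalise so comparisons are stable.
  return value.toLowerCase();
}

// Constructed usage with the sample domain from the guide.
var companyId = validateCompanyId('democentrify.us');
```

Calling validateCompanyId with the untouched placeholder throws the same message the guide's script uses, and a value such as 'not a domain' throws the domain-shape error instead of silently being sent to Google.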
17. Click on Workflow
18. Select Enable Workflow for this application
19. Click on Add for the Approver List
20. Select either the Requestor’s Manager (in this case the Centrify Identity Service uses the name from the manager attribute in Active Directory)
21. Or Specify User or Role
22. Selecting User or Role will allow you to select individual users or roles. Search for users or roles in the Select
User or Role dialog
23. Select the user or role you want to configure as approver for access requests to G Suite
24. Click on Add
25. If you selected more than one role under User Access you will be able to select Requestor Assignable Roles
26. Select the Role to which the requestor is supposed to be assigned
Verification
Requesting Access to G Suite Super Admin shared account
Users who do not have the Super Admin password to log on as the Super Admin account must go through the Centrify Identity Service User Portal and use the workflow-protected Application tile to log on to G Suite as Super Admin.
1. Log on to the Centrify User Portal https://cloud.centrify.com/my as a requesting user
2. Click on Add Apps
3. Search for G Suite in the Add Apps dialog
4. Click on Request for G Suite User Password
5. Confirm the access request dialog
6. Close the Add App dialog
7. Upon approval, the Application tile for the shared account, which is different from the user's regular G Suite account, will show in the user's Centrify User Portal
8. To log on to G Suite as Super Admin the user simply clicks on the G Suite Shared Account application tile
Approving Application Access Request from Workflow
1. Log on to the Centrify Identity Service user portal as a user who is configured as approver for G Suite
2. Click on Requests
3. Select the request you want to approve
4. Select Approve from the Actions dropdown menu
5. Confirm the approval dialog
6. The requesting user will now have access to the G Suite shared Super Admin account
Performance
The Centrify service is managed by the Centrify Ops team to provide optimal performance for every customer. Each customer can, however, increase the reliability of connectivity to the on-premises Active Directory environment by adding additional Connectors. This provides additional capacity as well as fault tolerance for user authentication to the G Suite environment for your users.
Security
Security of the Centrify Identity Platform:
Centrify operates as a managed offering where all data is encrypted uniquely for each customer.
Please review the Centrify Identity Platform Trust and Security white paper for more detail
https://www.centrify.com/resources/centrify-identity-platform-trust-statement/
Security considerations for user authentication:
Improve security by eliminating easily cracked, recycled or improperly stored passwords.
You should also consider turning on one of the several Multi-Factor Authentication mechanisms that are built into the Centrify solution, ensuring authorized access by the right person at every authentication point within the solution.
o Learn more about Centrify MFA Solutions: https://www.centrify.com/solutions/why-multi-factor-authentication/
o Read HowTo articles on MFA: http://community.centrify.com/t5/TechBlog/bg-p/techblog/label-name/mfa
Create comprehensive user access policies that span across apps and devices.
Manage and control application provisioning and entitlements.
Operations (logging and troubleshooting)
Centrify provides full audit logging across our products designed to rapidly assist administrators with any challenges
they may face.
Centrify Identity Service logs all activity and provides access to the events through both Dashboards and Reports
within the Identity Service portal.
Troubleshooting information can be found on the Centrify support site https://www.centrify.com/support/ as well as in the Administrator’s Guide https://www.centrify.com/support/documentation
Additional Resources
Learn more about the Centrify solution for Securing your enterprise:
https://www.centrify.com/solutions
https://www.centrify.com/products
Visit the Centrify Community where you will find the TechCenter and TechBlogs for additional guidance, tips and
tricks or join the discussion and ask questions.
http://community.centrify.com/google
Appendix
How to determine your Primary Google Domain
1. Log on to your Google G Suite account with an Administrator account
2. In the Admin Console click on More Controls (more options will appear), then click on Domains
3. Click on Add/Remove Domains
4. The Domain listed on the left is your Primary Domain
Contact Centrify
Centrify strengthens enterprise security by managing and securing user identities from cyber threats. As
organizations expand IT resources and teams beyond their premises, identity is becoming the new security
perimeter. With our platform of integrated software and cloud-based services, Centrify uniquely secures and unifies
identity for both privileged and end users across today’s hybrid IT world of cloud, mobile and data center. The result
is stronger security and compliance, improved business agility and enhanced user productivity through single sign-on. Over 5000 customers, including half of the Fortune 50 and over 80 federal agencies, leverage Centrify to secure identities.
Learn more at www.centrify.com.
Santa Clara, California: +1 (669) 444-5200
Email: [email protected]
EMEA: +44 (0) 1344 317950
Web: www.centrify.com
Asia Pacific: +61 1300 795 789
Brazil: +55 11 3958 4876
Latin America: +1 305 900 5354
Copyright © 2005-2017 Centrify Corporation.