Google OAuth
Posted by Jim Giseburt on 11 April 2017 05:02 PM

Google APIs support the use of the OAuth 2.0 protocol; among other things, this allows Cipafilter to securely interface with Google Apps domains for the purpose of authentication.

Two distinct but related Google authentication methods are provided by the Cipafilter software: a back-end service and a portal front-end.

Google OAuth back-end

Adding Google OAuth to the authentication services on the Content Filtering page enables the Google OAuth back-end feature. This provides for Google Apps itself to act as a directory service, bypassing the need for an LDAP server at all. When this feature is selected, the Cipafilter will check for a user's existence in Google Apps and, if applicable, derive group memberships from that user's Google Apps groups (aka distribution lists).

There are some caveats to this authentication method, however, which do not apply to the LDAP methods. Most notably, Google does not support actual credential authentication through their APIs; because of this, the Cipafilter cannot directly perform user-name and password validation against Google Apps user accounts. Instead, authentication may be provided by the Google OAuth front-end feature (described below) or by a compatible Cipafilter authentication client. The authentication clients for Windows and OS X can "simulate" a successful Google log-in when the user's domain or work-station user name matches that of their Google Apps account; the authentication is assumed to be successful based on the fact that the user was able to log in to the work station.

The Google OAuth back-end does not work with browser proxy prompts or with the Cipafilter Chrome Authenticator extension.

Google OAuth front-end

Checking Use Google OAuth for portal authentication on the Content Filtering page activates the Google OAuth portal front-end. This feature enables the captive portal system to hand off authentication to Google itself, which subsequently reports the success or failure of the operation back to the Cipafilter. After confirming the success of the user's log-in, the Cipafilter can use any configured authentication service to match the user to a group.

Example: Suppose Central High School has an internal Active Directory server as well as Google Apps accounts for all students. A student named Joe Bloggs has an account jbloggs in Active Directory, and an account jbloggs@centralhigh.edu in Google Apps. With the Google OAuth front-end feature, Joe can sign in to the portal with his Google e-mail address, and the Cipafilter will match the user name from that address to the user name in Active Directory. Upon finding a match, the filter will use the Active Directory groups to place the user into the appropriate group on the filter.
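
The matching step from the Central High example, as an added illustration (not Cipafilter's code): it derives the directory user name from a Google identity only when the e-mail address is verified and belongs exactly to the organization's Google Apps domain. The claim names email and email_verified, the function names, and the sample directory are assumptions made for this sketch.

```python
# Added illustration; not Cipafilter code. All names here are hypothetical.
from typing import List, Optional

# Constructed sample data standing in for Active Directory group memberships.
SAMPLE_DIRECTORY = {
    "jbloggs": ["Students", "Grade-11"],
    "asmith": ["Staff"],
}


def local_username(claims: dict, apps_domain: str) -> Optional[str]:
    """Return the directory user name for a Google identity, or None to reject.

    `claims` is the identity Google reported after a successful sign-in
    (assumed already validated by the OAuth client); `apps_domain` is the
    organization's Google Apps domain.
    """
    email = claims.get("email")
    if not isinstance(email, str) or claims.get("email_verified") is not True:
        return None
    local, sep, domain = email.strip().rpartition("@")
    # Require exactly one '@' and a non-empty local part.
    if not sep or not local or "@" in local:
        return None
    # Exact, case-insensitive domain match. A suffix or substring test would
    # accept look-alikes such as centralhigh.edu.example.com, and skipping the
    # check would let jbloggs@gmail.com map onto the local jbloggs account.
    if domain.lower() != apps_domain.lower():
        return None
    return local.lower()


def groups_for(claims: dict, apps_domain: str,
               directory: dict = SAMPLE_DIRECTORY) -> List[str]:
    """Look up groups for the matched user; unknown users get no groups."""
    user = local_username(claims, apps_domain)
    if user is None or user not in directory:
        return []
    return list(directory[user])


if __name__ == "__main__":
    joe = {"email": "jbloggs@centralhigh.edu", "email_verified": True}
    print(groups_for(joe, "centralhigh.edu"))
```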

This feature can also be used in conjunction with the Google OAuth back-end (described above). By combining the two, organizations can use Google Apps as a complete substitute for more traditional directory services.

Because it requires Web-based interaction from the users themselves, the front-end feature is only beneficial to portal users; it does not affect browser proxy prompts or Cipafilter authentication clients.

Combining Google OAuth with LDAP

For organizations looking to combine traditional LDAP services with Google authentication, Google provides a free product for Windows and Linux called Google Apps Directory Sync, which automatically synchronizes directory information between Google Apps and a local LDAP server.

Using this synchronization solution is generally more robust than the Google OAuth back-end, due to the limitations described above.

Google OAuth initial setup

Both the front-end and back-end Google OAuth features require a one-time setup on the Google Apps side before they can be used with the Cipafilter:

  1. Log in to the Google Admin Console for your organization's domain via admin.google.com. (If this link doesn't work, try browsing to https://google.com/a/yourdomain.com, where yourdomain.com represents your organization's Google Apps domain.)

  2. From the front page of the Admin Console, click Security, then API reference; then, under the API access section, check Enable API access. A Save changes button will appear at the bottom of the page; click it. Note: This settings change can take up to 24 hours to take effect.

  3. Log in to the Google Developers Console via console.developers.google.com.

  4. Click the drop-down menu at the top of the Developers Console page, and select Create a project.... You will be prompted for a project name and ID; enter Cipafilter OAuth or similar for the name (the ID can be left as the default), then click Create.

  5. After a moment, you should be directed to the dashboard for the new project (if not, go back to the projects drop-down and click on the new project name). On the left-hand side of the screen, click APIs under APIs & auth.

  6. Under the API Library tab, locate the Admin SDK and Google+ API options, and enable them by clicking their names and then clicking Enable API. Note: This settings change can take up to 24 hours to take effect.

  7. On the left-hand side of the screen, under APIs & auth, click Credentials.

  8. Click the OAuth consent screen tab and enter (at least) an Email address and Product name, then click Save. The information on this tab will be used to display the consent screen that users see when they try to authenticate via Google.

  9. Click back to the Credentials tab, then click the Add credentials drop-down and select OAuth 2.0 client ID.

  10. On the next page, select Web application. A series of configuration fields should appear.

  11. Under Name, enter a memorable name for the client ID you're creating, such as Cipafilter OAuth.

  12. Leave the Authorized JavaScript origins section blank.

  13. Under Authorized redirect URIs, paste each of the Redirect URIs listed on the Authentication tab of the filter's Content Filtering page. (You may have to copy and paste each line individually.)

  14. Click Create. After a moment, you will be shown a dialogue containing the OAuth client ID information. (You can view this information later by clicking the client ID name you entered previously from the Credentials tab.) This information will be used to configure the filter.

Having completed the initial configuration on the Google side, you should be able to configure the Cipafilter itself:

  1. In another tab or window, access the Cipafilter Web interface, then navigate to the Content Filtering page, then to the Authentication tab, and scroll down to Google OAuth Settings.

  2. Paste the client ID from the Google Developers Console into the Client ID for Web Application field on the filter interface.

  3. Paste the client secret from the Google Developers Console into the Client Secret for Web Application field on the filter interface.

  4. Enter your Google Apps domain name (e.g., yourdomain.com) into the Google Apps Domain field.

  5. Click Save and Apply.

  6. On the same page, click Authorize a Google Domain Administrator Account. Note: You may have to be filtered behind the Cipafilter for this link to work correctly.

  7. You will be redirected to Google. If prompted to log in, do so. Note that you must use an account that has administrator access to the Google Apps domain you're configuring. Google will prompt you to allow Cipafilter's OAuth feature to view user and group information for the domain; click Accept.

After following all of the steps above, you should be redirected back to the Cipafilter's Content Filtering page, where the Google Access Token field should show OK. At this point, you should be able to select any of the Google OAuth-related features you'd like to use — see those options' respective descriptions for more information.

©Cipafilter 2017. All Rights Reserved.