
Take a ride on CloudPages for Google Apps

CloudPages can add more options to your Google Apps environment such as single sign-on, password recovery and contact sharing features. Find out what it offers and how it came about.

Google Apps is a platform that is rich with capabilities to fill the needs of many organizations. However, every platform has needs or gaps which can be filled in by third-party add-ons to deliver more controls and customization.

I'm fascinated with the ways in which outside organizations can determine these needs, and as a systems administrator I'm a self-appointed watchdog for quality products versus those that don't fit the bill (follow me on Twitter and you're likely to see many examples of those that fit the latter category!). With that in mind, I'm always up for a good product review.

I've written about two examples of powerful Google Apps add-ons: BetterCloud's FlashPanel and Arachno Orbit, both of which provide more granular and focused management and collaborative capabilities for Google Apps. Today I want to look at a third contender, CloudPages.

cloud-1.png

What is CloudPages?

CloudPages is a user management, search and directory application for Google Apps. Produced by Cloud Technology Solutions of the United Kingdom, it provides the following enhancements to the Google Apps platform:

  • Self-service password reset
  • Ability to create, manage and delete external users as shared contacts
  • Ability to synchronize users and passwords between Google Apps and an LDAP-based directory
  • Directory search of both internal and external users, with the ability to export results to CSV files, move/delete users, assign roles and add to contacts/mobile devices based on search parameters
  • Reporting capabilities such as full audit logs for user activity
  • On-premises option for directory services integration

CloudPages also provides the ten most frequently requested additions to Google Apps:

  • Email signature management
  • Enforcement of strong passwords
  • Time-based password expiration policies
  • Smart provisioning of Google Groups (meaning these can be automatically updated with new users)
  • Smart provisioning of Google+ Circles
  • Sharing of personal Google contacts with colleagues
  • Google Apps logon restrictions based on network address or time
  • Customizable login processes, enforcement of acceptable usage agreements and mandatory attributes
  • Single Sign On via SAML (Security Assertion Markup Language)
  • Ability to search for Google Apps users on mobile devices and click to call them.

Free vs. paid

The free version provides the following capabilities:

  • Email signature management
  • Ability to reassign documents when deleting users
  • Contact sharing profile management
  • Data inheritance
  • Ability to search by various user categories
  • Self-service functions such as password resets
  • Logging and password policy features

The paid version offers more powerful features such as password recovery, 24-hour directory synchronization, single sign-on, on-premises integration, smart provisioning and further customization. Pricing details are below.

Security

CloudPages accesses your data using standard Google APIs for provisioning, profiles, calendar, contacts, Google Docs, Google Groups and Google+. This requires you to grant access to this data (as I'll demonstrate below) and is standard for any application which interfaces with your personal or company information.

Customer passwords are neither visible to nor stored by CloudPages, so your organization is not vulnerable should they suffer a security breach or rogue administrator.

How do you install it?

As with just about every Google-related product, CloudPages can be installed via Google Play.

cloud-2.png

(Note: the CloudPages page on Google MarketPlace will soon be upgraded and will look different from the above image).

Taking it for a test drive

I logged into my test Google Apps domain then accessed the above page and clicked "Add it now."

cloud-3.png

I reviewed the details above then clicked "Grant data access."

cloud-4.png

Clicking "Configure Application" led me to the following page:

cloud-5.png

I clicked "Complete Setup," then beheld the following screen:

cloud-6.png

Once I clicked "Allow access" I was then provided the following response:

cloud-7.png

I clicked "Return to Control Panel." I then observed the following prompt:

cloud-8.png

I opted not to wait for the confirmation email but clicked "Sign in now" to access the app, which runs on mycloudpages.appspot.com.

cloud-9.png

This showed me the main home screen of CloudPages. The search bar invited me to "Find people now." My test domain doesn't have much to search for, but a sample screenshot from CloudPages shows what a search for a user might reveal:

cloud-10.png

Note those Tags along the bottom, which can help further sort results. Furthermore, customized searches such as hunting for users with the Job Title of "Branch Manager" could yield something like this:

cloud-11.png

Clicking the "Browse" link along the top displayed the following:

cloud-12.png

Here I could work with smart groups, circles and contacts (these objects are updated based on search queries meaning they are adjusted as users are added/removed) as well as my existing test user accounts.

Here's an interesting example of what options browsing your organization object will reveal and how you might set up an Email Signature in CloudPages which can apply to all of your users (screenshot provided by CloudPages):

cloud-13.png

Those variable fields ($personalName, $personalSurname, $phoneBusiness, etc.) will then match the user fields and insert the appropriate information. Pretty cool!

Clicking "Search Results" displayed the search screens I previously covered.

Accessing the "Settings" link really illustrated the capabilities of CloudPages:

cloud-15.png

Here you can see the premium features (which are provided for one month as a free trial) as well as options such as Customization, Role Configuration, Role Assignment, Integration, SSO and GAT.

All of these are fairly self-explanatory: customization lets you set up logos, colors, and so forth; role configuration/assignment lets you administer permissions for users; integration permits sync with on-premises directory services; SSO handles single sign-on; and GAT (General Audit Tool) provides configuration of audit information to see what users have been sharing or collaborating on. This factors in later!

The "Logs" link offered the ability to review domain actions and activity and the "Tools" link showed me these options:

cloud-16.png

I later found that CloudPages added a navigation icon to my "Apps" menu in Chrome for easy access:

cloud-17.png

All in all, I found CloudPages quite easy to use right out of the box, so to speak, with an intuitive interface and a minimum of clutter (I'm not a fan of reading documentation, preferring instead to learn via a hands-on approach and this experience certainly fit the bill).

Removing CloudPages

Should you decide for any reason to stop using CloudPages, it's easy to remove. Return to the corresponding Google Apps Marketplace page, then click "Add it now" again:

cloud-18.png

Click "configure this application" and scroll down to the bottom of the configuration screen.

cloud-19.png

Click "Delete CloudPages" and it will be removed along with all access to your organization data.

Chatting with the creators

I'm always intrigued by how these ideas come about, so I spoke with Paul Lees, the CTO of Cloud Solutions, who was kind enough to chat with me and field the following questions:

Scott Matteson: How did the idea for CloudPages come about?

Paul Lees: We have been working within the Google Apps sector for many years; our first product in the Google Apps marketplace was CloudMigrator, a well renowned and trusted migration tool that enabled organizations to effortlessly migrate to Google Apps from any email platform. This introduced us to many early adopters of Google Apps, thought leaders who had a strong desire to simplify their internal IT as they move to "The Cloud". We could see a trend of organizations embracing Google Apps, but still requiring traditional services such as an Internal Directory/WhitePages and improved user management. At the time the Google Apps marketplace was littered with Admin Panels, replacements for the Google Control Panel, so we decided to take a different view and focus on the users instead of the IT administrator. In 2011 we produced a document called "WhitePages Application (Cloud Colleague)"; CloudPages was born.

With this rough specification in hand we approached some of our enterprise customers to get some real-world feedback. One of our customers (Kempinski Hotels) was also looking at a project to produce a WhitePages Application based on Google Apps. The timing could not have been any better, we partnered with Kempinski to deliver a custom version of CloudPages specifically for them.

SM: How did you develop the product?

PL: CloudPages has been developed using agile methods, the team has grown over the years but we continue to use the same methods as they suit our approach so well. The team consists entirely of remote workers and regular meetings help to keep us all moving in the right direction with very few missteps. We are also able to quickly respond to customer needs this way and can push out feature requests (when not too disruptive to the overall roadmap) very quickly.

The product moved quickly from an initial proof-of-concept to the first milestone, a fully featured Google Apps directory browser and sync tool. We had a strong set of requirements, many of which had been worked on collaboratively with major customers which kept development highly focused. Moving on from that first major internal milestone we concentrated on fleshing out functionality, particularly the search infrastructure, before we publicly launched. Since then we have pushed out new releases almost monthly, adding major new functionality with each release.

SM: How long did it take to get CloudPages to market? Any anecdotes, entanglements or trivia to share on that process?

PL: The initial development of CloudPages up to the first public release took place over a year and a half. We worked closely with several existing customers during this initial period to make sure the product was both a good fit for their specific needs, whilst always considering whether a feature was more broadly required in the Google Apps marketplace. Developing in this way allowed us to organically fund the development of CloudPages rather than an extended, closed development cycle which would have required external funding.

As the authors of the CloudMigrator we already had extensive experience of the Google APIs, and through customer engagements had worked a great deal with Google App Engine, but for CloudPages we required GWT application developers who also had the right background. We were successful at quickly hiring additional good developers with the required skills, which kept the initial time to market low. CloudPages is built using Java/GWT on Google App Engine, making heavy use of both the Google and App Engine APIs. It's a fairly specific skill set, and one which not many developers often have together, but we were able to find the right people quickly.

SM: Any involvement with Google in developing CloudPages? Do they have to give permission or take a percentage or is it open per their Google APIs?

PL: We have been working with the Google API team both personally and via the Enterprise support channels for many years and CloudPages proceeded much in the same way. At many stages in the product's development we have gathered feedback from Google's deployment teams in many geographical areas. When we were developing the search infrastructure within the product we were using the (then) GAE experimental search API. At this time we required additional quota and worked with the Google team to get that in place. Following this we could open the search capabilities to a broader customer audience and really start to leverage its power throughout the application.

CloudPages uses the open, public Google APIs for all interaction with the Google backend. As such the only charges we incur are the Google App Engine fees. We have enterprise support for Google's cloud platform, but this and the App Engine fees are the only infrastructure fees we pay for the product.

SM: You mentioned in one of your prior emails that "we have recently integrated CloudPages with another Google MarketPlace application 'General Audit Tool'." Can you talk a bit about how that process worked?

PL: In order to provide some of the functionality we wanted to provide via CloudPages, such as Password Expiry, Acceptable Usage Policies and Login Restrictions, it was necessary to control the user login process to Google Apps. We therefore decided to develop a SAML-based SSO solution into CloudPages. At one of our regular global Google Hangouts we discussed how awesome it would be if our deployment team could detect what a user was doing with their Google Apps account and provide automatic advice and guidance to users who appeared to be struggling with the adoption of Google Apps as they move away from Microsoft Office. We decided that with all the other features we had planned we needed to partner, so we looked around the Google Apps marketplace and found General Audit Tool for Google Apps as a possible option. We already had an existing relationship in place and after a few calls we agreed to work together.

The solution is brilliant in its simplicity. General Audit Tool creates a Google sheet containing all the metadata we need in order to determine the effectiveness of Google Apps users. CloudPages, during the login process, checks this sheet and then, based on a configurable threshold, redirects the user to a training landing page. Thanks to this collaboration we've suddenly become very popular with organizations who develop Google Apps training sites.

We believe that we are the first Google Apps ISVs to take their existing products and provide such close integration.

SM: What would you say is the most popular/useful premium feature?

PL: The most popular premium feature was our Email Signature Management feature - I say "was" as it's no longer premium. We decided to reward our customers by providing this much requested feature free of charge to anyone who installed CloudPages. Many organizations just use CloudPages for free for Google Mail Signature Management, and we're happy with that.

CloudPages has many really useful features; it's hard to say which is the most useful or most popular. However, we'd have to say that CloudPages Smart Provisioning of Google Groups, Circles and Contacts is pretty sexy. Smart Provisioning allows administrators to use search in order to automatically populate Google Groups etc. So you can simply search for all users with Sales in their Job Title and create a dynamic Google Group for Sales. It's what we call hands-off administration and leverages the search technology we integrated into CloudPages.

SM: Can you describe how on-premise integration works?

PL: On-premise integration enables the sync of information created and stored in CloudPages back to an on-premise directory, such as Microsoft Active Directory or any LDAP directory. Communication is carried out between CloudPages and the on-premise application using a connector application that is installed locally on the customer site. Upon certain events occurring in CloudPages calls are made to the connector application which then updates data within the on-premise system. This enables changes to user data, to the organizational structure and even password changes to be synced back to on-premise systems. Password synchronization is key for enabling the same password to be used for on-premise legacy applications and cloud-based applications.

We are all techies and we take security very seriously. All requests between CloudPages and the on-premise connector are protected using a multi-pronged approach which we are happy to share full details about with any customer.

(note: you can download their Security Whitepaper for more details)

We have built the connector application using Tomcat and through a plugin system can quickly support a range of directories. While the LDAP protocol is the same, customers often have specialized requirements for attribute syncing and password synchronization which we can deliver very quickly.

SM: Any plans for updates or new initiatives for CloudPages which you can discuss with us?

PL: The roadmap for CloudPages is packed with features. Over the next few months we'll be providing enhanced provisioning within CloudPages. Administrators will be able to define a policy so that when someone deletes a user the following workflow could happen.

  1. Password change and an email to the manager or nominated individual.
  2. Rename and hide account.
  3. Assign email address as alias to manager or nominated individual.
  4. Transfer the ownership of the user's Google Docs so the files are not deleted when the account is deleted.

We also have many more powerful features coming down the line, which we will talk about more when they are closer to release.

SM: Can we chat about price? How does it work across multiple countries/currencies?

PL: Our charging is $5/£5/5€ per user, based on geographical location.

Wrapping up

CloudPages provides a handy toolkit for administrators and users with a variety of basic free options as well as advanced paid features. The beauty of a solution like this is you just add it on and try it out. No mandatory sales calls, no extensive surveys and no cumbersome apps to install in your production environment. This really fits a nice groove with my system administrator mindset, where I like to experiment with products and then make decisions based on proven results, not pressure or hype.

For further details, check out CloudPages online or review their data sheet. You can also see the product in action by viewing their engaging YouTube video.

About

Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.

1 comments
ab1986b

The vulnerabilities are still huge:

Some high-risk threats to a SAML SSO solution are:

  • Replay Attacks: An attack in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack.
  • Man-in-the-Middle Attacks (MITM): A form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association.

When implementing an SSO solution and choosing a SAML library for parsing and generating SAML assertions, it is important to consider the following points:

  1. XML Schema validation: ensure the SAML library validates the whole response message against the applied SAML schemas.
  2. Order and position: does the SAML library respect the order and position of signed and executed elements in the message tree? Otherwise this can force the different processing modules to have inconsistent data views.
  3. Signature validation: the SAML library must have signature validation steps.
  4. Trusted signatures: SAML library has to check that the signature was created with a trustworthy key.
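
The "order and position" and replay points from the comment above, sketched as an added example that is not part of the original article or comment and is not CloudPages code: structural and freshness checks a service provider can run on a SAML Response before trusting it. The sample message and the function names are constructed for illustration, and cryptographic signature validation with a trusted key (points 3 and 4) is assumed to be handled by a maintained SAML library.

```python
# Added example with constructed data; signature crypto is left to a SAML library.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def check_response(xml_text, seen_ids, now):
    """Return a list of problems; empty means structure and freshness are acceptable."""
    if "<!DOCTYPE" in xml_text:
        return ["DTD present"]  # a SAML message has no use for a DTD
    root = ET.fromstring(xml_text)
    # Order and position: one Assertion in the whole tree, directly under the root.
    everywhere = list(root.iter("{%s}Assertion" % NS["saml"]))
    direct = root.findall("saml:Assertion", NS)
    if len(everywhere) != 1 or len(direct) != 1 or not direct[0].get("ID"):
        return ["expected exactly one Assertion with an ID directly under Response"]
    assertion, problems = direct[0], []
    # Duplicate IDs let a reference resolve to an element the application never reads.
    ids = [e.get("ID") for e in root.iter() if e.get("ID")]
    if len(ids) != len(set(ids)):
        problems.append("duplicate ID attribute")
    # The signature must sit in the assertion and reference that same assertion.
    refs = assertion.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        problems.append("expected exactly one signature reference")
    elif refs[0].get("URI") != "#" + assertion.get("ID"):
        problems.append("signature does not cover the consumed assertion")
    # Replay: enforce the validity window and accept each assertion ID only once.
    cond = assertion.find("saml:Conditions", NS)
    expiry = cond.get("NotOnOrAfter") if cond is not None else None
    if expiry is None:
        problems.append("missing NotOnOrAfter")
    elif now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
        problems.append("assertion expired")
    if assertion.get("ID") in seen_ids:
        problems.append("assertion ID already used (replay)")
    if not problems:
        seen_ids.add(assertion.get("ID"))
    return problems


def sample(ref="#_a1", extra=""):
    """Constructed Response for the demonstration (not a real capture)."""
    xmlns = " ".join(f"xmlns:{p}='{u}'" for p, u in NS.items())
    return (f"<samlp:Response {xmlns} ID='_r1'>{extra}<saml:Assertion ID='_a1'>"
            f"<ds:Signature><ds:SignedInfo><ds:Reference URI='{ref}'/>"
            "</ds:SignedInfo></ds:Signature>"
            "<saml:Conditions NotOnOrAfter='2030-01-01T00:00:00Z'/>"
            "</saml:Assertion></samlp:Response>")

if __name__ == "__main__":
    now, seen = datetime(2024, 1, 1, tzinfo=timezone.utc), set()
    for _ in range(2):  # the second pass replays the same assertion
        print(check_response(sample(), seen, now))
```

In production the set of seen IDs would be a shared store whose entries expire together with each assertion's NotOnOrAfter value.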
