It’s no secret that web apps complicate password management–each new app means another password to keep up with. The number of logins you need can get out of control quickly.
Saved passwords can help. For example, login to Chrome then choose to save and sync your passwords. When you login to Chrome on any other device, Chrome can fill in your information for you. If you don’t use Chrome, a password management tool like Lastpass Enterprise or Dashlane for Teams offers a similar service not linked to a specific browser.
However, if that isn’t enough, Google Apps offers a solution that reduces the number of logins required to access your web apps: Single Sign On (SSO). Users login with their Google Apps credentials, then access third-party applications. No need for an additional username or password. SSO reduces the number of passwords people need to manage.
Google Apps supports SSO with Security Assertion Markup Language (SAML), a standard way to exchange credentials between apps. A Google Apps administrator configures the connection to a third-party app, then users access the app from the App Launcher.
From a management standpoint, SSO also improves security. Identity management occurs in fewer places. And, an administrator may add or remove access to apps as needed–in one place, rather than in two or more.
As of October 2015, Google offers preconfigured connections to 17 web apps. These apps include databases (e.g. Salesforce, SugarCRM, and NetSuite), meeting tools (e.g. BlueJeans, Citrix GoToMeeting, and WebEx), and storage services (e.g. Amazon Web Services and Dropbox). A Google Apps administrator can create a connection between Google Apps and any other app that supports SSO with SAML.
I configured a connection between Google Apps and Dropbox for Business with one of the pre-configured connections in just a few minutes. Here’s the process. (You need administrative access to both Google Apps and the third-party app to which you wish to connect.)
Configure Google Apps
1. First, login at http://admin.google.com with your Google Apps administrator credentials. Choose “Apps” from the console, then “SAML Apps.” Select the large plus button in the lower right to add a connection.
2. Select Dropbox from the list of preconfigured connections. On the next screen, I chose to download and save the Certificate (option 1, which downloads an X.509 Certificate file with a .pem suffix). Once saved, I selected “Next”.
3. I then captured and resized an image of the Dropbox logo to 256 x 256 pixels, and uploaded it. Even though it’s optional, don’t skip this step, because whatever logo you upload will be the icon people see when they look for the app in the App Launcher. Make sure the image accurately represents the service. Once uploaded, I chose “Next”.
4. Finally, I wrote down the default Dropbox service provider details, then hit “Finish”.
Configure the third-party app
5. Next, I logged into Dropbox.com and selected the Admin Console. I selected “Authentication” and checked the box to enable “Single Sign On.”
6. I filled in the sign-in URL (from the Google Apps setup step 4 above), and uploaded the Certificate (obtained in step 2 above). Then selected “Save changes.”
Remember, you still need to establish an account at the third-party services for each member of your Google Apps domain that needs one. The SSO and SAML connection eliminates the need for separate logins, but it doesn’t handle account creation.
Enable the app
7. Return to your Google Apps Admin console (admin.google.com), and navigate to Apps, then SAML Apps.
8. You should see Dropbox listed with a status of “OFF.” Choose the three buttons to the right of this, to enable the app. You can enable it for everyone, or for an organizational unit.
Launch and login securely
Once established, people in your organization can select the app from the App Launcher to login with their Google Apps account information.
Users no longer need to save passwords for each service. Instead, people only need to remember their Google Apps account credentials.
SSO and SAML may also help increase security, since not all third-party apps require two-step authentication. Here’s how: Configure Google Apps to require two-step authentication, then connect your third-party app with SSO and SAML. That way, in order to launch the third-party app, users must first authenticate with their Google Apps account, which will require two-step authentication.
If you use Google Apps and any other web application that supports SSO and SAML, take the time to connect the apps. A little work by an administrator today will make app access faster and easier in the future.
What do you think?
Have you connected any apps to Google Apps with SSO and SAML yet? If so, which apps? Share your configuration tips and experience in the comments below.