Google Workspace LDAP Synchronization with AuthPoint

Deployment Overview

This document describes how to sync users from Google Workspace to AuthPoint. To sync users from Google Workspace, you must add an LDAP external identity in AuthPoint and create one or more queries.

In AuthPoint, LDAP external identities represent external user databases. They connect to user databases to get user account information and validate passwords. The queries you add to an external identity specify which users to sync from. They pull user information and create AuthPoint user accounts for the users that are found.

Google Workspace does not support identity provider initiated single sign-on (SSO) for AuthPoint. This means that Google Workspace resources do not work from the IdP portal. Users must go to the Google Workspace URL to log in.

Topology

sync topology

Before You Begin

Before you begin these procedures, make sure that:

  • End-users can log in to Google Workspace
  • A token is assigned to a user in AuthPoint

Configure Google Workspace

  1. Log in to Google Workspace as an administrator.
  2. From the navigation menu, select Apps > LDAP.

Screenshot of the Google Workspace navigation menu.

  3. Click Add Client.

Screenshot of the LDAP page in Google Workspace.

  4. Enter a name and description for this LDAP client. In our example, we name the LDAP client AuthPoint.
  5. Click Continue.

Screenshot of Google Workspace.

  6. Specify the access permissions for the LDAP client. In our example, we select Entire domain.

Screenshot of the Add LDAP Client Access Permissions page.

  7. Click Add LDAP Client.

Screenshot of Google Workspace.

  8. Click Download certificate. You need this certificate to complete the steps in the next section.
  9. Click Continue to Client Details.

Screenshot of Google Workspace.

  10. Click Access credentials.

Screenshot of the LDAP client settings.

  11. Click Generate New Credentials.
    The Access credentials screen appears with the generated credentials.

Screenshot of Google Workspace.

  12. Record the generated credentials (user name and password).
  13. Click Close.

Screenshot of Google Workspace.

  14. Navigate back to the LDAP client settings page.
  15. Click Service Status.

Screenshot of Google Workspace.

  16. Select ON for everyone.
  17. Click Save.

Screenshot of Google Workspace.

  18. Verify that the status of your LDAP client is on.

Screenshot of google workspace picture

Configure Stunnel

  1. Install stunnel. For example, on Ubuntu you would type this command:
    $ sudo apt-get install stunnel4
  2. Copy the Google Workspace certificate that you downloaded in the previous section to the stunnel folder (/etc/stunnel).
  3. Create a configuration file /etc/stunnel/stunnel.conf with these contents (ldap-client.crt is the certificate and ldap-client.key is the key):
    [ldap]
    client = yes
    accept = 1389
    connect = ldap.google.com:636
    cert = /etc/stunnel/ldap-client.crt
    key = /etc/stunnel/ldap-client.key
  4. To enable stunnel, edit /etc/default/stunnel4 and set ENABLED=1.
  5. Restart stunnel with this command:
    $ sudo /etc/init.d/stunnel4 restart

Screenshot of stunnel picture

If stunnel does not run, use this command to start it directly with the configuration file: $ sudo stunnel stunnel.conf
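The following pre-flight check is an added example written for this page, not WatchGuard or Google code. It parses the stunnel.conf shown above, compares the listener with the Server Port and LDAPS settings that you enter in AuthPoint later in this document, flags two defaults a practitioner should know about (the listener accepts plaintext LDAP on every interface, and stunnel does not validate Google's server certificate unless told to), and produces a hardened variant. The gateway address, the CA bundle path, the finding codes and the function names are assumptions.

```python
import configparser

# Constructed sample: the stunnel client configuration from the procedure above.
SAMPLE_CONF = """\
[ldap]
client = yes
accept = 1389
connect = ldap.google.com:636
cert = /etc/stunnel/ldap-client.crt
key = /etc/stunnel/ldap-client.key
"""

def parse_stunnel(text):
    """Parse stunnel.conf text into {section: {option: value}}; option names come back lowercased."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[global]\n" + text)  # stunnel allows global options before the first section
    return {name: dict(cp[name]) for name in cp.sections()}

def check_service(svc, authpoint_port, ldaps_enabled=False):
    """Return (code, message) findings for one service section, checked against AuthPoint's Server Port and LDAPS toggle."""
    svc = {k.lower(): v for k, v in svc.items()}
    findings = []
    if svc.get("client", "no").lower() != "yes":
        findings.append(("CLIENT", "client must be yes: stunnel is the TLS client towards Google"))
    host, _, port = svc.get("accept", "").rpartition(":")  # "1389" or "127.0.0.1:1389"
    if port != str(authpoint_port):
        findings.append(("PORT", f"accept port {port!r} differs from the AuthPoint Server Port {authpoint_port}"))
    if host in ("", "0.0.0.0", "::"):
        findings.append(("BIND_ALL", "accept listens on every interface; the AuthPoint-to-stunnel leg is plaintext LDAP, so bind it to the address facing the AuthPoint Gateway or firewall it"))
    if svc.get("connect") != "ldap.google.com:636":
        findings.append(("CONNECT", "connect must be ldap.google.com:636"))
    if not (svc.get("cert") and svc.get("key")):
        findings.append(("CERT", "cert and key (the certificate downloaded from Google) are both required"))
    if svc.get("verifychain", "no").lower() != "yes" or not svc.get("cafile"):
        findings.append(("VERIFY", "no verifyChain/CAfile: stunnel will not validate Google's server certificate"))
    if ldaps_enabled:
        findings.append(("LDAPS", "the LDAPS toggle must be off in AuthPoint: the stunnel listener speaks plaintext LDAP"))
    return findings

def harden(svc, gateway_ip):
    """Copy of the service with the listener pinned to the gateway-facing address and server certificate validation on (assumed Debian/Ubuntu CA bundle path)."""
    out = dict(svc)
    _, _, port = out.get("accept", "1389").rpartition(":")
    out["accept"] = f"{gateway_ip}:{port}"  # 127.0.0.1 when stunnel runs on the AuthPoint Gateway host
    out["verifyChain"] = "yes"
    out["CAfile"] = "/etc/ssl/certs/ca-certificates.crt"
    out["checkHost"] = "ldap.google.com"
    return out
```

To check the real file, call check_service(parse_stunnel(open("/etc/stunnel/stunnel.conf").read())["ldap"], 1389); the sample above yields the BIND_ALL and VERIFY findings and the hardened copy yields none.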

Configure AuthPoint

Before you can sync your users to AuthPoint, you must add a group and an authentication policy, as described in the next two sections.

Add a Group in AuthPoint

You must have at least one user group in AuthPoint to configure MFA. If you already have a group, you do not have to add another group.

To add a group to AuthPoint:

  1. From the navigation menu, select Groups.
  2. Click Add Group.
    The New Group page appears.

Screenshot that shows the Groups page.

  3. In the Name text box, type a descriptive name for the group.
  4. (Optional) In the Description text box, type a description of the group.

Screenshot of the New Group page.

  5. Click Save.
    Your group is listed on the Groups page.

Screenshot of the Save button on the New Group page.

Add an Authentication Policy to AuthPoint

Authentication policies specify which resources users can authenticate to and which authentication methods they can use (Push, QR code, and OTP).

We recommend that you configure authentication policies for your resources before you sync users from your external database to AuthPoint. If you already have authentication policies, you do not have to create a new authentication policy. You can add this resource to your existing authentication policies.

Users that do not have an authentication policy for a specific resource cannot authenticate to log in to that resource.

To configure an authentication policy:

  1. From the navigation menu, select Authentication Policies.
  2. Click Add Policy.

Screenshot of the Add Policy button on the Authentication Policies page.

  3. Type a name for this policy.
  4. From the Select the authentication options drop-down list, select which authentication options users can choose from when they authenticate.

    For SAML resources, if you select more than one authentication option, users must select one of the available options when they authenticate. For example, if you select OTP and Push, users can choose to type their OTP or approve a push to authenticate. You cannot require that they do both.

  5. Select which groups this policy applies to. You can select more than one group. To configure this policy to apply to all groups, select All Groups.
  6. Select which resources this policy applies to. To configure this policy to apply to all resources, select All Resources.

Screenshot of the Add Policy page with the groups and resources selected.

  7. (Optional) If you have configured policy objects such as a Network Location, select which policy objects apply to this policy. When you add a policy object to a policy, the policy only applies to user authentications that match the conditions of the policy objects. For example, if you add a Network Location to a policy, the policy only applies to user authentications that come from that Network Location. Users who only have a policy that includes a Network Location do not get access to the resource when they authenticate outside of that Network Location (because they do not have a policy that applies, not because authentication is denied).

    If you configure policy objects, we recommend that you create a second policy for the same groups and resources without the policy objects. The policy with the policy objects should have a higher priority.

Screenshot of the Policy Objects drop-down list.

  8. Click Save.
    Your policy is created and added to the end of the policy list.

    When you create a new policy, we recommend that you review the order of your policies. AuthPoint always adds new policies to the end of the policy list.

Screenshot of the Save button on the Add Policy page.

Configure an External Identity

The steps in this section are specific to Google Workspace. To learn how to sync users from Active Directory or other LDAP databases, see Sync Users from Active Directory or LDAP.

  1. Select External Identities.
  2. From the Type drop-down list, select LDAP. Click Add External Identity.

Screenshot of AuthPoint.

  3. In the Name text box, type a descriptive name for the external identity.
  4. In the LDAP Search Base text box, type the domain name for your Google account. For example, if your Google email domain name is yourgoogle.com, type dc=yourgoogle,dc=com.
  5. Enable the toggle that says If your system account user is not in the Users CN, enable this option and type the user's DN below.
  6. In the System Account and Passphrase text boxes, type your Google Workspace access credentials.
  7. From the Synchronization Interval drop-down list, select Every 1 hour.

Screenshot of AuthPoint.

  8. For Type, select Others.
  9. In the Domain text box, type the domain name for your Google account.
  10. In the Attribute related to the first name text box, type givenName.
  11. In the Attribute related to the last name text box, type sn.
  12. In the Attribute related to the user email text box, type mail.
  13. In the Main attribute to the LDAP user text box, type uid.
  14. In the Attribute related to the user login text box, type uid.
  15. In the Attribute related to the mobile number text box, type mobile.

Screenshot of the external identity settings.

  16. In the Server Address text box, type the IP address of the host where stunnel is installed.
  17. Disable the LDAPS toggle.
  18. In the Server Port text box, type the port that you configured in the stunnel configuration file. In our example, we specified port 1389.

Screenshot of the external identity settings.

  19. Click Save.
  20. To verify that your external identity is configured correctly and AuthPoint can communicate with Google Workspace, next to your external identity, click and select Check Connection.

Sync Your Users to AuthPoint

  1. Next to your external identity, click and select Group Sync.
    The Group Sync page appears.
  2. Click Add New Group to Sync.
    The Add Group Sync window appears.
  3. From the Select LDAP Groups to Sync Users From drop-down list, select the Google Workspace groups you want to sync users from. You can select multiple groups.
  4. From the Select an AuthPoint Group to Add Users To drop-down list, select the AuthPoint group to add the users to. Synced users must be added to at least one AuthPoint group.

    For each group sync, all users are added to the same AuthPoint group. To add users to multiple AuthPoint groups you must create a group sync for each AuthPoint group you want to add the users to. To add users to separate AuthPoint groups, you must create a separate group sync for each LDAP group.

  5. Click Save.
  6. Click Back.
    You return to the External Identities page.
  7. Next to your external identity, click and select Advanced Query.
    The Advanced Query page appears.
  8. Click Add Advanced Query.
  9. In the Name text box, type a descriptive name for this query.
  10. From the Group drop-down list, select the AuthPoint group to add the users to.
  11. In the Advanced Query text box, type uid=*.
  12. Click Add.
  13. Click Back.
    You return to the External Identities page.
  14. Next to your external identity, click and select Start Synchronization.