Google Workspace LDAP Synchronization with AuthPoint

Deployment Overview

This document describes how to sync users from Google Workspace to AuthPoint. To sync users from Google Workspace, you must add an LDAP external identity in AuthPoint and create one or more queries.

In AuthPoint, LDAP external identities represent external user databases. They connect to user databases to get user account information and validate passwords. The queries you add to an external identity specify which users to sync from. They pull user information and create AuthPoint user accounts for the users that are found.

Topology

sync topology

Before You Begin

Before you begin these procedures, make sure that:

  • End-users can log in to Google Workspace
  • A token is assigned to a user in AuthPoint

Configure Google Workspace

  1. Log in to Google Workspace as an administrator.
  2. From the navigation menu, select Apps > LDAP.

Screenshot of the Google Workspace navigation menu.

  1. Click Add Client.

Screenshot of the LDAP page in Google Workspace.

  1. Enter a name and description for this LDAP client. In our example, we name the LDAP client AuthPoint.
  2. Click Continue.

Screenshot of google workspace picture

  1. Specify the access permissions for the LDAP client. In our example, we select Entire domain.

Screenshot of the Add LDAP Client Access Permissions page.

  1. Click Add LDAP Client.

Screenshot of google workspace picture

  1. Click Download certificate. You need this certificate to complete the steps in the next section.
  2. Click Continue to Client Details.

Screenshot of google workspace picture

  1. Click Access credentials.

Screenshot of the LDAP client settings.

  1. Click Generate New Credentials.
    The Access credentials screen appears with the generated credentials.

Screenshot of google workspace picture

  1. Record the generated credentials (user name and password).
  2. Click Close.

Screenshot of google workspace picture

  1. Navigate back to the LDAP client settings page.
  2. Click Service Status.

Screenshot of google workspace picture

  1. Select ON for everyone.
  2. Click Save.

Screenshot of google workspace picture

  1. Verify that the status of your LDAP client is on.

Screenshot of google workspace picture

Configure Stunnel

  1. Install stunnel. For example, on Ubuntu you would type this command:
    $ sudo apt-get install stunnel4
  2. Copy the Google Workspace certificate that you downloaded in the previous section to the stunnel folder (/etc/stunnel).
  3. Create a configuration file /etc/stunnel/stunnel.conf with these contents (ldap-client.crt is the certificate and ldap-client.key is the key):
    [ldap]

    client = yes

    accept = 1389

    connect = ldap.google.com:636

    cert = /etc/stunnel/ldap-client.crt

    key = /etc/stunnel/ldap-client.key
  4. To enable stunnel, edit /etc/default/stunnel4 and set ENABLED=1.
  5. Restart stunnel with this command:
    $ sudo /etc/init.d/stunnel4 restart

Screenshot of stunnel picture

If stunnel does not run, use this command to reload the stunnel configure file: $ sudo stunnel stunnel.conf

Configure AuthPoint

Before you can sync your users to AuthPoint, you must:

Add a Group in AuthPoint

You must have at least one user group in AuthPoint to configure MFA. If you already have a group, you do not have to add another group.

To add a group to AuthPoint:

  1. From the navigation menu, select Groups.
  2. Click Add Group.
    The New Group page appears.

Screenshot that shows the Groups page.

  1. In the Name text box, type a descriptive name for the group.
  2. (Optional) In the Description text box, type a description of the group.

Screen shot of the New Group page.

  1. Click Save.
    Your group is listed on the Groups page.

Screenshot of the Save button on the New Group page.

Add an Authentication Policy to AuthPoint

Authentication policies specify which resources users can authenticate to and which authentication methods they can use (Push, QR code, and OTP).

We recommend that you configure authentication policies for your resources before you sync users form your external database to AuthPoint. If you already have authentication policies, you do not have to create a new authentication policy. You can add this resource to your existing authentication policies.

Users that do not have an authentication policy for a specific resource cannot authenticate to log in to that resource.

To configure an authentication policy:

  1. From the navigation menu, select Authentication Policies.
  2. Click Add Policy.

Screenshot of the Add Policy button on the Authentication Policies page.

  1. Type a name for this policy.
  2. From the Select the authentication options drop-down list, select Authentication options and select which authentication options users can choose from when they authenticate.

    For SAML resources, if you select more than one authentication option, users must select one of the available options when they authenticate. For example, if you select OTP and Push, users can choose to type their OTP or approve a push to authenticate. You cannot require that they do both.

  1. Select which groups this policy applies to. You can select more than one group. To configure this policy to apply to all groups, select All Groups.
  2. Select which resources this policy applies to. To configure this policy to apply to all resources, select All Resources.

Screenshot of the Add Policy page with the groups and resources selected

  1. (Optional) If you have configured policy objects such as a Network Location, select which policy objects apply to this policy. When you add a policy object to a policy, the policy only applies to user authentications that match the conditions of the policy objects. For example, if you add a Network Location to a policy, the policy only applies to user authentications that come from that Network Location. Users who only have a policy that includes a Network Location do not get access to the resource when they authenticate outside of that Network Location (because they do not have a policy that applies, not because authentication is denied).

    If you configure policy objects, we recommend that you create a second policy for the same groups and resources without the policy objects. The policy with the policy objects should have a higher priority.

Screenshot of the Policy Objects drop-down list.

  1. Click Save.
    Your policy is created and added to the end of the policy list.

    When you create a new policy, we recommend that you review the order of your policies. AuthPoint always adds new policies to the end of the policy list.

Screenshot of the Save button on the Add Policy page.

Configure an External Identity

The steps in this section are specific to Google Workspace. To learn how to sync users from Active Directory or other LDAP databases, see Sync Users from Active Directory or LDAP.

  1. Select External Identities.
  2. From the Type drop-down list, select LDAP. Click Add External Identity.

Screenshot of AuthPoint picture

  1. In the Name text box, type a descriptive name for the external identity.
  2. In the LDAP Search Base text box, type the domain name for your Google account. for example, if your Google email domain name is yourgoogle.com, you would type dc=yourgoogle,dc=com.
  3. Enable the toggle that says If your system account user is not in the Users CN, enable this option and type the user's DN below.
  4. In the System Account and Passphrase text boxes, type your Google Workspace access credentials.
  5. From the Synchronization Interval drop-down list, select Every 1 hour.

Screenshot of AuthPoint picture

  1. For Type, select Others.
  2. In the Domain text box, type the domain name for your Google account.
  3. In the Attribute related to the first name text box, type givenName.
  4. In the Attribute related to the last name text box, type sn.
  5. In the Attribute related to the user email text box, type mail.
  6. In the Main attribute to the LDAP user text box, type uid.
  7. In the Attribute related to the user login text box, type uid.
  8. In the Attribute related to the mobile number text box, type mobile.

Screenshot of the external identity settings.

  1. In the Server Address text box, type host IP address where Stunnel is installed.
  2. Disaple the LDAPS toggle.
  3. In the Server Port text box, type the port address that you configured in the Stunnel configuration file. In our example, we specified port 1389.

Screenshot of the external identity settings.

  1. Click Save.
  2. To verify that your external identity is configured correctly and AuthPoint can communicate with Google Workspace, next to your external identity, click and select Check Connection.

Sync Your Users to AuthPoint

  1. Next to your external identity, click and select Group Sync.
    The Group Sync page appears.
  2. Click Add New Group to Sync.
    The Add Group Sync window appears.
  3. From the Select LDAP Groups to Sync Users From drop-down list, select the Google Workspace groups you want to sync users from. You can select multiple groups.
  4. From the Select an AuthPoint Group to Add Users To drop-down list, select the AuthPoint group to add the users to. Synced users must be added to at least one AuthPoint group.

    For each group sync, all users are added to the same AuthPoint group. To add users to multiple AuthPoint groups you must create a group sync for each AuthPoint group you want to add the users to. To add users to separate AuthPoint groups, you must create a separate group sync for each LDAP group.

  5. Click Save.
  6. Click Back.
    You return to the External Identities page.
  7. Next to your external identity, click and select Advanced Query.
    The Advanced Query page appears.
  8. Click Add Advanced Query.
  9. In the Name text box, type descriptive name for this query.
  10. From Group drop-down list, select the AuthPoint group to add the users to.
  11. In the Advanced Query text box, type uid=*.
  12. Click Add.
  13. Click Back.
    You return to the External Identities page.
  14. Next to your external identity, click and select Start Synchronization.