Univention Bugzilla – Bug 44743
G Suite - Invalid email address after SAML
Last modified: 2018-04-14 14:12:39 CEST
Created attachment 8904 [details]
Screenshots

This is a domain with 14 enabled G Suite users. We populate OUs, users and groups from Univention to G Suite using Google Cloud Directory Sync. It is not possible to directly sync users' passwords (ldap userPassword set to e0s1S0VZfQ==).

In order to use the domain password with G Suite, we install and set up the "Google Apps for Work Connector" module. The setup wizard ends without errors, however when we tried to "Enable user for Google Apps for Work" there is no "Email address and username in Google Directory". The user has the "Primary e-mail address" set up to his G Suite mail address.

The SAML redirection and authentication apparently works, however G Suite returns an "Invalid email address" error.

The management-console-module-googleapps.log only has:

6.06.17 17:46:50.752 DEBUG_INIT
06.06.17 17:59:12.690 MAIN ( WARN ) : Shutting down all open connections
06.06.17 18:24:14.898 DEBUG_INIT
06.06.17 18:34:16.357 MAIN ( WARN ) : Shutting down all open connections

Attached a picture with all the mentioned stages.

Thanks,
(In reply to Camilo Vargas from comment #0)
> Created attachment 8904 [details]
> Screenshots
>
> This is a domain with 14 enabled G Suite users. We populate OUs, users and
> groups from Univention to G Suite using Google Cloud Directory Sync. It is
> not possible to directly sync users' passwords (ldap userPassword set to
> e0s1S0VZfQ==).

The idea of using G Suite with UCS and SAML is to not expose the user passwords (or their hashes) to Google. Therefore the use of SAML. Google does not need to ever know any password.

> In order to use the domain password with G Suite, we install and set up the
> "Google Apps for Work Connector" module. The setup wizard ends without
> errors, however when we tried to "Enable user for Google Apps for Work"
> there is no "Email address and username in Google Directory". The user has
> the "Primary e-mail address" set up to his G Suite mail address.

The email address will be set once the user has been created in the Google directory. After enabling Google Apps for Work for a user, wait a few seconds and open the user again. There should be an email address now.

All activity is logged to this logfile: /var/log/univention/listener.log
Please investigate it.

> The SAML redirection and authentication apparently works, however G Suite
> returns an "Invalid email address" error.

What email address is used? Please run this:

# univention-ldapsearch -LLL univentionGoogleAppsEnabled=1 uid mailPrimaryAddress univentionGoogleAppsPrimaryEmail univentionGoogleAppsObjectID
Another problem might be that your users were already created in G Suite before you set up our App on UCS. It is currently not possible for our listener to modify existing users that were not created by the app itself.
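To evaluate the output of the univention-ldapsearch command requested in comment #1 without reading the LDIF by eye, here is an added example (not part of this bug thread and not Univention's own code). It filters the LDIF for enabled users whose univentionGoogleAppsPrimaryEmail or univentionGoogleAppsObjectID is still unset, i.e. the users the listener never created on the Google side, whether because the account pre-existed in G Suite or because the sync failed and should be traced in /var/log/univention/listener.log. The LDIF below is constructed sample data with invented uids and addresses; running it against a live directory assumes root on a UCS system.

```shell
#!/bin/sh
# Added example, not from the bug report or the Univention connector.
# Reads LDIF (as printed by "univention-ldapsearch -LLL ...") on stdin and
# prints "uid<TAB>mailPrimaryAddress" for every entry that lacks
# univentionGoogleAppsPrimaryEmail or univentionGoogleAppsObjectID.
# Caveat: LDIF base64 values ("attr:: ...") and folded lines are not decoded.
missing_gsuite_attrs() {
    awk '
        # strip "attribute: " and return the bare value
        function val(line) { sub(/^[^:]*: /, "", line); return line }
        # report the finished entry if a Google-side attribute is missing
        function flush() {
            if (uid != "" && (gemail == "" || gid == ""))
                printf "%s\t%s\n", uid, mail
            uid = ""; mail = ""; gemail = ""; gid = ""
        }
        /^$/                                  { flush(); next }
        /^uid: /                              { uid = val($0) }
        /^mailPrimaryAddress: /               { mail = val($0) }
        /^univentionGoogleAppsPrimaryEmail: / { gemail = val($0) }
        /^univentionGoogleAppsObjectID: /     { gid = val($0) }
        END                                   { flush() }
    '
}

# Constructed sample output of the ldapsearch from comment #1 (assumption:
# alice is fully synced, bob was never created by the listener, carol has an
# e-mail but no object ID).
SAMPLE_LDIF='dn: uid=alice,cn=users,dc=example,dc=com
uid: alice
mailPrimaryAddress: alice@example.com
univentionGoogleAppsPrimaryEmail: alice@example.com
univentionGoogleAppsObjectID: 100000000000000000001

dn: uid=bob,cn=users,dc=example,dc=com
uid: bob
mailPrimaryAddress: bob@example.com

dn: uid=carol,cn=users,dc=example,dc=com
uid: carol
mailPrimaryAddress: carol@example.com
univentionGoogleAppsPrimaryEmail: carol@example.com
'

# Stand-alone run over the constructed sample: lists bob and carol.
printf '%s' "$SAMPLE_LDIF" | missing_gsuite_attrs

# On a UCS system (as root) feed the live query instead of the sample:
#   univention-ldapsearch -LLL univentionGoogleAppsEnabled=1 uid mailPrimaryAddress \
#       univentionGoogleAppsPrimaryEmail univentionGoogleAppsObjectID | missing_gsuite_attrs
```

Any uid this prints is a user for whom SAML will fail with "Invalid email address" regardless of the address in the assertion, because G Suite has no matching account created by the connector; the listener.log entries for that uid show why the create never happened.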
(In reply to Daniel Tröder from comment #1)
> > This is a domain with 14 enabled G Suite users. We populate OUs, users and
> > groups from Univention to G Suite using Google Cloud Directory Sync. It is
> > not possible to directly sync users' passwords (ldap userPassword set to
> > e0s1S0VZfQ==).
> The idea of using G Suite with UCS and SAML is to not expose the user
> passwords (or their hashes) to Google. Therefore the use of SAML. Google does
> not need to ever know any password.

Hi Daniel / Erik,

This is not related to the bug, but our ideal solution would be to share the password hashes with Google. This would have two benefits: 1. We wouldn't have to expose our UCS server to the internet in order to allow users to authenticate in G Suite and 2. authentication with G Suite and other external apps (like Trello) would keep working even if our server is down.

Now, coming back to the bug, is there a way we can start using the G Suite Connector with the existing users? I took a look at G Suite and there is no easy way to rename the accounts so UCS could create them and then migrate back all the data.

As a workaround, I could set up a standard SAML authentication with Google using the "SAML identity provider" module and keep syncing users, groups, etc. with "Google Cloud Directory Sync" without using the "Google Apps for Work Connector".

Thanks,
(In reply to Camilo Vargas from comment #3)
> (In reply to Daniel Tröder from comment #1)
> > > This is a domain with 14 enabled G Suite users. We populate OUs, users and
> > > groups from Univention to G Suite using Google Cloud Directory Sync. It is
> > > not possible to directly sync users' passwords (ldap userPassword set to
> > > e0s1S0VZfQ==).
> > The idea of using G Suite with UCS and SAML is to not expose the user
> > passwords (or their hashes) to Google. Therefore the use of SAML. Google does
> > not need to ever know any password.
>
> Hi Daniel / Erik,
>
> This is not related to the bug, but our ideal solution would be to
> share the password hashes with Google. This would have two benefits: 1. We
> wouldn't have to expose our UCS server to the internet in order to allow
> users to authenticate in G Suite and 2. authentication with G Suite and
> other external apps (like Trello) would keep working even if our server is
> down.

Even if we wanted to, we could not access the unhashed value of user passwords. So this is simply not possible.

As I wrote above, you don't have to expose your UCS server to the internet for SAML to work.

> Now, coming back to the bug, is there a way we can start using the G Suite
> Connector with the existing users? I took a look at G Suite and there is no
> easy way to rename the accounts so UCS could create them and then migrate back
> all the data.

Currently that is not easily done. I created a feature request for that (→ Bug #44749), which describes the process, but there is no ETA. If you feel adventurous, you can try it manually yourself.

I'm closing this bug, because there doesn't seem to be any error with the promised product features (which are syncing UCS users to gsuite and authenticating against UCS, see https://www.univention.com/2016/10/integrate-cloud-service-google-apps-for-work-in-ucs/).