How do I enable access to SaaS applications for my employees?


[MUSIC PLAYING] RAVI KIRAN KUMAR: Welcome to the
Google Cloud Security Showcase, a special web series where
we will focus on security use cases that customers can
solve with G Suite and Cloud Identity. My name is Ravi, and
I’m a product manager at Google Cloud. Today, we’ll be walking through
one of the top questions we get from our customers. How do I enable access to SaaS
applications for my employees? When you look at SaaS-based
applications in the market, you will see these applications
supporting a variety of authentication protocols. For example, you may find
some SaaS-based applications that support HTTP-based
authentication and single-sign-on protocols
like SAML or OpenID Connect. On the other hand, you
will see another set of SaaS-based applications that
support protocols like LDAP. In this demo, we’re
going to see how to configure single
sign-on using SAML-based applications and
also LDAP-based applications. Let’s start with
SAML-based applications. This is the familiar
G Suite Admin Console. Now you start Application
Management by clicking on Apps. And then click on SAML Apps. Let’s start onboarding
SAML-based applications by clicking on this
big yellow button. You’ll be able to see a
preintegrated applications list here. If you don’t find
your applications in this Preintegrated
Applications Catalog, you can click on SETUP
MY OWN CUSTOM APP. For now, let’s see how you
can configure single sign-on with an application
called Asana. I’ll start typing in,
I’m selecting Asana. So in this first
screen, you need to copy this information
so that you can configure Asana to point to Google. So start copying
SSO URL, Entity ID, and also download
the certificate. Asana requires you
to type in the text version of the certificate. So I’m going to open this
certificate in a text editor and copy the contents. I’m clicking on Next. It shows the application name. Next, here’s the information
that’s preconfigured for you. Since Asana is part of
Preconfigured Applications Catalog, we’ve preconfigured
the ACS URL and also other configuration that’s
required for single sign-on. I’m clicking on Finish. Now your application
is already set up. And I’m opening
Application Details and clicking on Edit Service
to enable this service. If your application
should be available for your entire company,
click on ON for everyone. You can also configure
your application to be available only for
a subset of your employees here by selecting
one or more OUs and then enabling
the application. I’m clicking on Save
here and that’s it. We’re done onboarding this
application in Google. So now let’s open
Asana Control Panel. So here’s where
you will configure Asana to point to Google from
a single sign-on perspective. So I’m clicking
on my profile icon here and click on
organizational settings. Click on Administration. And currently,
Asana is configured to use Asana’s
account and password. I’m switching to SAML. And if you look at
these two fields, the sign-in page
URL is the SSO URL that you have seen during the
onboarding of Asana application within Google. And then also, this is the text
version of the certificate. I’m clicking on Save. Now, from an
end-user perspective, end-users can access this
application in two ways. The first option is you
can go to any G Suite application like
Calendar, Gmail, Drive, and click on the App
Launcher icon here. I’m scrolling down. And you’ll be able to
see Asana icon here. Another option is your users
can open the full-page version of your application
hub by typing in apps.google.com/user/hub,
where you will be able to see the full-page version
of your application hub. Here is the list of G Suite
applications you have. And when you scroll down, you’ll
be able to see Asana here. All right. So now let’s see how
you can configure an LDAP-based application. Let’s go back to the Home
page of Admin Console. And again, LDAP-based
applications, you’ll find it in
Applications Hub here. And then I’m clicking on LDAP. This is a list of
LDAP-based applications that I have already
onboarded in my system. In order to onboard a
new LDAP-based system, I’m clicking on Add Client. Type in the LDAP-based
application name, and then click on Continue. In this screen, you can
set the access permissions for your LDAP client. So if your LDAP client is
used by your entire domain, you’ll be able to click on this. However, if your application is
used only by a subset of users, and if you want only those
users to authenticate through this
application, you can click on selected
organizational units, and then you can select one or
more organizational units here. In the same manner,
you can control how much of your directory is
exposed to this LDAP client for user lookups. Again, so you can expose
your entire directory or a subset of your directory. In a similar manner, you can
say whether your groups are exposed to LDAP clients or not. Now I’m clicking
on Add LDAP Client to onboard this application. Within a few seconds, we
will onboard this application within Google, and we also
have a digital certificate that you can use to upload this
in PaperCut in my LDAP Client. So I’m downloading
the certificate. I’m clicking on Continue
to Client Details. I’m going to enable this service
for everyone in my domain. And now let’s see part
two of this configuration. That is, going to
PaperCut Admin Console and configuring it
to point to Google. So by clicking on
Options, User/Groups, you’ll be able to see the
identity provider configuration details here. So here, there are a
number of directories that you can choose. One of these options is
Google Cloud Directory. If you’re configuring an LDAP
application that does not show Google Cloud
Directory, you can select Open LDAP or Active Directory. Now let’s type in– I’m typing in the
domain name here. And then you can
click on Choose File. And then choose the
digital certificate that I just downloaded. I’ve already uploaded
a certificate for you. So we chose the certificate
expiration date. And now I’m scrolling down and
clicking on Synchronize Now. So now, the PaperCut is
authenticating itself with Google using the
digital certificate that we have uploaded. And it was able to read a
bunch of users and also groups. So from an end-user
perspective, they can walk up to any multifunction
printer, and then they can release the print jobs
by typing in their Google credentials. Because PaperCut
is designed to work with Google for
authentication, it takes those user credentials
and authenticates with Google. And then it releases the
print jobs for users. You just saw how it configured
a SaaS-based application which supports LDAP-based
protocol with G Suite. But G Suite supports any
LDAP-based application. It doesn’t have to be a
SaaS-based application. So your LDAP-based
application can reside on-premise or in your
public cloud or private cloud. And also, it works with any
of your IT infrastructure servers like VPN servers,
network [INAUDIBLE] servers, or any other application
or service that supports LDAP-based authentication. Thank you for tuning in. Please visit
cloud.google.com/security for more content from
Google Cloud experts. [MUSIC PLAYING]
