Integrate Google Workspace as an Identity Provider

Juniper Mist Access Assurance can use Google Workspace as an Identity Provider (IdP) through Google's Secure LDAP service, reached over an LDAPS (LDAP over TLS) connector. The connector supports the following use cases:

  • After a certificate-based (EAP-TLS) or EAP-TTLS authentication, authorization lookups that:
    • Retrieve the user's group memberships, so that authentication policies can be based on that user identity
    • Get the status, active or suspended, of the user account
  • For EAP-TTLS with PAP:
    • Validate the username and password against Google Workspace

Configuration on Google Workspace

The following procedure shows you how to configure Google Workspace as an identity provider (IdP) with Juniper Mist.

  1. Log in to your Google Workspace portal by using your Google administrator credentials.

    The Google Admin dashboard appears.

  2. Create an LDAP client.
    1. From the Google Admin console, on the left-navigation bar, go to Apps > LDAP and click Add Client.
    2. Provide an LDAP client name and an optional Description and click Continue.

      The Access permissions page is displayed after adding the LDAP client.

  3. Configure the access permissions for the LDAP client.

    The following options are available:

    • Verify user credentials—Allows the client to check a username and password (used for EAP-TTLS/PAP). This setting specifies the organizational units and groups whose users the LDAP client may verify credentials for.
    • Read user information—Allows the client to read basic user information. This setting specifies the organizational units and groups the LDAP client can read user details from.
    1. Select Entire domain for both options unless you want to limit the client to specific organizational units or groups. Granting only the scope that needs network access keeps the LDAP client's reach to a minimum if its credentials are ever exposed.
    2. Scroll down to Read group information and enable it. This setting determines whether the LDAP client can read group details and check a user's group memberships; without it, the group lookup that feeds IdP Roles returns nothing.

      After you finish configuring the access permissions and add the LDAP client, the client certificate is generated automatically on the same page.

  4. Download the generated LDAPS client certificate.
    1. Click Download certificate and save the download in a secure place. It contains the client certificate (.crt) and its private key (.key); anyone holding the key and the access credentials can query your directory as this client, so treat both as secrets. You'll need these files when you set up the IdP on the Juniper Mist portal.
    2. Click Continue to Client Details.

      The Settings for <LDAP client name> page appears.

    3. Expand the Authentication section.
    4. Under Access Credentials, click Generate New Credentials.

      You can view the username and password on the Access credentials page.

      Copy and save the username and password. You need these details for the LDAPS client configuration on the Juniper Mist cloud portal.

  5. Enable the LDAP client service by changing the service status to On for the LDAP client. This step enables you to set up a client with the Secure LDAP service.
    1. From the Google Admin console, go to Apps > LDAP. Select your client and click Service Status.

      The service status, displayed at the top right of the page, is initially set to OFF.

      Select On for everyone to turn on the service. Allow some time for the change to take effect on the Google side.

Configuration on Juniper Mist Dashboard

  1. On the Juniper Mist portal, from the left menu select Organization > Access > Identity Providers.

    The Identity Providers page appears, displaying a list of configured IdPs (if any).

    Figure 1: Identity Providers Page
  2. Click Add IDP to add a new IdP.
  3. On the New Identity Provider page, enter the required information to integrate with Google Workspace.
    Figure 2: Update Identity Provider Details

    Now configure the LDAPS connector to integrate with the Google Workspace LDAP endpoint.

    • Name—Enter an IdP name. (In this example, enter Google Workspace.)
    • IDP Type—Select LDAPS.
    • LDAP Type—Select Custom.
    • Group Filter—Select memberOf. Juniper Mist reads the user's group memberships from the memberOf attribute of the user entry.
    • Member Filter—Select memberOf.
    • User Filter—Enter (mail=%s). The %s is replaced with the identity the user presents during authentication, so the lookup matches on the user's Google e-mail address.
    • Server Hosts—Enter ldap.google.com.
    • Domain Names—Enter your Google Workspace domain name. For example: abc.com.
    • Bind DN—Enter the username generated by Google in the previous step.
    • Bind Password—Enter the password generated for that username.
    • Base DN—Configure a base DN that matches your Google Workspace domain. For example, if your domain is abc.com, the base DN is dc=abc,dc=com.
  4. In the CA Certificates section, click Add Certificate and paste the two CA certificates that validate the LDAPS server certificate presented by ldap.google.com (Figure 3). Without a trusted CA, the connector cannot verify that it is talking to Google before it sends the bind credentials.
    Figure 3: Add CA Certificate
  5. Under Client Certificate, add the client certificate you downloaded from Google. Paste the contents of the file ending in .key under Private Key, and the file ending in .crt under Signed Certificate, as shown in the following sample:
    Figure 4: Add Client Certificate

    Click Save.
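The following is an added example, not code from Juniper or Google, that reproduces the lookup the connector performs with the settings above: it derives the Base DN from the domain, substitutes the presented identity into the (mail=%s) User Filter with RFC 4515 escaping (the identity comes from the supplicant, so an unescaped value could widen the search), reduces memberOf values to role names, and builds the equivalent manual check with OpenLDAP's ldapsearch so that you can confirm the Google side works before saving the IdP. The file names, the bind username TestClient, and the shape of the memberOf DNs in the sample entry are assumptions; nothing here contacts ldap.google.com.

```python
import re
import shlex

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def base_dn_from_domain(domain: str) -> str:
    """Apply the page's Base DN rule: abc.com -> dc=abc,dc=com."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("domain must contain at least one label")
    return ",".join(f"dc={label}" for label in labels)


def user_filter(identity: str, template: str = "(mail=%s)") -> str:
    """Substitute the identity the supplicant presented into the User Filter.

    The identity arrives over the EAP exchange and is attacker-controlled, so
    it is escaped first: an unescaped '*' would turn the lookup into a
    wildcard match against every user under the Base DN.
    """
    return template.replace("%s", escape_filter_value(identity))


def ldapsearch_command(domain, bind_user, identity,
                       cert="ldap-client.crt", key="ldap-client.key"):
    """Build the equivalent manual lookup with OpenLDAP's ldapsearch.

    Google Secure LDAP needs both the downloaded client certificate (TLS
    client authentication, passed through OpenLDAP's LDAPTLS_CERT and
    LDAPTLS_KEY variables) and the generated access credentials (simple
    bind). -W prompts for the password instead of exposing it on the command
    line. The file names are placeholders for the files Google provided.
    """
    argv = [
        f"LDAPTLS_CERT={cert}", f"LDAPTLS_KEY={key}", "ldapsearch",
        "-H", "ldaps://ldap.google.com:636",
        "-D", bind_user, "-W",
        "-b", base_dn_from_domain(domain),
        user_filter(identity),
        "mail", "memberOf",
    ]
    return shlex.join(argv)


# Constructed sample of what the lookup returns for one user; the DN layout
# of the memberOf values is an assumption made for this example.
SAMPLE_ENTRY = {
    "dn": "uid=alice,ou=Users,dc=abc,dc=com",
    "mail": ["alice@abc.com"],
    "memberOf": [
        "cn=engineering,ou=Groups,dc=abc,dc=com",
        "cn=vpn-users,ou=Groups,dc=abc,dc=com",
    ],
}


def roles_from_entry(entry: dict) -> list:
    """Reduce memberOf DNs to the group names that appear as IDP Roles."""
    roles = []
    for dn in entry.get("memberOf", []):
        match = re.match(r"cn=([^,]+),", dn, re.IGNORECASE)
        if match:
            roles.append(match.group(1))
    return roles


if __name__ == "__main__":
    print(ldapsearch_command("abc.com", "TestClient", "alice@abc.com"))
    print(user_filter("*)(mail=*"))  # escaped: no wildcard, no injected clause
    print(roles_from_entry(SAMPLE_ENTRY))
```

Run the printed ldapsearch line from a host that has the extracted .crt and .key files; a result containing the user's mail and memberOf attributes confirms the access permissions, the service status and the credentials are right before you save the IdP in Juniper Mist.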

Verify the Integration

On the Juniper Mist portal, go to Monitoring > Insights > Client Events.

When a user authenticates with EAP-TLS (certificate-based), you can see the NAC IDP Group Lookup Success event, which shows the group memberships fetched from Google Workspace.

Figure 5: IDP Group Lookup Success Authentication Event

When a user authenticates with EAP-TTLS/PAP, you can see both events: NAC IDP Authentication Success, which indicates that Google Workspace validated the user's credentials, followed by NAC IDP Group Lookup Success for the group membership lookup.

Figure 6: IDP Authentication Success Event

You can use the IDP Roles returned from Google Workspace in your Auth Policy rules to segment the network based on user role.

About EAP-TTLS/PAP with Google Workspace

With Extensible Authentication Protocol–Tunneled TLS (EAP-TTLS) and PAP, the client sends its username and password to Juniper Mist inside the TLS tunnel, and Juniper Mist validates them against Google Workspace over LDAPS using the Verify user credentials permission granted above. This is legacy, password-only authentication: the password is checked without MFA, so any second factor configured in Google Workspace is not enforced for the network login. Consider the following when using this method:

  • Configure client devices with the correct Wi-Fi profile, either through GPO or MDM. On some operating systems, entering only a username and password at the login prompt does not work.
  • Users must enter the username in Google e-mail address format (username@domain), because the User Filter (mail=%s) matches on the mail attribute.
  • Configure clients to trust the server certificate presented by Juniper Mist, so that a client only releases its password inside a tunnel to the legitimate authentication server. See Use Digital Certificates.