Pfsense Captive Portal and Google LDAP Sign In for single sign on with other gapps
-
Hi,
first of all I'd like to say thanks in advance to those who will try to help me.
What I want to accomplish is a pfSense Captive Portal working with Google Suite (Enterprise and Education) as Identity Provider and Single Sign-On.
Actually, my pfSense Captive Portal works fine with the new Google LDAP implementation: my "Google Suite User" logs in correctly with his account email and password. Then pfSense enables my user to go online, but my user needs to reauthenticate in all Google Suite apps (Gmail / Google Drive etc. and our custom web app).
I think there are 3 ways to achieve that result:
- Solution A: somehow integrate Google sign-in within the captive portal
- Solution B: use a whitelisted preauthentication page hosted at our custom web app, where I can sign in with my Google account, then go back to the captive portal with some sort of POST data from my web app, which has to be read by the pfSense captive portal to trigger Google LDAP
- Solution C: use an external authentication server, where I can implement Google sign-in (or Google SAML).
Solution C is not usable in my case, because I need users to be enabled and disabled via Google Suite Administration (only users with certain group memberships are allowed to browse).
To use Solution A or B, I need some tips about the pfSense code: are there any guidelines for developers who need to customize login functions or similar? Because I've seen the documentation about custom captive portal pages, but it discusses only the frontend page, not the real authentication script. Which files implement Google LDAP authentication?
Does anyone have any suggestion?
Thank you
-
@micdeep I would choose solution B.
G Suite seems to support LDAP authentication,
see https://support.google.com/a/answer/9048516?hl=en
or maybe https://github.com/hlavki/g-suite-identity-sync ? (pfSense supports LDAP logins for the captive portal out of the box)
-
Sorry, I realized that I didn't fully reply to you.
You can configure LDAP authentication from the User Manager (check the documentation for more info: https://docs.netgate.com/pfsense/en/latest/usermanager/user-authentication-servers.html ).
Once you have added an LDAP server, you will be able to use it in the captive portal as the authentication backend.
-
@free4 said in Pfsense Captive Portal and Google LDAP Sign In for single sign on with other gapps:
@micdeep I would choose solution B.
G Suite seems to support LDAP authentication,
see https://support.google.com/a/answer/9048516?hl=en
or maybe https://github.com/hlavki/g-suite-identity-sync ? (pfSense supports LDAP logins for the captive portal out of the box)
Any tips about modifying the captive portal engine? https://github.com/hlavki/g-suite-identity-sync seems to be a good suggestion, thanks.
@free4 said in Pfsense Captive Portal and Google LDAP Sign In for single sign on with other gapps:
You can configure LDAP authentication from the User Manager (check the documentation for more info: https://docs.netgate.com/pfsense/en/latest/usermanager/user-authentication-servers.html ).
Once you have added an LDAP server, you will be able to use it in the captive portal as the authentication backend.
Maybe I didn't explain myself well (sorry, English is not my primary language). I already enabled LDAP on my pfSense, and it works quite well, but when a user logs in, this authentication doesn't enable him on the Google Suite apps; he needs to do another login directly on a Google app.
@micdeep said in Pfsense Captive Portal and Google LDAP Sign In for single sign on with other gapps:
Actually, my pfSense Captive Portal works fine with the new Google LDAP implementation: my "Google Suite User" logs in correctly with his account email and password. Then pfSense enables my user to go online, but my user needs to reauthenticate in all Google Suite apps (Gmail / Google Drive etc. and our custom web app).
Thank you for your help