Delegated administration for Google Workspace - teacher updates student password

Teacher updates students Google password, using Delegated administration.

PreviousDelegated administration for Google Workspace - teacher updates student guardians NextProtect Google Workspace with eID MFA

Last updated 8 months ago

Delegated administration for Google Workspace - teacher updates student password

Teacher updates students Google password, using Delegated administration.

Scenario

In this use case there is one scenario:

Delegated administration for Google Workspace. In this scenario, a teacher will login to Fortified ID Forms using Google Workspace as the IdP. Once logged in, a list of students (which the teacher is responsible for) will be listed. The teacher will click on one of the students and is then able to update the student password. When the form is committed, the new values are set on the student google account. Forms will act as a SAML SP against Google to perform authentication (for the teacher). Forms will use Google Directory API to perform read and update operations against the Google User Directory API (Google Admin SDK). A configurable user property (in the example department) is used to link the teacher with the correct students.

This scenario could easily be copied and modified to fulfill other delegated administration tasks against Google:

Updating other user attributes
Creating new users
Updating users
Deleting users
List users

Please contact info@fortifiedid.se for assistance on tweaking the use case.

Prerequisite

FortifiedID Forms current version installed
Google Workspace administration rights.
Host (DNS) name of the Forms service (external access)
Google user attributes
- The attribute name that connects the teacher with the students to manage
Google group name containing teachers

Configuration

Download and add configuration

Remember that this use case does not describe installation of the products. Products are expected to be installed in advance.

Download ZIP containing configuration for Forms
Add Forms configuration to your environment.
1. Rename the existing customer folder to customer_ORG. Add the customer folder to your \..\fortifiedid\forms\ folder.

Update the Google Workspace configuration for Directory API

Update the configuration to map your environment

The downloaded folders contains all information needed. For example, a test certificate and metadata files are included. However, some data needs to be changed to map your environment. Also the http ports might need to be changed if they are not available in your environment.

Forms

In this section we will look at parts of the configuration and add/replace data for your environment. In this use case we are using the globals concept which is using variables to easily replace data specific to an environment or if a value is used in many places just update it in one place.

Open the file customer/config/globals.json. Change according to the instructions below.

file_paths -> base_dir*
1. base_dir* is the folders where data is located that you do not want to be overwritten by an upgrade. Update the base_dir folder to map your installation.
  1. For Windows the value should be: "base_dir": "../customer", "base_dir_html": "../customer"
  2. For non-Windows operating systems, the value should be: "base_dir": ".", "base_dir_html": "."
```
"file_paths": {
        "base_dir": ".",
        "base_dir_html": "."
```
forms_paths -> base_dir
1. base_dir is the folder where flows data is located that you do not want to be overwritten by an upgrade. Update the base_dir folder to map your installation.
  1. For Windows the value should be: "base_dir": "../customer"
  2. For non-Windows operating systems, the value should be: "base_dir": "."
```
"forms_paths": {
        "base_dir": "."
```
saml_metadata_template -> location Change the host value to your Forms DNS name entry.
```
"location": "https://80a1-193-181-250-5.ngrok-free.app/forms/authn/login"
```

keystore - saml The keystore used to sign SAML authentication requests. For test environments, you may use the test certificate provided by us, if so you do not need to change anything. For production environments, you should use your own keystore and update the values below to point to that keystore.

        	"saml": {
                    "alias": "1",
         	    "key_password": "password",
         	    "password": "password",
       		    "path": "${globals.base_dir}/config/resources_internal/certificates/fortifiedid.p12"
            }

http - http_port Set the listening port for Forms. Adjust the front end proxy to pass and reverse traffic to that port.

Save the globals.json file.

Start the Forms service and verify the start by looking through the server.log file.

Update the Google Workspace configuration - act as a SAML IdP

Prepare values

Open the file customer/config/resources_internal/saml_sp_metadata/sp_forms.xml in a text editor
Copy this value (this will be added to Google later).
- AssertionConsumerService->Location. (URL)

Setup Google

Testing the use case

As a delegated admin (teacher), browse to https://<your_forms_dns_name>/forms/google_pwdreset_my_users
You should be redirected to the IdP (Google)
Authenticate with your Google credentials (if already logged in, you will get SSO)
You should be redirected back to Forms
You should now be logged in to Forms.
A list of users (students) should be listed.
Click on one of the users
User info should be displayed.
Set the password for ths user. Update user.
The Google student account is now updated with a new password. The student should now be able to log in with the new password.

Check server.log file to find errors. Fix accordingly.