How to Manage Certificates on G-Suite

Sam Metzler Education

Many organizations with a Google Apps network use credential-based authentication for network access. While it is pretty straightforward, authenticating with passwords is incredibly risky nowadays.

An overwhelming majority of cyber attacks were able to infiltrate the network through weak or stolen passwords. The problem is that passwords rely on the human element, and we humans can be easily tricked into giving away our passwords. To make matters worse, there aren’t any native solutions for G-Suite to deploy 802.1x, meaning Google Apps admins have to use less secure methods of authentication.

Fortunately, certificates offer an easy way for network admins to migrate efficiently to the cloud, deploy 802.1x, and safely grant network access to end users. Certificates can eliminate over-the-air credential theft because the key material behind them is computationally infeasible to break. Even if someone outside the network were to get their hands on a certificate, it would take them years to crack. Certificates are configured for authentication with EAP-TLS, the most secure authentication protocol.

Network visibility is also a breeze with certificates because admins can map user attributes onto certificates so the device is easier to track on the network. Admins can learn exactly who is on the network, what they’re doing, and for how long.

How to Deploy Certificates in G-Suite

Many organizations have avoided deploying certificates because it seems too complicated to get a certificate onto every network device. That’s actually not the case if admins use onboarding software for BYODs and Gateway APIs for managed devices. Both of these systems allow admins to automate device configuration and certificate enrollment. Manually configuring each device for network access is a thing of the past.

A Public Key Infrastructure (PKI) is required to deploy certificates. Fortunately, SecureW2 offers a turn-key PKI solution that requires no forklift upgrades. Setup can be completed in a matter of hours and doesn’t require certificate experts to configure.

SecureW2 also has an in-depth guide on how to deploy EAP-TLS certificates for Managed Chromebooks.

Generating Certificates for G-Suite Users with SecureW2

Below is a brief overview detailing how G-Suite customers can generate and deploy certificates. We’ll be using SecureW2’s Managed PKI services for our documentation. You will need an active SecureW2 account and Cloud Connector subscription to complete the process.

Use SecureW2’s Getting Started Wizard to integrate G-Suite. Our PKI services are completely turnkey. The Getting Started Wizard provides G-Suite admins with everything they need, and setup can be done in less than an hour.

Create an Identity Provider in SecureW2

An identity provider (IDP) is the system that proves the identity of the end user and device. Creating an IDP in SecureW2 tells the Cloud Connector system how to connect to the G-Suite user database, verify user credentials, and issue certificates.

  1. Log in to your SecureW2 Management Portal.
  2. Navigate to Identity Management > Identity Provider.
  3. Click Add Identity Provider. The following screen appears.
  4. Enter Name and Description and select SAML from the Type drop-down list.
  5. Click Save.

Create a SAML Application in Google

Your SAML application allows a user to enter their Google credentials in SecureW2’s software, which are then passed to your IDP for verification. Your IDP verifies the user’s identity and then sends attributes to your SAML application, which then passes the attributes to SecureW2 to configure devices for secure network access and enroll for certificates.

  1. Log in to your Google Admin Console.
  2. From the menu on the left, click Apps.
  3. In the Applications screen, click SAML apps.
  4. Click the yellow circle on the bottom-right side of the screen. When you hover your mouse over the circle, it shows Enable SSO for a SAML Application.
  5. Click SETUP MY OWN CUSTOM APP. The following screen appears.
  6. Under Option 2, click the DOWNLOAD button against the IDP metadata and save the metadata file (.XML) on your computer. You need to import this metadata file to SecureW2 Management Portal.
  7. In your SecureW2 Management Portal, navigate to Identity Management > Identity Providers.
  8. Click on Edit against the SAML application that you created earlier. The following screen appears.
  9. Click on the Configuration tab. The following screen appears.
  10. Under Identity Provider (IDP) Info, click the Choose File button against Metadata and select the metadata (.XML) file that you downloaded from Google Apps earlier.
  11. Click Upload and then click Update.
  12. Return to your Google SAML App setup and on the Basic information for your Custom App page, enter the Application Name and Description. Then, click Next.
  13. On the Service Provider Details screen, enter the ACS URL and the Entity ID.
  14. Select the Signed Response option.
  15. Click Next.
  16. Click Finish on the Attribute Mapping screen.

NOTE: To get the ACS URL and the Entity ID, log in to your SecureW2 Management Portal. Navigate to Identity Management > Identity Providers > click Edit against your Identity Provider > Configuration. Copy the ACS URL and the Entity ID and paste them into the relevant fields on the Service Provider Details screen in Google SAML Apps.

Configure Attribute Mapping

Attribute mapping lays out the attributes that are returned by your IDP and used for granting access to users. Once your IDP identifies a user, it sends attributes to your SAML application, which then sends the attributes to SecureW2. SecureW2 encodes these attributes onto the certificate it issues. To set up SAML authentication, you need to configure attribute mapping in your Google admin console, as well as in SecureW2.

  1. In the Google Admin Page, scroll down to Attribute Mapping.
  2. Click on ADD NEW MAPPING to configure the attributes to be encoded into the certificate.

NOTE: It is likely that your directory will have a name and an email.

  1. In the Enter the application attribute field, enter name.
  2. From the Select category drop-down list, select Basic Information.
  3. From the Select user field drop-down list, select First Name.
  4. Click Save.
  5. Click Add New Mapping again.
  6. In the Enter the Application Attribute field, enter email.
  7. From the Select category drop-down list, select Basic Information.
  8. From the Select user field drop-down list, select Primary Email.
  9. Click Save.

Once Google has identified an end user, it sends their name and email to SecureW2. SecureW2 can then populate these values into the variables in the certificates it issues.

  1. In your SecureW2 Management Portal, navigate to Identity Management > Identity Providers.
  2. Click on Edit against the SAML application that you created earlier. The following screen appears.
  3. Click on the Attribute Mapping tab. The following screen appears.
  4. Click Add.
  5. In the Local Attribute field, enter email as the name of the variable.
  6. From the Remote Attribute drop-down list, select USER_DEFINED. Enter email in the field that appears next to the Remote Attribute field when you select USER_DEFINED.
  7. Click Next.
  8. Click Add.
  9. In the Local Attribute field, enter displayName as the name of the variable.
  10. From the Remote Attribute drop-down list, select USER_DEFINED. Enter name in the field that appears next to the Remote Attribute field when you select USER_DEFINED.
  11. Click Next.
  12. Click Add.
  13. In the Local Attribute field, enter upn as the name of the variable.

NOTE: upn stands for User Principal Name. It is the first attribute the RADIUS server authenticates against. This is useful when the user connects to your network and wants to use eduroam, because the RADIUS server can then find the user’s home university from the domain part of the email address.

  1. From the Remote Attribute drop-down list, select USER_DEFINED. Enter email in the field that appears next to Remote Attribute field when you select USER_DEFINED.
  2. Click Update.

The attributes are now configured and you can view them under certificates.
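As an added illustration (not SecureW2’s own code or Google’s output), the snippet below applies the mapping configured above to a constructed SAML attribute statement: the remote attributes name and email are turned into the local certificate variables email, displayName and upn, a missing required attribute is rejected rather than producing a certificate that cannot be tied to a user, and the eduroam realm is derived from the upn. The sample assertion and the helper names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Local certificate variable -> remote SAML attribute, exactly as configured above.
ATTRIBUTE_MAP = {
    "email": "email",
    "displayName": "name",
    "upn": "email",
}

# Constructed sample assertion (not real Google output) carrying the two
# application attributes defined in the Google SAML app: name and email.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="name">
      <saml:AttributeValue>Ada</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>ada@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def remote_attributes(assertion_xml):
    """Collect the attributes the IDP returned, keyed by application attribute name."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values[0] if values else None
    return attrs


def map_certificate_attributes(assertion_xml, mapping=ATTRIBUTE_MAP):
    """Apply the local <- remote mapping; refuse to continue if a required
    remote attribute is absent, since the certificate could not identify the user."""
    remote = remote_attributes(assertion_xml)
    local = {}
    for local_name, remote_name in mapping.items():
        if not remote.get(remote_name):
            raise ValueError(f"IDP did not return required attribute '{remote_name}'")
        local[local_name] = remote[remote_name]
    return local


def realm_from_upn(upn):
    """The part after '@' is the realm a RADIUS server uses to route eduroam users home."""
    return upn.rpartition("@")[2].lower() if "@" in upn else None
```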

Managing Certificates on G-Suite

Below, we’ve listed a few features of certificate-based networks and how they simplify network management.

Certificate Templates for G-Suite

Certificate templates are designed for IT admins to set the guidelines for network access. After configuring group policies, admins can customize specific certificate templates to issue to each network group. Once this is set up, when a network device requests a certificate, the CA is able to determine what type of certificate the device is allowed to have based on the end user’s permissions.

Attribute mapping is incredibly helpful for creating custom certificates and network policies because it allows admins to map user details to a certificate. That helps the RADIUS server better determine what a device is authorized to access when signing on to the network.

Certificate templates are also used to configure access for VPNs, Wi-Fi, and web apps. The ability to configure VPN access is particularly relevant since millions of users are working remotely during the current COVID-19 pandemic.

G-Suite CRL

A certificate revocation list (CRL) is a security measure that allows RADIUS servers to view all the certificates revoked by the CA. The RADIUS server periodically downloads the list and checks it every time a device requests access. If a device is lost or stolen and still equipped with a certificate, revoking the certificate and placing it on the CRL will ensure that specific device will not be allowed network access.

There are two types of CRLs and the difference lies in how often they update. The Base CRL updates weekly and the Delta CRL daily. However, the Delta CRL can be configured to update every 15 minutes to enhance security, a feature possible with SecureW2.

Managed Device Gateways

IT professionals know how monotonous it is to manually configure every device for network access – and how risky it is to leave manual configuration up to the end user. Luckily, integrating powerful gateway APIs onto the network makes it easy for admins to send out configuration payloads to every managed device.

For G-Suite customers, SecureW2 allows admins to build a gateway they can then use to push out configuration policies. Once the configuration policy makes it to the device, the device will then automatically request a certificate. This removes the end user entirely from the process and is much faster than manually configuring each device.

Identity Lookup on G-Suite

Many IT admins have issues identifying who is on the network, especially admins with MDMs that won’t allow emails to be input into RFC on certificate templates. That’s why SecureW2 offers industry-unique Identity Lookup integration to quickly find certificates and identify the user device.

Integrating G-Suite with Cloud RADIUS and SecureW2’s Onboarding Software

Integrating SecureW2’s Cloud RADIUS with G-Suite is simple because Cloud RADIUS already comes with a Managed PKI and EAP-TLS authentication.

SecureW2’s onboarding software simplifies the onboarding process for both BYODs and managed devices. With the JoinNow Suite, BYOD end users can sign on to the network in just a few clicks. Our Gateway APIs can be configured to provision every device with a certificate, completely eliminating the need for manual configuration.

Deploying certificates to your network increases security and relieves the IT department of the time spent configuring each device manually. Integrating Cloud RADIUS and SecureW2’s onboarding software streamlines the device authentication process and ensures all devices are equipped with a certificate and easily visible on the network. All of this comes at an affordable cost.


Learn About This Author

Sam Metzler

Sam (aka Slammin Salmon, Street Hustler Sam, Samilstilskin) is a Copywriter for SecureW2's marketing team and a man of many nicknames. He has a degree in Marketing from the University of North Texas and his previous experience involved mortgage marketing and obituary writing.