apps – Page 2 – John McLear

Primary School Google Apps – User accounts and domains

Posted on November 24, 2009July 11, 2011 by primaryt

Deciding how your user accounts will be set up

You have 3 options:

1. You can manually create each user account, this can be very time consuming but may be suitable if you are only providing teachers with accounts.

AND/OR

2. You can use a CSV export from your school Management information system (IE SIMS, CMIS, Integris, Scholarpack). With this method you annually update your user accounts with just a few clicks.

3. Our recommendation is that you use a school single sign on solution such as Primary Logon or any Shibboleth service tied to the UK Federation. Your LA may already be providing you with a Single Sign On solution so ask them first, if they aren’t then just register for Primary Logon. Single Sign on from Primary Logon automatically updates pupil and teacher accounts daily from your school MIS.

Deciding on a domain

A domain is your address on the internet. Schools frequently purchase theirschoolname.com IE wilsdenprimary.com. A new managed domain will cost £50 or so a year from Primary Technology or you can use your current existing domain which may be a .*Gfl.ac.uk or .sch.uk. UK schools probably don’t need to buy a new domain! You can also buy a domain for £10 or so per year from Godaddy but you will have to manage the DNS settings yourself. You need to have a domain.

I have decided to ask Primary Technology to configure my Google Apps for me.

Buy a new domain from Godaddy and make DNS changes myself à http://godaddy.com

Buy a new managed domain (£50) à http://primaryt.co.uk/contact.html

I don’t know my control panel Login credentials, please help me! à

I am going to contact my DNS provider and ask them to make the changes à

I have bought a new domain from an ISP and I am going to make the changes myself à

Primary School Google Apps Education Edition Preparation

Posted on November 24, 2009May 23, 2010 by primaryt

Deciding which Google Apps you will use

We recommend schools do not use Google Mail for Email but use Primary Email instead. This is for child protection and educational reasons. If you decide to use Shibboleth (UK Federation login) then you can use single sign on to log onto both services seamlessly.

Your App options are Docs, Mail, Calendar, Sites and Chat. For more information each of these apps please visit http://google.com/a/

Decide if you will do all the work or ask someone to do it for you

1. Pay someone to do this for you. Contact Primary Technology using the contact details on http://primaryt.co.uk/contact.html requesting assistance setting up Google Apps. You are done reading if you have chosen this option.

OR
2. Handle the process yourself but ask your DNS provider or web hosting provider to make the relevant DNS changes. There is usually not a charge involved with this but it can be a bit tricky.

OR
3. Gain access to your DNS control panel and do all of the procedure yourself. Warning: This is quite technically challenging. There is no charge for this but it takes a few hours if it’s the first time you have done it.

If you chose option 2 or 3 then continue to deciding on your user accounts and domains. à

Google Apps in a Primary School – Getting Started guide

Posted on November 24, 2009July 11, 2011 by primaryt

Considerations

What is Google Apps?

Google Apps is a Google provided alternative to a very popular Word processing and spreadsheet editing application frequently used in Primary Schools. Google Apps also includes Google Sites (Individual sites & wikis) Gmail, Google Calendars and Google Talk. Google Apps is free for schools. More information on Google Apps can be found at http://google.com/apps/

Is Google Apps right for your primary school?

Google Apps Education edition requires internet connectivity to function. If your school has unreliable internet then Google Apps may not be for you. If you allow pupils to take devices home or they have computers at home then Google Apps is probably for you as you can access the same files from anywhere with an internet connection. Truthfully speaking a lot of schools that move from Microsoft products to Google Apps do it when they review their licensing cost or are due a large upgrade. Microsoft Office costs £32 per machine for an educational VLK license, as more devices go into schools this cost is increasing and pupils are encouraged to continue learning outside of the school; can your school and your pupil’s parents afford this cost?

The 3 main benefits of Google Apps.

1. Stability and remote storage – work is saved on the internet.

2. Collaboration – Pupils and teachers can easily share work.

3. Accessibility – Work can be accessed from home or school.

Education Edition Vs Standard Edition.

http://sites.google.com/site/colettecassinelli/apps – This website shows the Pros and Cons Google Apps Education Edition Vs a standard Google account. Google Standard Edition requires for the child to be 13+ so it is not really possible to use standard edition without extra considerations. One big pro the site doesn’t mention is that with Google Apps Education edition you can use single sign on in the form of shibboleth. This removes the maintenance of creating “per pupil accounts” and also Shibboleth handles what user information is passed making the data protection much easier to manage. I have only documented the Education Edition sign up for the above reasons and this is our recommended solution.

How long will it take for me to configure?

The maximum time from start to finish is 1 week, this is due to Google approving the establishment’s entitlement to the service. If you decide to do all of the configuration work yourself it will take about 2/4 hours depending on your technical understanding and ability and access to a DNS control panel for your domain. You may chose to get your schools parents to sign an acceptable use policy, there is an example Agreement available for UK schools here à http://primaryschoolteaching.co.uk/pg/pages/view/8763/

Google Apps is right for me, Continue to the preparation of a Primary School Google Apps Education Edition à

Example Google Apps Education Edition Acceptable Usage Policy (UK)

Posted on November 23, 2009July 11, 2011 by primaryt

I wanted to make sure schools had an Acceptable Usage Poilcy if they chose to use Google Apps so I put one online.

I have modified this AUP written for the USA for use in the UK.

Here is the link to the UK version – Example Google Apps Education Edition Acceptable Usage Policy (UK)

Shibboleth IDP configuration for multiple organizations & Google apps

Posted on November 21, 2009October 30, 2010 by primaryt

So you want to configure your IDP to allow logins from multiple organizations google apps? IE you want SchoolA to sign into http://docs.SchoolA.com and SchoolB to sign into http://docs.SchoolB.com.

The documentation on googles site isn’t very clear so here are some step by step instructions.

Before you even make a start, backup ALL of your IDP configuration files.

PreReqs:

Working IDP
Google Apps Educational Account
CNAME records set for docs.SchoolA.com and docs.SchoolB.com

Firstly complete the steps documented beautifully by Will Norris – Do the config for any school, we are just doing this to make sure you have a working IDP.

Test the above config changes by browsing to http://apps.SchoolA.com where SchoolA.com is the domain of the school you have configure google apps for. A usual misconception new users have about google apps is that it will create user accounts when you first login. This is not true. Your user account name on google apps must match the value being passed by the IDP. I have written a perl google apps provisioning tool, get in touch if you want it.

It worked? Great! If not, don’t continue. Get Will’s configuration working first then continue.

Now let’s get started configuring your IDP to allow multiple organizations to authenticate to Google Apps.

1. Log into your google apps admin account at http://google.com/a/SchoolA.com

2. Click Advanced tools – Set up Single Sign on – Tick Use a domain specified issuer

You are done in Google Apps. Congrats.

3. Ssh into your IDP

4. Is your Google Metadata located at /opt/shibboleth-idp/metadata/google-metadata.xml ? It should be, if not, modify the below guide to suite your paths. It will make sense..

5. Edit /opt/shibboleth-idp/metadata/google-metadata.xml to read

<EntityDescriptor entityID="google.com/a/schoola.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/schoola.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

6. Copy google-metadata.xml to google-metadata2.xml

7. Edit /opt/shibboleth-idp/metadata/google-metadata2.xml to read

<EntityDescriptor entityID="google.com/a/schoolb.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/schoolb.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

8. Edit /etc/shibboleth/relying-party.xml

9. Smile

10. Make me a cup of tea

11. Replace the entire Relying Party section for the google connectivity. After you are done it should read something like…

<RelyingParty id="google.com/a/schoola.com"
provider="https://idp.youridp.com/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
<RelyingParty id="google.com/a/schoolb.com"
provider="https://idp.youridp.com/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>

12. Search for Google.com again – look for the MetadataProvider section

13. Copy and paste the first reference replacing .xml with 2.xml, change the second schools id value to GoogleMD2, it should read something like this:

<MetadataProvider id="GoogleMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/google-metadata.xml" maintainExpiredMetadata="true" />
<MetadataProvider id="GoogleMD2" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/google-metadata2.xml" maintainExpiredMetadata="true" />

Congrats, you are done in relying-party.xml!

14. Edit /etc/shibboleth/attribute-filter.xml

15. Search for google.com

16. Edit the value to read “google.com/a/schoola.com”

17. Copy and paste the policy, replace schoola.com with schoolb.com in the new policy.

It should read:

<AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoola.com" />
<AttributeRule attributeID="principal">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
<AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoolb.com" />
<AttributeRule attributeID="principal">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>

18. I restarted tomcat using the ./Shutdown ./Startup script to test and it worked fine. Test by browsing to http://apps.schoola.com/(assuming you have this cname set). If you have problems please check that you replaced schoola.com and schoolb.com with your domain and also your IDP references.