John McLear – Page 139 – Founder, Inventor, Creator

Primary School Google Apps Education Edition Preparation

Posted on November 24, 2009May 23, 2010 by primaryt

Deciding which Google Apps you will use

We recommend schools do not use Google Mail for Email but use Primary Email instead. This is for child protection and educational reasons. If you decide to use Shibboleth (UK Federation login) then you can use single sign on to log onto both services seamlessly.

Your App options are Docs, Mail, Calendar, Sites and Chat. For more information each of these apps please visit http://google.com/a/

Decide if you will do all the work or ask someone to do it for you

1. Pay someone to do this for you. Contact Primary Technology using the contact details on http://primaryt.co.uk/contact.html requesting assistance setting up Google Apps. You are done reading if you have chosen this option.

OR
2. Handle the process yourself but ask your DNS provider or web hosting provider to make the relevant DNS changes. There is usually not a charge involved with this but it can be a bit tricky.

OR
3. Gain access to your DNS control panel and do all of the procedure yourself. Warning: This is quite technically challenging. There is no charge for this but it takes a few hours if it’s the first time you have done it.

If you chose option 2 or 3 then continue to deciding on your user accounts and domains. à

Google Apps in a Primary School – Getting Started guide

Posted on November 24, 2009July 11, 2011 by primaryt

Considerations

What is Google Apps?

Google Apps is a Google provided alternative to a very popular Word processing and spreadsheet editing application frequently used in Primary Schools. Google Apps also includes Google Sites (Individual sites & wikis) Gmail, Google Calendars and Google Talk. Google Apps is free for schools. More information on Google Apps can be found at http://google.com/apps/

Is Google Apps right for your primary school?

Google Apps Education edition requires internet connectivity to function. If your school has unreliable internet then Google Apps may not be for you. If you allow pupils to take devices home or they have computers at home then Google Apps is probably for you as you can access the same files from anywhere with an internet connection. Truthfully speaking a lot of schools that move from Microsoft products to Google Apps do it when they review their licensing cost or are due a large upgrade. Microsoft Office costs £32 per machine for an educational VLK license, as more devices go into schools this cost is increasing and pupils are encouraged to continue learning outside of the school; can your school and your pupil’s parents afford this cost?

The 3 main benefits of Google Apps.

1. Stability and remote storage – work is saved on the internet.

2. Collaboration – Pupils and teachers can easily share work.

3. Accessibility – Work can be accessed from home or school.

Education Edition Vs Standard Edition.

http://sites.google.com/site/colettecassinelli/apps – This website shows the Pros and Cons Google Apps Education Edition Vs a standard Google account. Google Standard Edition requires for the child to be 13+ so it is not really possible to use standard edition without extra considerations. One big pro the site doesn’t mention is that with Google Apps Education edition you can use single sign on in the form of shibboleth. This removes the maintenance of creating “per pupil accounts” and also Shibboleth handles what user information is passed making the data protection much easier to manage. I have only documented the Education Edition sign up for the above reasons and this is our recommended solution.

How long will it take for me to configure?

The maximum time from start to finish is 1 week, this is due to Google approving the establishment’s entitlement to the service. If you decide to do all of the configuration work yourself it will take about 2/4 hours depending on your technical understanding and ability and access to a DNS control panel for your domain. You may chose to get your schools parents to sign an acceptable use policy, there is an example Agreement available for UK schools here à http://primaryschoolteaching.co.uk/pg/pages/view/8763/

Google Apps is right for me, Continue to the preparation of a Primary School Google Apps Education Edition à

Example Google Apps Education Edition Acceptable Usage Policy (UK)

Posted on November 23, 2009July 11, 2011 by primaryt

I wanted to make sure schools had an Acceptable Usage Poilcy if they chose to use Google Apps so I put one online.

I have modified this AUP written for the USA for use in the UK.

Here is the link to the UK version – Example Google Apps Education Edition Acceptable Usage Policy (UK)

Shibboleth IDP configuration for multiple organizations & Google apps

Posted on November 21, 2009October 30, 2010 by primaryt

So you want to configure your IDP to allow logins from multiple organizations google apps? IE you want SchoolA to sign into http://docs.SchoolA.com and SchoolB to sign into http://docs.SchoolB.com.

The documentation on googles site isn’t very clear so here are some step by step instructions.

Before you even make a start, backup ALL of your IDP configuration files.

PreReqs:

Working IDP
Google Apps Educational Account
CNAME records set for docs.SchoolA.com and docs.SchoolB.com

Firstly complete the steps documented beautifully by Will Norris – Do the config for any school, we are just doing this to make sure you have a working IDP.

Test the above config changes by browsing to http://apps.SchoolA.com where SchoolA.com is the domain of the school you have configure google apps for. A usual misconception new users have about google apps is that it will create user accounts when you first login. This is not true. Your user account name on google apps must match the value being passed by the IDP. I have written a perl google apps provisioning tool, get in touch if you want it.

It worked? Great! If not, don’t continue. Get Will’s configuration working first then continue.

Now let’s get started configuring your IDP to allow multiple organizations to authenticate to Google Apps.

1. Log into your google apps admin account at http://google.com/a/SchoolA.com

2. Click Advanced tools – Set up Single Sign on – Tick Use a domain specified issuer

You are done in Google Apps. Congrats.

3. Ssh into your IDP

4. Is your Google Metadata located at /opt/shibboleth-idp/metadata/google-metadata.xml ? It should be, if not, modify the below guide to suite your paths. It will make sense..

5. Edit /opt/shibboleth-idp/metadata/google-metadata.xml to read

<EntityDescriptor entityID="google.com/a/schoola.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/schoola.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

6. Copy google-metadata.xml to google-metadata2.xml

7. Edit /opt/shibboleth-idp/metadata/google-metadata2.xml to read

<EntityDescriptor entityID="google.com/a/schoolb.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/schoolb.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

8. Edit /etc/shibboleth/relying-party.xml

9. Smile

10. Make me a cup of tea

11. Replace the entire Relying Party section for the google connectivity. After you are done it should read something like…

<RelyingParty id="google.com/a/schoola.com"
provider="https://idp.youridp.com/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
<RelyingParty id="google.com/a/schoolb.com"
provider="https://idp.youridp.com/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>

12. Search for Google.com again – look for the MetadataProvider section

13. Copy and paste the first reference replacing .xml with 2.xml, change the second schools id value to GoogleMD2, it should read something like this:

<MetadataProvider id="GoogleMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/google-metadata.xml" maintainExpiredMetadata="true" />
<MetadataProvider id="GoogleMD2" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/google-metadata2.xml" maintainExpiredMetadata="true" />

Congrats, you are done in relying-party.xml!

14. Edit /etc/shibboleth/attribute-filter.xml

15. Search for google.com

16. Edit the value to read “google.com/a/schoola.com”

17. Copy and paste the policy, replace schoola.com with schoolb.com in the new policy.

It should read:

<AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoola.com" />
<AttributeRule attributeID="principal">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
<AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoolb.com" />
<AttributeRule attributeID="principal">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>

18. I restarted tomcat using the ./Shutdown ./Startup script to test and it worked fine. Test by browsing to http://apps.schoola.com/(assuming you have this cname set). If you have problems please check that you replaced schoola.com and schoolb.com with your domain and also your IDP references.

My winter plans

Posted on November 18, 2009July 11, 2011 by primaryt

I just finished all of my 2009 projects so now I have till January to fill in my calendar. Thankfully I get this as holiday time so I’m going to set myself some goals:

Goal 1 – Get wind turbine up.

Goal 2 – Get quote to replace window frames.

Goal 3 – Get a structural engineer to check house.

Goal 4 – Fix cracks in walls.

Goal 5 – Get paintings for house by Cage One.

Goal 6 – Practice my cooking.

Goal 7 – Fix wood storage shed roof.

Goal 8 – Complete some computer games.

Goal 9 – See my God son

I’m thinking about doing some investigative journalism into Bradford and it’s “hole”, maybe putting together a short 20 minute video but it sounds like a lot of effort for very little reward. I also think someone in my position should probably not go around upsetting the city councillors… What are your feelings about this?

Even though I’m off work for a while I will still be attending JISC conferences.