Using Connect for Chromebooks
Note: This topic applies to the Inverness Release.
The Chromebook authentication feature allows internal users to authenticate themselves using their Google credentials, whilst enforcing organizational web filtering policies wherever they are located.
The Connect for Chromebooks extension is a custom utility that can be deployed to all Chromebooks on your network. Once the user is logged into the Chromebook, Connect for Chromebooks handles any subsequent authentication requests.
You can choose to either:
Use Google verification
| | Provides another level of authentication security |
| | Suitable for Bring Your Own Device (BYOD) network configurations |
| | Suitable for non-enrolled Chromebooks |
Tip: The Google verification knowledge base article provides step-by-step instructions for setting up Google verification with Connect for Chromebooks, including how to get the Client ID and Client Secret needed before continuing with the configuration on this page.
or
Trust users' G SUITE domain credentials
| | More straight-forward setup for networks that have more control over the Chromebooks |
| | Suitable for enrolled Chromebooks |
| | Must have a Google directory connection configured on the Smoothwall |
Tip: The Google as a directory knowledge base article provides step-by-step instructions for setting up a Google directory connection with Connect for Chromebooks.
To prevent users from bypassing the web filter, you should ensure the Chromebook devices are enrolled, and unwanted extensions and applications are blocked from installing.
Note: Google Chromebooks allow multiple users to log into a single Chromebook device at any one time. For Connect for Chromebooks to work seamlessly, this feature needs to be turned off. For a detailed description of how to do this, refer to the Google documentation on http://admin.google.com.
Configuration for Both Authentication Methods
Irrespective of the authentication type utilized for your network, you must configure the following in the Chromebook page:
Enabling Connect for Chromebooks
| 1. | Go to Services > Authentication > Google. |
| 2. | From the Chromebook settings section, select Connect for Chromebooks. |
| 3. | Scroll down to the bottom of the page, and select Save changes. |
Validating the HTTPS Certificate
The HTTPS certificate presented by the Smoothwall must be validated by the Chromebooks. To do this, you must download the HTTPS certificate from your Smoothwall, and upload it to Google’s Admin console for distribution to the Chromebook devices.
Note: The Smoothwall appliance must be configured with a fully qualified hostname, for example, my.smoothwall.com. For a detailed description of how to change the hostname, see Changing the System Hostname.
Tip: Ensure the DNS server used by the Chromebooks maps the Smoothwall’s fully qualified hostname to the Smoothwall internal IP address used by the Chromebooks to connect to. All references to the client login page (see Customizing the Client Login Page) must be made using the fully qualified hostname.
You must first verify that the certificate uses the correct hostname. Although the procedure for checking the hostname differs from browser to browser, you generally:
| 1. | Browse to the Smoothwall administration user interface using the fully qualified hostname via HTTPS, on port 442, for example: |
https://my.smoothwall.com:442
| 2. | Click the padlock icon from the URL bar. |
| 3. | Click View certificates. |
| 4. | Confirm that the hostname used in the certificate is the fully qualified hostname. This is the name listed against Issued to. |
If the fully qualified hostname is not used by the certificate, see Changing the System Hostname for a detailed description of how to change the hostname.
If the fully qualified hostname appears in the certificate, download the certificate as follows:
| 1. | Go to Services > Authentication > Google. |
| 2. | Scroll down to the Chromebook settings section. |
| 3. | From HTTPS Certificate, click Download certificate. |
| 4. | If you manage your Google directory from the same machine, click Open the Google Admin console in a new window. |
If not, copy the downloaded HTTPS certificate to the relevant machine, and go to the Google Admin console.
| 5. | Upload the certificate to the Google Admin console’s Manage Certificates module to deploy it to all Chromebooks in your organization. Our knowledge base article provides a detailed description of how to upload this certificate to the Google Admin console. |
Tip: Ensure Use this certificate as an HTTPS certificate authority is selected for the Smoothwall’s HTTPS certificate in the Manage certificates dialog of the Google Admin console.
Note: The above instructions are correct at the time of writing. Google feature names and links may change over time.
For a detailed description of how to change the HTTPS certificate used for Connect for Chromebooks, see Selecting the Certificate for User-Facing HTTPS Services.
Determining Domain Behavior
You can choose to accept logins only from approved domains, by listing them in your Smoothwall. This way, users from non-approved domains can still log into their Chromebooks using their Google credentials, but are placed in the Unauthenticated IPs group (see Managing Groups of Users) and filtered accordingly.
Alternatively, you can list the domains in your Google Admin Console. However, it should be noted that using this methodology, users from unlisted domains are unable to log into their Chromebook devices.
| 1. | Go to Services > Authentication > Google. |
| 2. | Scroll down to the Domain logins section. |
| 3. | From the Google settings section, select Approved domains. |
| 4. | Within the Allow logins from the following domains: box, list the accepted domains, with each one on a new line. |
| 5. | Use Remove domain name if your directory service does not require the domain name, that is, @domain.com, to form part of the username for authentication purposes, such as, G Suite and Active Directory domains. |
Note: If you are using the Google directory service for user group mappings, do not enable this option as the full email address is required as the username.
| 6. | Scroll down the bottom, and click Save changes. |
Depending on whether you have chosen to use Google verification, or to trust the G Suite domain authentication, complete the relevant section below.
Using Google Verification
With this setup, Connect for Chromebooks communicates with Google's OpenAuth (OAuth) servers to confirm the user credentials presented.
| 1. | Go to Services > Authentication > Google. |
| 2. | From the Google settings section, select Validate user identity. |
Additional parameters are made available to you:
Configuring the Google Web Application
The Smoothwall must be assigned a Google Client ID and Client Secret, obtained through the Google Developer console. This allows the Smoothwall and Connect for Chromebooks to send authorization request to Google OpenAuth (OAuth) servers.
You must create these before continuing with the Connect for Chromebooks configuration. Our knowledge base article provides a detailed description of how to do this.
Tip: The Client ID and Client Secret are created as a web application within the OAuth module of the Google Developer console.
| 1. | Copy and paste the Google Client ID into the Client ID text box. |
| 2. | Copy and paste the Google Client Secret into the Client Secret text box. |
Customizing the Client Login Page
You can customize the login page users see when they first log onto the network via a Chromebook, to suit your organizational needs.
The following is an example of the expected layout of the login page:
You can change the logo, heading and main body of text. However, only static text and images can be used. You cannot use links to other HTML pages. The Google Sign in button must remain in case a manual login is required.
| 1. | Scroll down to the Client login page panel. |
| 2. | Configure the following: |
| • | Title — Enter a meaningful heading for the main body of text. |
| • | Image — To change the logo, click Choose File. Locate the relevant image, and click Open. |
Click the black arrow to view the uploaded image. The Smoothwall logo is provided as the default image if none has been uploaded.
| • | Text — Enter the text that will appear in the main body. |
Tip: It is recommended you include text advising that by using this Client login page, the user is granting permission for their login credentials to be sent to Google.
| 3. | Click Save changes. |
Note: The client login page is accessed from the following URL:
https://<hostname>:442/modules/auth/cgi-bin/google/login.fcgi
where hostname is the fully qualified hostname of the Smoothwall. For example:
https://my.smoothwall.com:442/modules/auth/cgi-bin/google/login.fcgi
From the Google Admin console, set this URL in the Pages to Load on Startup parameter. For more information, refer to the Google verification knowledge base article.
Additional configuration is required to complete this installation; go back to the Google verification knowledge base article.
Trusting G Suite Domain Authentication
With this setup, Connect for Chromebooks sends the supplied user credentials to the Smoothwall, which trusts they are for a valid Google account.
Prerequisites
You must ensure you have configured a directory on the Services > Authentication > Directories page, and synchronized the domain users and groups. Typically, this is either a G Suite domain, or an Active Directory domain using Google Active Directory Sync. For more information, see About Directory Services.
You must also ensure the time set on the Smoothwall matches the G Suite domain time as this causes the username synchronization to fail.
Verifying Users
As the G Suite domain has already verified the user when they logged into the Chromebook, further verification is not needed.
| 1. | Go to Services > Authentication > Google. |
| 2. | From the Google settings section, clear the selection for Validate user identity. |
This is only used where the Google OpenAuth service is used.
| 3. | Click Save changes. |
Deploying Connect for Chromebooks
Connect for Chromebooks does not require you to install the extension on a server for deployment to all Chromebooks. Instead, you must link to it from the Google Admin console, http://admin.google.com, which then includes it in the Chromebook configuration pushed out to all clients.
The Deploying Connect for Chromebooks knowledge base article provides full instructions for this.
Using Connect for Chromebooks with a Browser Home Page
Using the Google Admin Console, you can configure a common home page for all Chromebooks (referred to as Pages to Load on Startup in the Console). If you make use of this or a captive portal on startup, be aware that these may load faster than Connect for Chromebooks can authenticate the user. This may result in the page load being treated as originating from an unauthenticated user. However, after that, filtering does continue as normal.