Change Google mail domain for SSO

Roman · May 23, 2018, 2:43pm

We are changing name of the company hence we want to change our email address domain.

I have added new domain in Google admin
Used GAM to change test user email, now I can login on gmail with my new@domain.com (redirects to SSO page, and after I enter my LDAP credentials, shows error below)
in Domain -> Mail OX I added new domain
For test user, I changed email to new in Users -> test username -> General tab
All needed changes done on DNS done as well

Here is the error I get:
G Suite - Invalid Email

I cannot change user emain on in Users -> test username -> Google apps tab.

Please advise how to change the email, I would need to do this for all users in the organization.
Thanks in advance.
Roman

Roman · June 1, 2018, 9:41am

The question may sound complicated so I had a little look around and can ask in a more simple way.

SimpleSAML currently creates new users and logs in with user.name@oldcompany.com

How can we change SimpleSAML to create and login users with user.name@newcompany.com ?

Thanks

Roman · June 1, 2018, 4:29pm

Researching further, I thought to just go ahead and change LDAP object value inside the UCS “brains”, however no luck.

# udm users/user modify --dn uid=user.name,cn=users,dc=location,dc=oldcompany,dc=com --set UniventionGoogleAppsPrimaryEmail=user.name@newcompany.com
Value may not change.: UniventionGoogleAppsPrimaryEmail

Any comments from UCS developers?

I suspect that SAML can support multiple domains. For example:
https://support.google.com/a/answer/6330801?hl=en

	<saml:Subject>
<saml:NameID
SPNameQualifier="google.com/a/yourdomain.com"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
>user@yourdomain.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2014-11-05T17:37:07Z"
Recipient="https://www.google.com/a/yourdomain.com/acs"
InResponseTo="midihfjkfkpcmbmfhjoehbokhbkeapbbinldpeen"
</saml:SubjectConfirmation>
</saml:Subject>

Maybe SAML can still pass value SPNameQualifier=“google.com/a/oldcompany.com”
Recipient=“https://www.google.com/a/yourdomain.com/acs”
and
>user@newcompany.com</saml:NameID>

troeder · June 4, 2018, 6:43am

Hi Roman,

you’ll have to redo the google connector setup wizard and use the new domain first. Then change the primary email address of a user to use the new domain. That should trigger the connector to change the stored login address.

To be able to use the wizard again, rename the current configuration file:

mv /etc/univention-google-apps/credentials.json /etc/univention-google-apps/credentials.json.old
service univention-directory-listener restart

Greetings
Daniel

Roman · June 4, 2018, 9:29am

Thanks for reply. Does that mean when we run google connector setup wizard, it will change SAML login domain for all users, or just for the ones whose primary email address we change in UCS?

It would be good to migrate users in batches.

troeder · June 4, 2018, 10:59am

Just changing the connectors configuration will not make it change users.
You’'ll have to set the primary email address of each user to the new domain.
You can script that on the command line with something like:

udm users/user modify --dn <DN> --set mailPrimaryAddress=<email@new.domain>

Greetings
Daniel