What comes with Google Workspace for Education Fundamentals (GWEF, for short)?
Y'know, why don't we let Google answer that question for you? Read all about Google Workspace for Education Fundamentals (or whatever they're calling it this week).
Would you mind giving an overview of how this works?
Populi and GWEF integrate by means of Single Sign-On, which lets a user access multiple software programs through a single login. In this arrangement, a user logs in to Populi with his username and password; when he accesses GWEF (via the Email or Calendar links in Populi), Populi automatically authenticates that user so he won't need to also log in to Google.
The integration links Google and Populi so that Populi usernames must match up with a Google email address. For instance, email@example.com in Populi must equal firstname.lastname@example.org in Google. So, Jim Roberts logs in to Populi with username jimbob, and when he clicks the Email app in Populi to open GWEF, his email account is
Effectively, the integration replaces Populi Email and Calendar with Google's Gmail and Calendar—and enables simpler access to a user's other GWEF programs. In this setup, Google hosts your Email and Calendar on their own servers.
There are some limitations to the integration, however (which is natural when you link two very different programs from two very different vendors). To take advantage of some of the integrated Email features in Populi (like Mailing Lists, the Activity Feed, one-click emailing for groups of people, etc.), you'll have to use Populi's native Email Compose window. It opens up whenever you click an email link within Populi—for instance, if you click Send Now on an Email Template. Such emails won't be saved in your Sent folder in Gmail... but they will show up on the relevant Activity Feeds for anyone to whom you sent the message. Likewise, messages sent from Gmail won't automatically appear in Activity Feeds, etc.
We have an existing GWEF account. How will integrating it with Populi affect those addresses, mailboxes, and so on?
Your existing mailboxes won't be harmed in any way with the integration. However, you'll need to take a little time to make sure the right people can get at the right messages post-integration.
So, please say it in as many words: what login credentials will I use, and where?
Your username and password for Populi and GWEF (and desktop email clients) will be identical. Keep in mind that if you want to change your password for any of these, you have to do so in Populi—it will then update Google. This doesn't work the other way around!
What happens when I add a GWEF account to an existing Populi user?
Owing to some vagaries in the Google API and Populi's authentication back-end, the next time that user tries to log in to Populi, he'll have to change his password.
We have some alias emails, like email@example.com, firstname.lastname@example.org, etc. How will those work now?
Let's say you have two email addresses: email@example.com and Admissions@school.edu. Your Registrar can access the first account, and all ten of your admissions staff have access to the second. Both addresses are basically aliases, but there are two different ways to manage them in Google (check with the GWEF documentation for the exact steps you'd take):
- For the Registrar, you'd create a "Nickname" in Google called firstname.lastname@example.org, and associate it with your registrar's real username, email@example.com. Once you do this, when someone emails firstname.lastname@example.org, Jolene gets the message in her
- For Admissions, you'd create a "Group" in Google called Admissions@school.edu, and you'd put all your Admissions people in that group—email@example.com, and so on for the whole gang. Then, when someone emails Admissions@school.edu, Joe, Jane, Aloysius, and the rest of the crew all get the message in their respective Gmail inboxes.
What about desktop email clients? Do we need to change anything there?
Yes. You will need to enter your Populi password; you use the same password to log into Populi, GWEF, and your desktop email client.
We have a lot of accounts that we don't want to integrate with Populi. Can we still create accounts in Google that we don't intend to integrate with Populi? Does Populi only manage accounts in Google that it knows about?
Populi authenticates users into Google by means of a protocol called SAML (Security Assertion Markup Language), which means that Populi acts as an "identity provider" (it determines who the users are) and GWEF acts as a "service provider" (it lets those users do certain things, like check and send email). In other words, once you complete the integration between Populi and GWEF, everyone has to log in to Google using their Populi credentials. So, Populi has to know about every account in GWEF.
If we delete a user account in Populi, does it delete the corresponding account in Google?
As a precaution against accidental Google account deletion, Populi simply suspends the GWEF account. If someone accidentally deletes a Populi user, we know it would totally stink to delete their Google email all at the same time.
To restore such a suspended user, click the "Enable email" box on the user's Populi profile, and Populi will attempt to create a new user account as normal. However, when it finds that their username already exists in Google as a suspended account, we'll just re-enable it instead.
Periodically, you should go through and clean out any suspended user accounts using the GWEF control panel.
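One way to run that periodic check, as an added example (not Populi's or Google's code): it compares a Populi username list with a Google user list and sorts the Google accounts into the cases this article describes. The CSV column names, the `school.edu` domain and the sample rows are constructed assumptions, not real export formats.

```python
import csv
import io

DOMAIN = "school.edu"  # assumption: the Google domain tied to Populi

# Constructed sample exports. Column names are assumptions, not the real
# export formats of Populi or the Google Admin console.
POPULI_USERS = """\
username
jimbob
jolene
clarkkent
"""
GOOGLE_USERS = """\
email,suspended
JimBob@school.edu,false
jolene@school.edu,true
labprinter@school.edu,false
oldstaff@school.edu,true
"""


def reconcile(populi_csv, google_csv, domain=DOMAIN):
    """Sort Google accounts by how they relate to the Populi user list."""
    populi = {r["username"].strip().lower()
              for r in csv.DictReader(io.StringIO(populi_csv))}
    report = {"unknown_to_populi": [], "suspended_orphan": [],
              "suspended_but_in_populi": [], "other_domain": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(google_csv)):
        email = row["email"].strip().lower()
        local, _, dom = email.rpartition("@")
        if dom != domain:
            report["other_domain"].append(email)
            continue
        seen.add(local)
        suspended = row["suspended"].strip().lower() == "true"
        if suspended and local in populi:
            # Populi user exists but the Google side is suspended: investigate.
            report["suspended_but_in_populi"].append(email)
        elif suspended:
            # Left behind after a Populi deletion: periodic cleanup candidate.
            report["suspended_orphan"].append(email)
        elif local not in populi:
            # Active in Google but absent from the identity provider.
            report["unknown_to_populi"].append(email)
    report["populi_without_google"] = sorted(populi - seen)
    return report
```

Accounts in `unknown_to_populi` are the ones to resolve before enabling the integration, since after it every Google login is authenticated by Populi.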
One bit of clarification that might be helpful to add is that Populi becomes the "master" for Google after the integration. You might want to mention that this is a SAML integration and Google will now authenticate against Populi. Although this is kind of implied in this article (and the other Google article), it isn't explicitly stated and I didn't understand this until I had several e-mail and phone conversations.
Thanks Jeremiah for your comment. As I was reading the article above I was thinking to myself, "It sounds like Populi will be the new Admin for Google Apps". Maybe I'm just a jealous admin, but I don't like that AT ALL!
Perhaps an explanation about the choices we made...
We followed Google's own "best-practices" when we designed the integration between Google Apps and Populi. In the setup we pursued, Google recommends that Populi become the "identity provider" for Google Apps, which means that everyone in Google has to be in Populi. The advantages of this generally overwhelm the disadvantages (were Google the identity provider, for example, if you deleted a user in Google, you could end up deleting a student and all his records... that's just not an option in this setup).
We realize that this setup isn't absolutely ideal for all of our customers--many people have Google Apps users who don't really need access to Populi, but under the new setup, those people now have to have it--but the alternatives are a lot "less ideal". If Populi authenticated against Google, for instance, Populi's strong-password policy would have to be watered-down to accommodate Google's less-strict requirements.
The integration with Google Apps is a long-term feature that we're investing in, so if there are ways to improve it down the line, we're gonna be open to doing so.
I've updated the article accordingly. Thanks for posting here.
Question regarding mobile access to Google Calendar. Some of our users' mobile devices don't have an app for the calendar; they just access the mobile site. When they attempt to log in, it simply fails (no message or anything). It seems that logging into Populi first on the device then allows access to the calendar (it works on my Android phone), but these users can't do that, because their device only has an Opera browser built in. Any suggestions or a workaround so these users can access the calendar on their devices?
If you want this as a support ticket, I can do that, I just thought other Google apps users might have this question too.
Wow. Opera is the only browser built in to these devices?!? That's a new one on us. Populi doesn't support Opera owing to its extremely-limited user base; so, there's nothing we can really do for them. What devices are they using?
The Windows Mobile user may have the option of installing a different browser, the other is using an INQ something or other, and there are no options for changing anything. He's already resigned to being out of luck, but I just thought I'd check & see if there was any other way into the calendar for him.
I understand why the Populi and GA credentials have to match. And for all new users that should not be a problem. What about the case where a faculty member, for instance, has a widely distributed/published email address that is not the same as Populi's? Short of saying, "Well, sorry Dr. Faculty-Member, the work you did that has earned you recognition here and there is not going to help people contact you because we have to change your email address, and you can start all over getting it 'out there,'" what is a good approach?
@James: I myself have several email addresses, which I forward to my own Google Apps email address. Google has a bunch of settings that let you more or less manage other email addresses from that GApps account—the most useful being, in this case, the "Send Mail As..." feature. He can use these settings from within his Populi Gmail account so that he'll receive all email sent to his recognized account and can send mail "from" that recognized account.
Or, he can just set up his Google Apps account to forward all his email to his recognized account.
Yet another option: if his recognized account uses @fwbbc.edu, then you can change his Populi username to be the same as his email address. For example, if his famous email is firstname.lastname@example.org and his current Populi/GApps email is email@example.com, just change his username from clarkkent to superman. Use the instructions provided here (scroll down to "changing" a username) to do so. If you take this route, just ignore any warning about deleted email—that warning doesn't apply to our GApps users.