I followed this tutorial to integrate with Google Apps. http://code.google.com/googleapps/marketplace/tutorial_java.html
If you follow the tutorial, you end up with a servlet to handle SSO requests at "/openid?hd=mydomain.com". BTW, I didn't see any way to build the SSO integration required by Google Apps using appengine's UserService, but maybe I was missing something. Anyway, the good thing about going this route is that you have a single hook for people signing in with Google Apps. I just store the email, domain, and claimed_id in my user model. This ensures that if someone signs is using the same email but they use a different openID provider (other than Google Apps) I'll treat it as a completely different account since that code path will still use appengine UserService and won't store a domain for that user. IOW, a unique user in my system is identified by the email address and also the domain. In fact, you can sign-in to my app using appengine's federated login and then sign-in using Google Apps SSO and use the same email address for both and it will be seen as two accounts. Because the first account will be created with null in the domain column and the second account will actually populate that column with the domain. With such a scheme, if your import creates a bunch of user records, just be sure to include a special column for the domain in addition to the email and id. This way when the user logs in to your app for the first time you won't get confused if there's two users objects with the same email address. Does that make sense? Stephen -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/Hgi03JXfTboJ. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.