Hi Patricia,

So, just to be clear, there is no supported way to authenticate against Google as an Identity Provider, or to initiate a passive login to Google Apps via IdP-initiated SAML response. We don't support a use case in which SSO login can be selectively targeted - either it's on, or it's off.
We only support cases in which users first request Google Apps resources - in this case, the customer's Identity Provider is designated as the canonical source of user identity. Our SSO system is designed to be used with a SAML 2.0 compliant Identity Provider - it requires that the user initiate a SAML request from Google Apps, is redirected to the customer's Identity Provider for authentication, which then provides a SAML response back to Google. Other use cases are simply not supported.

- Michael

On Feb 23, 7:37 am, "Patricia Goldweic" <[email protected]> wrote:
> After posting this, I actually realized that there are ways one can deal
> with the captcha exception within the code (even if it is just pointing the
> user to a page to unlock it). This is definitely better than having to disable
> SSO to let someone do this(!). In any case, I would still like to know
> whether there are any recommended alternatives to implement such a login
> screen within a SAML SSO provider. Thanks,
>
> -Patricia
>
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Patricia
> Goldweic
> Sent: Tuesday, February 22, 2011 1:04 PM
> To: [email protected]
> Subject: [google-apps-apis] FW: what's the recommended way to authenticate a
> Google Apps user against Google's internal db?
>
> Hi,
>
> Could somebody from Google please answer the post I created back on February
> 9th? I have a need to implement a login screen within a (test) SAML SSO
> provider, which, given the lack of proper credentials from a third party
> application, resorts to the regular Google authentication. In other words,
> in this last case (because, for example, the code is not able to retrieve
> cookies placed by the third party app), it needs to perform the same type of
> authentication that Google would perform were the user to log in through the
> regular (non-SSO) login screen.
> When testing out today the mechanism I
> described in the original post, with one particular user, the process went
> through continuous captcha/invalid credentials exceptions even though the
> user was logging in with the right credentials. The only way I could resolve
> this was to *disable* SSO to let them log in through the regular Google
> login screen, and then re-enable SSO (!!!). I am trying to find an
> alternative that follows recommended practices and that *actually* works in
> all cases. Could you please help?
>
> Thanks in advance
>
> From: Patricia Goldweic [mailto:[email protected]]
> Sent: Wednesday, February 09, 2011 2:29 PM
> To: '[email protected]'
> Subject: what's the recommended way to authenticate a Google Apps user
> against Google's internal db?
>
> Hi,
>
> For testing (non-production) purposes, I'm writing a SAML SSO provider that
> is able to provide a Google Apps login screen/form to the user, and I'd like
> to know what's the recommended way to do this authentication within the SAML
> provider. From past posts to this forum, I realized that I could create an
> AppsForYourDomainClient (I am using the gdata java client libraries) with
> the given credentials, and approve the access if no exception is thrown.
> However, I wonder if this is the recommended way of doing this check, or if
> there is a better one. Or, should the provisioning api actually be used
> instead for this (doing password comparison)? Please advise. Thanks,
>
> -Patricia
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google Apps Domain Information and Management APIs" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group
> at http://groups.google.com/group/google-apps-mgmt-apis?hl=en.
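Added example, not part of the thread and not Google's or the poster's code: a Python sketch of the identity-provider side of the SP-initiated flow described in the reply above, decoding the `SAMLRequest` that arrives on the redirect and returning the values the SAML response has to echo. The function names, the size cap, the allow-list of ACS URLs and the sample request are assumptions made for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML = 64 * 1024  # assumed cap on the inflated request size

def parse_authn_request(query, allowed_acs):
    """Decode a redirect-binding SAMLRequest; return what the response must echo."""
    params = parse_qs(query)
    if "SAMLRequest" not in params:
        # Nothing to answer: the flow has to start at the service provider.
        raise ValueError("no SAMLRequest in query")
    try:
        raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
        inflater = zlib.decompressobj(-15)  # raw DEFLATE, no zlib header
        xml = inflater.decompress(raw, MAX_XML)
        if inflater.unconsumed_tail or b"<!DOCTYPE" in xml:
            raise ValueError("oversized request or DTD present")
        root = ET.fromstring(xml)
    except (ValueError, zlib.error, ET.ParseError) as exc:
        raise ValueError(f"malformed SAMLRequest: {exc}") from exc
    req_id = root.get("ID")
    acs = root.get("AssertionConsumerServiceURL")
    if root.tag != f"{{{SAMLP}}}AuthnRequest" or not req_id:
        raise ValueError("not an AuthnRequest with an ID")
    if acs not in allowed_acs:
        # Never post an assertion to a URL taken unchecked from the request.
        raise ValueError("unexpected AssertionConsumerServiceURL")
    return {"in_response_to": req_id, "destination": acs,
            "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "relay_state": params.get("RelayState", [None])[0]}

def sample_query(acs="https://sp.example.test/acs"):
    """Constructed AuthnRequest for the demo; ID, host and URLs are made up."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_constructed123" Version="2.0" AssertionConsumerServiceURL="{acs}">'
           '<saml:Issuer>sp.example.test</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(wbits=-15)
    deflated = deflater.compress(xml.encode()) + deflater.flush()
    return urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                      "RelayState": "https://sp.example.test/mail"})

if __name__ == "__main__":
    print(parse_authn_request(sample_query(), {"https://sp.example.test/acs"}))
```

The returned `in_response_to` and `destination` values go into the response's `InResponseTo` and `Destination` attributes; building and signing the response itself is outside this sketch.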
