Ok, thanks for the response Michael.

Just to clarify: this was intended as a 'test' provider, not a production one. But also, my use case was not one in which the SAML SSO would be selectively targeted. In fact, I expect it to be always on, and functioning the way it is supposed to. The use case was meant to be as follows: the SSO provider needs to support *all* logins, including those coming from a trusted third party app and those who don't, and presumably needs to be able to authenticate in both cases (in the first case, it may use an LDAP provider to do so, while in the second, it does not have such an external provider available - these users may just be plain Google users who are not part of the LDAP database).

In any case, I understand that this is simply a non-supported use case.

Thanks again,
-Patricia

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Manoochehri
Sent: Wednesday, February 23, 2011 11:06 AM
To: Google Apps Domain Information and Management APIs
Subject: [google-apps-apis] Re: FW: what's the recommended way to authenticate a Google Apps user against Google's internal db?

Hi Patricia,

So, just to be clear, there is no supported way to authenticate against Google as an Identity Provider, or to initiate a passive login to Google Apps via IdP-initiated SAML response. We don't support a use case in which SSO login can be selectively targeted - either it's on, or it's off.

We only support cases in which users first request Google Apps resources - in this case, the customer's Identity Provider is designated as the canonical source of user identity. Our SSO system is designed to be used with a SAML 2.0 compliant Identity Provider - it requires that the user initiate a SAML request from Google Apps, is redirected to the customer's Identity Provider for authentication, which then provides a SAML response back to Google. Other use cases are simply not supported.

- Michael

On Feb 23, 7:37 am, "Patricia Goldweic" <[email protected]> wrote:
> After posting this, I actually realized that there are ways one can
> deal with the captcha exception within the code (even if it is just
> pointing the user to a page to unlock it). This is definitely better
> than having to disable SSO to let someone do this(!). In any case, I
> would still like to know whether there are any recommended
> alternatives to implement such login screen within a SAML SSO
> provider. Thanks,
>
> -Patricia
>
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Patricia Goldweic
> Sent: Tuesday, February 22, 2011 1:04 PM
> To: [email protected]
> Subject: [google-apps-apis] FW: what's the recommended way to
> authenticate a Google Apps user against Google's internal db?
>
> Hi,
>
> Could somebody from Google please answer the post I created back on
> February 9th? I have a need to implement a login screen within a
> (test) SAML SSO provider, which, given the lack of proper credentials
> from a third party application, resorts to the regular Google
> authentication. In other words, in this last case (because, for
> example, the code is not able to retrieve cookies placed by the third
> party app), it needs to perform the same type of authentication that
> Google would perform were the user to log in through the regular
> (non-SSO) login screen. When testing out today the mechanism I
> described in the original post, with one particular user, the process
> went through continuous captcha/invalid credentials exceptions even
> though the user was logging in with the right credentials. The only way
> I could resolve this was to *disable* SSO to let them log in through
> the regular Google login screen, and then re-enable SSO (!!!). I am
> trying to find an alternative that follows recommended practices and
> that *actually* works in all cases. Could you please help?
>
> Thanks in advance
>
> From: Patricia Goldweic [mailto:[email protected]]
> Sent: Wednesday, February 09, 2011 2:29 PM
> To: '[email protected]'
> Subject: what's the recommended way to authenticate a Google Apps user
> against Google's internal db?
>
> Hi,
>
> For testing (non-production) purposes, I'm writing a SAML SSO provider
> that is able to provide a Google Apps login screen/form to the user,
> and I'd like to know what's the recommended way to do this
> authentication within the SAML provider. From past posts to this
> forum, I realized that I could create an AppsForYourDomainClient (I am
> using the gdata java client libraries) with the given credentials, and
> approve the access if no exception is thrown.
> However, I wonder if this is the recommended way of doing this check,
> or if there is a better one. Or, should the provisioning API actually
> be used instead for this (doing password comparison)? Please advise.
> Thanks,
>
> -Patricia
>
> --
> You received this message because you are subscribed to the Google
> Groups "Google Apps Domain Information and Management APIs" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at http://groups.google.com/group/google-apps-mgmt-apis?hl=en.
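
The SP-initiated exchange Michael describes in this thread, seen from the Identity Provider side, as an added example that is not code from the thread or from Google: the IdP decodes the `SAMLRequest` parameter of the SAML 2.0 HTTP-Redirect binding, refuses to proceed without one, and returns the values its response must echo. The ACS URL allowlist, the sample request and the function names are assumptions constructed for illustration; the parameter is assumed to be already URL-decoded by the web framework.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_XML = 64 * 1024  # cap on the inflated request size
# Assumed allowlist for a test domain; replace with your own ACS URL.
ALLOWED_ACS = {"https://www.google.com/a/example.com/acs"}

# Constructed sample request (not captured traffic).
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed123" Version="2.0" '
    'IssueInstant="2011-02-23T17:06:00Z" '
    'AssertionConsumerServiceURL="https://www.google.com/a/example.com/acs"/>' % SAMLP
)


def encode_redirect(xml_text):
    """SP side of the HTTP-Redirect binding: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def parse_authn_request(saml_request):
    """IdP side: decode SAMLRequest, return the fields the response must echo."""
    if not saml_request:
        # No request means an IdP-initiated login, which the thread says is unsupported.
        raise ValueError("no SAMLRequest: IdP-initiated login refused")
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(base64.b64decode(saml_request), MAX_XML)
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("SAMLRequest too large or truncated")
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD not allowed in SAMLRequest")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not an AuthnRequest")
    acs = root.get("AssertionConsumerServiceURL")
    if acs not in ALLOWED_ACS:
        raise ValueError("unexpected ACS URL: %r" % acs)
    req_id = root.get("ID")
    if not req_id:
        raise ValueError("AuthnRequest has no ID")
    # The SAML response must carry InResponseTo=<ID> and be posted to the ACS URL.
    return {"InResponseTo": req_id, "Destination": acs}
```

Authentication of the user (for example against LDAP) happens between this step and building the signed response, which is outside what this block shows.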
