Question

I've been asking Google but cannot come up with an answer:

I would like to implement an ADFS server locally for my organization. This would be an SSO location for all apps, internal and DMZ and partner. In this case, Google is a partner (Apps for Business). We would like an ADFS page to use SAML2.0 to authenticate to Google. I know this is possible.

The question I have is how this affects users who add their Gmail mail and calendars to their mobile devices. Do I somehow have to sync usernames and passwords with the Googles or would it somehow still work?


Solution

For mobile devices and desktop thick clients (mail, calendar) each user will need to have a local password stored in Google Apps. Even Android/iPhone phones need to register with GABE with a Google username/password. Web browser users can use SAML2.0 and authenticate against your local IDP and SSO into Google Apps.

You can sync passwords from your local enterprise store to Google Apps or you can use a tool like PingFederate + Google Connector that will not only allow SAML2 SSO but also provision/deprovision users via the Google Apps API. It also includes a password reset tool to manage the Google Apps password that Google maintains.

HTH - Ian

OTHER TIPS

Yes - it is possible to federate Google Apps and ADFS.

Although I've never done it, you would probably click on "Advanced Tools" in the Authentication section of the Google Apps administration console and select "Set up single sign-on (SSO)" while configuring the federation.

Your mobile users should then be able to use their organisation credentials to log on to Gmail.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow