Question

  1. How can I make my Google Apps domain an OpenID provider? Is there any documentation, tutorial, working example, or something?

  2. How do I authenticate users in my own application using Google Apps domain authentication (I mean without OpenID)? I've heard that it's something about the GData API, but I don't know where to start. Are there any useful tutorials, how-tos, or working examples?

I would like to know about free or open source solutions.

Solution

You don't have to do anything to make your Google Apps domain an OpenID provider. BUT, Google's special OpenID service for Apps for Domains requires OpenID relying parties to implement a special (proprietary) discovery mechanism and most RPs don't [yet]. So, if you're testing against that, it won't work.

One way to test is to go to an OpenID RP that uses RPXNow. RPX is one of those RPs that do accept Google's new discovery mechanism; jyte.com, for example. Try logging in there.

OTHER TIPS

Regarding question number 1, I've been working on this for the past few days now.

Check it out here: How do you delegate your OpenId to Google Apps

It appears Google doesn't allow delegation, so you can't just put the meta information in the header of your document. I believe you have to create a file called yourdomain.com/.well-known/host-meta that points to the XRDS file on the Google server. It's explained better on the discovery API page. Sorry, that's all jargon, but I don't know how otherwise to explain it.

For Google federated OpenID testing try: http://www.puffypoodles.com/

The delegation issue is better in the Google group for the OpenID federated login API.

Regarding question number 2, the federated login API provides OAuth goodness, so you can pull in user info and use auth tokens etc. Check the federated login API.

Hope that helps.

Their OpenID Federated Login Service looks like the place to start. It's based on OpenID and allows you to have users sign-in to your site using their Google Apps ID. It looks like it's not supported with Google Apps Standard edition.

http://code.google.com/apis/apps/sso/openid_reference_implementation.html

There is also the Single Sign-On framework that doesn't use OpenID which may be the answer to #2.

http://code.google.com/apis/apps/open_source_projects.html#sso

Lots of people posted about OpenID, so I'll answer your second question.

ClientLogin is the API you're after.

http://code.google.com/googleapps/domain/gdata_provisioning_api_v2.0_developers_protocol.html#client_login

Note that the link above is from the provisioning API doc, but it is not dependent on access to provisioning API, it's just where this info lives now.

Lots of examples in different languages there.

Caveats:

  • no single sign-on for this
  • Google will dislike you (they are trying to kill ClientLogin)
  • you will get occasional Captcha failures and will need to deal with those

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow