Going Places. Destination Yet Unknown.

Permalink: 10.24.2007

SAML SSO for Google Apps

Working with Google engineers over the past few days, one of our engineers today validated the use of PingFederate for establishing SAML single sign-on into Google Apps. Using our Integrated Windows Authentication (Windows IWA) integration kit, a user can log into Windows (to Active Directory), open their browser, and immediately gain secure SAML access to their Google email and other applications and documents. Below are the notes from the engineer who validated this interoperability.

======================

Configure an admin account for Google Apps. In the admin account, provide Google with the URL for its SSO service and upload your public key such that Google can verify your SAML responses. That's the only configuration necessary on the Google Apps account.

On the PingFederate side, create a new connection (in our test case, we used the PingFederate IWA adapter) and define the entityID and ACS URL for Google.

Below are the steps that describe how this works:

  1. User makes a request to reach a Google-hosted application. In this case I was trying to access the Gmail account I had, and the URL for that was http://mail.google.com/a/pingidentity.com.
  2. Google generates a SAML authentication request.
  3. We receive the SAML request and then authenticate the user. Since we are using the IWA adapter, the user already has a valid session.
  4. We generate a SAML response that contains the authenticated user's username and send it to Google's ACS.
  5. Google's ACS verifies the SAML response using our public key and redirects the user to the destination URL.
  6. The user has been redirected to the destination URL and is logged in to Gmail.

Of course, you can try all of this for free: just download PingFederate, get an activation key, select an integration kit, and have at it. Future tech notes and a graphic explaining what we've done will follow.
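The six numbered steps above describe the exchange but say only that Google's ACS "verifies the SAML response using our public key". The Go program below is an added example, not code from this post, from PingFederate or from Google. It models the IdP side of step 4 (build a response to one specific request for an already-authenticated user and sign it) and the ACS side of step 5 (verify the signature with the uploaded public key, then check the response is bound to this request, this ACS and this service provider and is still within its validity window). The entity IDs, ACS URL, request ID and username are assumed placeholders; the signature is plain RSA over the serialized bytes, a simplification of the XML-DSig over a canonicalised document that real SAML uses. It goes beyond the notes in spelling out the InResponseTo, Destination, Audience and expiry checks, which are what stop a validly signed response from being replayed or consumed by a different service provider.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Assumed identifiers; a real deployment uses the values configured at Google and in PingFederate.
const (
	spEntityID  = "google.com/a/example.com"                 // assumed SP (Google Apps) entity ID
	idpEntityID = "https://idp.example.com/sso"              // assumed IdP (PingFederate) entity ID
	acsURL      = "https://www.google.com/a/example.com/acs" // assumed ACS URL
)

// AuthnRequest holds what the request generated in step 2 tells the IdP.
type AuthnRequest struct{ ID, Issuer, ACSURL string }

// Conditions limit the assertion to one audience and one validity window.
type Conditions struct {
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	Audience     string `xml:"AudienceRestriction>Audience"`
}

// Response is the subset of the SAML response the IdP returns in step 4.
type Response struct {
	XMLName      xml.Name   `xml:"Response"`
	ID           string     `xml:"ID,attr"`
	InResponseTo string     `xml:"InResponseTo,attr"`
	Destination  string     `xml:"Destination,attr"`
	Issuer       string     `xml:"Issuer"`
	NameID       string     `xml:"Assertion>Subject>NameID"`
	Conditions   Conditions `xml:"Assertion>Conditions"`
}

// SignedResponse is what crosses the wire: the serialized Response plus an RSA signature
// over exactly those bytes (a simplification of XML-DSig, which signs a canonical form).
type SignedResponse struct{ XML, Signature []byte }

// BuildResponse is the IdP side of step 4: answer one specific request for a user the
// IWA adapter has already authenticated, and sign the result with the IdP private key.
func BuildResponse(priv *rsa.PrivateKey, req AuthnRequest, user string, now time.Time) (SignedResponse, error) {
	raw, err := xml.Marshal(Response{
		ID: "_resp-" + req.ID, InResponseTo: req.ID, Destination: req.ACSURL, Issuer: idpEntityID,
		NameID: user,
		Conditions: Conditions{
			NotOnOrAfter: now.Add(5 * time.Minute).UTC().Format(time.RFC3339),
			Audience:     req.Issuer, // only the SP that asked may consume this assertion
		},
	})
	if err != nil {
		return SignedResponse{}, err
	}
	digest := sha256.Sum256(raw)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return SignedResponse{XML: raw, Signature: sig}, err
}

// VerifyResponse is the ACS side of step 5: check the signature with the uploaded public
// key, then the bindings that defeat replay and cross-site reuse, and return the username.
func VerifyResponse(pub *rsa.PublicKey, sr SignedResponse, outstandingID string, now time.Time) (string, error) {
	digest := sha256.Sum256(sr.XML)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sr.Signature); err != nil {
		return "", errors.New("signature does not verify against the IdP public key")
	}
	var r Response
	if err := xml.Unmarshal(sr.XML, &r); err != nil {
		return "", err
	}
	expiry, err := time.Parse(time.RFC3339, r.Conditions.NotOnOrAfter)
	switch {
	case err != nil:
		return "", err
	case r.Issuer != idpEntityID:
		return "", fmt.Errorf("unexpected issuer %q", r.Issuer)
	case r.InResponseTo != outstandingID:
		return "", errors.New("InResponseTo does not match an outstanding request")
	case r.Destination != acsURL:
		return "", fmt.Errorf("response addressed to %q, not this ACS", r.Destination)
	case r.Conditions.Audience != spEntityID:
		return "", errors.New("assertion audience is another service provider")
	case !now.Before(expiry):
		return "", errors.New("assertion has expired")
	}
	return r.NameID, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // the IdP key pair; Google holds the public half
	req := AuthnRequest{ID: "_req-1", Issuer: spEntityID, ACSURL: acsURL}
	sr, _ := BuildResponse(priv, req, "alice@example.com", time.Now())
	fmt.Println(VerifyResponse(&priv.PublicKey, sr, req.ID, time.Now()))
}
```

The checks in VerifyResponse are what separate "this signature is valid" from "this response was issued for this request, for this service provider, and is still current"; a response that fails any of them is rejected even though it carries a good signature, which is the behaviour to expect from the ACS once the public key has been uploaded.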


Created 10/24/2007; 9:51:03 AM. Updated Tuesday, May 6, 2008 at 2:59:39 PM
(C) 2008 Andre Durand - Federated Identity Management
