Google Apps offers an OpenID API that allows end users to securely sign in to third-party web sites using their Google Apps user account. The OpenID standard frees users from having to set up separate login accounts for different web sites and, conversely, frees web site developers from the task of managing login information and security measures. OpenID achieves this goal by providing a framework in which users can establish an account with an OpenID provider, such as a Google Apps hosted domain, and use that account to sign in to any web site that accepts OpenIDs.
The Google Apps API supports the OpenID 2.0 Directed Identity protocol, allowing any hosted domain to provide authentication support as an OpenID provider. On request from a third-party site, Google authenticates users who are signing in with an existing Google Apps account, and returns to the third-party site an identifier that the site can use to recognize the user. This identifier is consistent, enabling the third-party site to recognize the user across multiple sessions. The OpenID API also supports the following extensions:
OpenID Attribute Exchange 1.0 allows web developers to access, with the user's approval, certain user information stored with Google, including user name, email address, country and preferred language.
OpenID+OAuth Hybrid protocol lets web developers combine an OpenID request with an OAuth authentication request. This extension is useful for web developers who use both OpenID and OAuth, particularly in that it simplifies the process for users by requesting their approval once instead of twice.
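The following Python example is added here to make the directed identity flow and the Attribute Exchange request above concrete; it is not code from the Google Apps API or from this page. It builds a checkid_setup request in which both claimed_id and identity are set to identifier_select (the relying party does not know the user's identifier in advance) with an AX fetch_request for email and name, and then performs the relying-party checks on a positive assertion: expected OP endpoint, matching return_to, required signed fields, HMAC-SHA256 signature over the OpenID 2.0 key-value form, and a response_nonce freshness and replay check. The returned claimed_id is the consistent identifier the site stores to recognize the user across sessions. The RP URLs, the OP endpoint, the association MAC key, the nonce skew policy and the sample assertion are all constructed for the example and are not real Google values.

```python
import base64
import calendar
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
AX_NS = "http://openid.net/srv/ax/1.0"
NONCE_MAX_SKEW = 300  # seconds; assumed RP policy, not from the page

# Constructed relying-party values; the OP endpoint is a placeholder, not a real Google URL.
RP_REALM = "https://rp.example.com/"
RP_RETURN_TO = "https://rp.example.com/openid/return"
OP_ENDPOINT = "https://op.example.com/openid/endpoint"

# OpenID 2.0 section 10.1: these fields must be covered by the signature.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
                   "claimed_id", "identity"}


def build_directed_identity_request(op_endpoint, assoc_handle):
    """Directed-identity checkid_setup URL with an AX fetch for email and name."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,  # OP fills in the real identifier
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": RP_RETURN_TO,
        "openid.realm": RP_REALM,
        "openid.assoc_handle": assoc_handle,
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_request",
        "openid.ax.type.email": "http://axschema.org/contact/email",
        "openid.ax.type.firstname": "http://axschema.org/namePerson/first",
        "openid.ax.type.lastname": "http://axschema.org/namePerson/last",
        "openid.ax.required": "email,firstname,lastname",
    }
    return op_endpoint + "?" + urlencode(params)


def signature_for(fields, mac_key):
    """Base64 HMAC-SHA256 over the key-value form ("key:value\\n", prefix stripped)
    of the fields listed in openid.signed, in order (OpenID 2.0 section 6.1)."""
    signed_keys = fields["openid.signed"].split(",")
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


def nonce_timestamp(nonce):
    # response_nonce begins with a 20-character UTC timestamp "YYYY-MM-DDTHH:MM:SSZ".
    return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))


def verify_positive_assertion(fields, mac_key, seen_nonces, now):
    """RP-side checks on an id_res response; returns the stable claimed_id."""
    if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
        raise ValueError("not an OpenID 2.0 positive assertion")
    if fields.get("openid.op_endpoint") != OP_ENDPOINT:
        raise ValueError("assertion from an unexpected OP endpoint")
    if fields.get("openid.return_to") != RP_RETURN_TO:
        raise ValueError("return_to does not match the URL this RP sent")
    signed = fields.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED <= set(signed):
        raise ValueError("required fields are not covered by the signature")
    if any("openid." + k not in fields for k in signed):
        raise ValueError("signed list names a field that is absent")
    if not hmac.compare_digest(signature_for(fields, mac_key), fields.get("openid.sig", "")):
        raise ValueError("signature mismatch")
    nonce = fields["openid.response_nonce"]
    if abs(now - nonce_timestamp(nonce)) > NONCE_MAX_SKEW:
        raise ValueError("response_nonce is outside the accepted time window")
    if nonce in seen_nonces:
        raise ValueError("response_nonce already used (replay)")
    seen_nonces.add(nonce)
    return fields["openid.claimed_id"]


def make_sample_assertion(mac_key, nonce, claimed_id):
    """Constructed positive assertion with an AX fetch_response, signed as an OP would."""
    fields = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.return_to": RP_RETURN_TO, "openid.response_nonce": nonce,
        "openid.assoc_handle": "assoc-constructed",
        "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response",
        "openid.ax.type.email": "http://axschema.org/contact/email",
        "openid.ax.value.email": "alice@example.com",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                         "assoc_handle,ns.ax,ax.mode,ax.type.email,ax.value.email",
    }
    fields["openid.sig"] = signature_for(fields, mac_key)
    return fields


def demo():
    """Accept a fresh assertion, then reject a replay and a tampered claimed_id."""
    mac_key = secrets.token_bytes(32)  # shared with the OP during association
    seen, nonce = set(), "2011-05-04T10:15:30Zq7Z9"  # constructed nonce
    claimed = "https://op.example.com/id/CONSTRUCTED-USER-ID"
    assertion = make_sample_assertion(mac_key, nonce, claimed)
    now = nonce_timestamp(nonce) + 5
    claimed_id = verify_positive_assertion(assertion, mac_key, seen, now)

    def rejected(f, store):
        try:
            verify_positive_assertion(f, mac_key, store, now)
        except ValueError:
            return True
        return False

    tampered = dict(assertion, **{"openid.claimed_id": claimed + "-other"})
    return claimed_id, rejected(assertion, seen), rejected(tampered, set())


if __name__ == "__main__":
    print(build_directed_identity_request(OP_ENDPOINT, "assoc-constructed"))
    print(demo())
```

The OP endpoint and association handle come from discovery and the association step, which this example does not perform; in a real deployment the endpoint check should compare against the endpoint found during discovery for that domain, and the nonce store must be shared across all RP instances for the replay check to hold.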
For the enterprise and the organization, the Google Apps OpenID API enables a Universal Single Sign-on service. A single Google Apps login can provide secure access to Salesforce.com, additional SaaS and on-demand solutions, B2B partners, internal applications and consumer web sites. See our blog post for more details and examples.
For more information on the OpenID framework, refer to the following specifications:
See also the Federated Login for Google Account Users and Google Group on Federated Login for discussion on using Google's OpenID API.
Note: The Federated Login Service is disabled by default for Google Apps Premier and Education Editions. The domain admin can enable it from the Control Panel at http://www.google.com/a/cpanel/<your-domain>/SetupIdp.
This section provides a high-level overview of how OpenID authentication works.
OpenID login authentication for web applications involves a sequence of interactions between the third-party web application, the Google Apps hosted domain, the Google domain, Google's login authentication service, and the end user. The diagram and sequence below describe the process as recommended by Google. For simplicity, the diagram covers the flow in which discovery is done on the Google domain. See the Google Apps Relying Party Discovery Documentation (experimental) for the complete flow and examples.
Note: It is highly recommended that domain admins post a host-meta document as described in the Discovery Documentation.
This image illustrates the following steps.
Note: In some circumstances the login step or the approval step (or both) may be skipped.
You can design your federated login page in any way that fits your site; the page simply needs to (1) solicit information from the user about how they want to sign in, and (2) trigger the sign-in process. The traditional OpenID specification called for a login box or other text entry field that required the user to supply some kind of identifier. For the Google Apps directed identity approach, we recommend any of the following options:
We recommend keeping the interface as simple as possible. Visit the User Experience summary for Federated Login Google Sites page, where you can find links to demos, mocks and usability research data.