Is Google OAuth a viable solution for this project? - php

At my company we use Google Apps.
I've written a dashboard application (PHP/Laravel) which is used throughout the organization. It has a custom authentication system, but I'd like to integrate it with other services we use.
The basic use case that I'm interested in is something like this: you come in to the office in the morning, sign in to your email, and you're automatically signed in to the dashboard.
I've been looking at OAuth & reading about how to implement it, but it's not clear to me that it will do what I want.
So the basic question is this: what can Google OAuth do for me?

You can use Google+ Signin which is an OpenID Connect compliant SSO mechanism built on top of OAuth. By extending your applications with OpenID Connect Resource Provider (RP) functionality and pointing them to Google as the Provider (OP), you would achieve SSO across your applications.
For a list of OpenID Connect RP libraries/implementations that you may leverage for your applications, see: http://openid.net/developers/libraries/
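For the company-dashboard case in the question, the step that keeps sign-in limited to the organization is the claim check the RP runs on Google's ID token. The sketch below is an added example, not code from the original answer or from any library. It assumes the RP library has already verified the token signature; the function name, client ID, nonce and domain are hypothetical placeholders.

```php
<?php
// Added example. Assumes an OpenID Connect RP library has already verified the
// ID token signature; only the decoded claims are checked here.
const GOOGLE_ISSUERS = ['https://accounts.google.com', 'accounts.google.com'];

/** Returns a list of failures; an empty list means the login may proceed. */
function checkIdTokenClaims(array $claims, string $clientId, string $nonce,
                            string $domain, int $now, int $skew = 60): array
{
    $errors = [];
    if (!in_array($claims['iss'] ?? null, GOOGLE_ISSUERS, true)) {
        $errors[] = 'iss is not Google';
    }
    // aud may be a single string or a list of strings.
    if (!in_array($clientId, (array) ($claims['aud'] ?? []), true)) {
        $errors[] = 'aud does not contain our client ID';
    }
    if (!is_int($claims['exp'] ?? null) || $claims['exp'] + $skew < $now) {
        $errors[] = 'exp missing or in the past';
    }
    // The nonce ties the token to the login request this session started.
    if (!is_string($claims['nonce'] ?? null) || !hash_equals($nonce, $claims['nonce'])) {
        $errors[] = 'nonce mismatch';
    }
    // hd (hosted domain) separates company accounts from any other Google account.
    if (!is_string($claims['hd'] ?? null) || strcasecmp($claims['hd'], $domain) !== 0) {
        $errors[] = 'account is outside the company domain';
    }
    return $errors;
}

// Constructed sample claims; client ID, domain and nonce are placeholders.
$now = 1700000000;
$employee = [
    'iss' => 'https://accounts.google.com', 'aud' => 'dashboard-client-id.example',
    'sub' => '1000000000000000001', 'exp' => $now + 3600,
    'nonce' => 'n-constructed-123', 'hd' => 'example.com',
];
$outsider = $employee;
unset($outsider['hd']);           // a consumer Google account carries no hd claim
$outsider['exp'] = $now - 7200;   // and this token is also stale

foreach (['employee' => $employee, 'outsider' => $outsider] as $label => $claims) {
    $errors = checkIdTokenClaims($claims, 'dashboard-client-id.example',
                                 'n-constructed-123', 'example.com', $now);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'accepted', PHP_EOL;
}
```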

Related

OpenId or OAuth

I want to build a PHP web app where users can log in with Facebook, Google, Twitter or any other possible server and engage in some activities like voting and commenting. I won't be using any of the user's data from the service provider. So which one is the better option, OpenId or OAuth? Or should I try implementing with the API of each provider?
I would recommend OpenID Connect.
Too many websites have an OAuth2 authentication API. For a list of the more major sites, see:
http://www.gluu.co/oauth-pocket-reference
This is simply untenable for web developers. OpenID Connect went final in Feb 2014. Google supports it. Any other domain on the Internet that supports it could be supported automatically (i.e. as long as their domain supports OpenID Connect Discovery... publication of their endpoints at /.well-known/openid-configuration).
NRI has an open source PHP OpenID Connect library: http://www.gluu.co/oidc-php-rp
If you support these legacy, proprietary consumer IDPs, it will be a pain in the neck as they slowly fall out of favor.
You may also look at a higher level interface like everyauth.com
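Supporting any provider through discovery means the RP trusts whatever JSON it fetches from /.well-known/openid-configuration, so that document should be checked before use. The sketch below is an added example, not code from the original answer or from the libraries it links. The function name and the idp.example.com provider are hypothetical, and the documents are constructed inline instead of fetched.

```php
<?php
// Added example. Checks a provider's discovery document before the RP trusts it.
/** Returns a list of problems; an empty list means the document is usable. */
function checkDiscoveryDocument(string $json, string $issuer): array
{
    $doc = json_decode($json, true);
    if (!is_array($doc)) {
        return ['not a JSON object'];
    }
    $errors = [];
    // The document's issuer must equal the issuer it was fetched for.
    if (($doc['issuer'] ?? null) !== $issuer) {
        $errors[] = 'issuer mismatch';
    }
    // Endpoints that carry codes, tokens and signing keys must use TLS.
    foreach (['authorization_endpoint', 'token_endpoint', 'jwks_uri'] as $key) {
        $url = $doc[$key] ?? null;
        if (!is_string($url) || parse_url($url, PHP_URL_SCHEME) !== 'https') {
            $errors[] = "$key missing or not https";
        }
    }
    $algs = $doc['id_token_signing_alg_values_supported'] ?? null;
    if (!is_array($algs) || !in_array('RS256', $algs, true)) {
        $errors[] = 'RS256 not listed for ID token signing';
    }
    return $errors;
}

// Constructed sample for a hypothetical provider, idp.example.com.
$issuer = 'https://idp.example.com';
$good = [
    'issuer' => $issuer,
    'authorization_endpoint' => "$issuer/authorize",
    'token_endpoint' => "$issuer/token",
    'jwks_uri' => "$issuer/jwks",
    'id_token_signing_alg_values_supported' => ['RS256'],
];
// Left-hand keys win in an array union, so these two values override $good.
$bad = ['issuer' => 'https://other.example.net',
        'token_endpoint' => 'http://idp.example.com/token'] + $good;

foreach (['good' => $good, 'bad' => $bad] as $label => $doc) {
    $errors = checkDiscoveryDocument(json_encode($doc), $issuer);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'ok', PHP_EOL;
}
```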

Google Apps as Identity Provider

Is it possible to use Google Apps as the identity provider in a SAML SSO set up? I was planning on using simpleSAML.php and I know you can build in authentication modules but I wondered if it was possible to build an authentication module using Google as the identity provider via the provisioning API?
We are going to be deploying Chromebooks - and they don't yet integrate with SSO, only with the main Google Apps user list. So rather than work of something like Ping Identity, it would be better just to use Google Apps as our identity provider to authenticate our other web apps.
Hope that makes sense.
YES, since a few months ago. It is actually pretty simple. You can follow these two links for current info:
https://support.google.com/a/answer/6087519?hl=en
https://robinpowered.com/blog/how-to-set-up-saml-with-google-apps/
Google (Apps) accounts can be used as an OpenID identity provider. By implementing your app as a relying party, you could authenticate your users based on their Google accounts. Much like the Stack Overflow Google login:
http://code.google.com/googleapps/domain/sso/openid_reference_implementation.html
With SAML SSO, Google acts as a relying party. While it's possible to use the provisioning API and clientLogin, this is not supported and is possibly against the Google Apps ToS.
No, you cannot use Google as a SAML Identity Provider, only as the Service Provider.
(as per response from #jukka-dahlbom)

How can Google account credentials be applied to my PHP app (SSO)?

I have a PHP application that will be accessed by users who are already signed into Google (the app runs in an iFrame on a Google Site that requires Google login).
What is the best SSO approach that uses Google login, so users have the same identity in both places?
Best to use some OpenID open source? .. zend/cake/symf plugin? GoogleApps infrastructure? .. or an identity service like Janrain?
Is it too early to go with OpenID Connect? etc.
Thanks much.
OpenID works well - and indeed, is good enough for StackOverflow - you probably used it to register your account here.
There's an article called Getting Started with OpenID. Although it's on Zend's website, it doesn't seem to be tied to the Zend framework, so is a good starting point. It covers all the modules you need to download, and includes an example to help get you started.
Also take a look on simplesamlphp and its integration with Google:
Setting up a simpleSAMLphp SAML 2.0 IdP to use with Google Apps
It is an open source project based on PHP. Nice community and complete documentation.
Hi again I recently discovered this interesting project HybridAuth, an SSO PHP Library for authentication through identity providers like Facebook, Twitter, Google, Yahoo, LinkedIn, MySpace, Windows Live, Tumblr, Identica, LastFM, OpenID, PayPal, Vimeo, Foursquare, AOL, Viadeo, and others.
I didn't test it, but it also seems a good solution.

How do you authenticate a cloud service against a local Active Directory?

Is there a standardized way to set up AD authentication for a web service that does not have direct access to the AD controller? I'm thinking of a cloud application such as Google Apps that wishes to authenticate against an organization's AD.
I have googled around quite a bit but I don't seem to know the right keywords. Maybe someone else can enlighten me or give me some search pointers.
FWIW, our applications are written in PHP using Zend Framework.
The most elegant solution to your problem would be using identity federation. The basic idea is to authenticate your user locally like you do on your regular apps and send a security token to your cloud provider, proving the identity of your users.
SAML is the most common federation protocol used for achieving this. Google has a nice page explaining the details and the wikipedia page is also insightful:
There are plenty of identity federation solutions, for example:
Active Directory Federation Services (ADFS)
SimpleSAMLphp
Shibboleth
OpenAM
SimpleSAMLphp may be a good start to familiarize with SAML, as it is.. simple :)
The procedure to connect it to google apps is described here.
ADFS would be an AD-centric solution, but is a bit more complex to configure.

OpenID integration

How can I integrate OpenID into my website so people can login with their Google, Twitter, or Facebook credentials?
Did you bother to look at the OpenID site?
Here's a list of libraries, there's a ton of options for PHP.
Here's a list of plugins for popular content management scripts.
Janrain User Management Platform (JUMP)
You need to use a mixture of technologies to achieve that. OpenID is a technology that will allow your users to log in with Google (and Yahoo and many other providers). Twitter and Facebook both use the OAuth protocol, but it's easier to grab an API specific to a given vendor.
I've implemented a ready-made solution (working demo) that makes use of LightOpenID (to allow login with a Google/Yahoo account) and the Facebook and Twitter APIs; you can grab it on GitHub.
