Is it possible to use Google Apps as the identity provider in a SAML SSO set up? I was planning on using simpleSAML.php and I know you can build in authentication modules but I wondered if it was possible to build an authentication module using Google as the identity provider via the provisioning API?
We are going to be deploying Chromebooks - and they don't yet integrate with SSO, only with the main Google Apps user list. So rather than work off something like Ping Identity, it would be better just to use Google Apps as our identity provider to authenticate our other web apps.
Hope that makes sense.
YES, since a few months ago. It is actually pretty simple. You can follow these two links for current info:
https://support.google.com/a/answer/6087519?hl=en
https://robinpowered.com/blog/how-to-set-up-saml-with-google-apps/
Google (Apps) accounts can be used as an OpenID identity provider. By implementing your app as a relying party, you could authenticate your users based on their Google accounts. Much like the Stack Overflow Google login:
http://code.google.com/googleapps/domain/sso/openid_reference_implementation.html
With SAML SSO, Google acts as a relying party. While it's possible to use the provisioning API and ClientLogin, this is not supported and is possibly against the Google Apps ToS.
No, you cannot use Google as a SAML Identity Provider, only as the Service Provider.
(as per response from #jukka-dahlbom)
I use Google OAuth to sign in my Web Application which was created as a project in Google Cloud Platform i.e. Project1.
I have a user with custom role in this project. After I logged in with my Google account, I'm able to get userinfo using Google_Client (PHP library - google/apiclient). However, I'm having a hard time figuring out how to get the custom role for the logged in user. I tried using Google_Service_iam but get Uncaught Google_Service_Exception: 404 Not Found.
Is this a correct way of building a role based control web app utilizing Google IAM?
Although it would be somehow possible by building it yourself, I would not directly use IAM as an authentication provider. Instead, use the Identity Platform or something like Auth0 or Okta. Myself, I prefer Firebase Authentication, which integrates easily with all popular languages and frameworks.
IAM is meant to authorize users within GCP, and not in a custom web-app. In your setup, you would have to add every future user to Gsuite and IAM, which is very costly and not designed for this purpose.
I would recommend taking a look at the Authentication Strategies for application developers.
Since you need to grant access to Google Cloud APIs on behalf of an end user, you may use the OAuth 2.0 protocol. The application initiates an OAuth consent flow where your application will receive the user's credentials. With these credentials, it can call Google Cloud APIs on behalf of the user.
Another solution, as Nebulastic also suggested, is the Cloud Identity Platform, where you can configure custom claims to restrict a user's access to a resource depending on their role.
At my company we use Google Apps.
I've written a dashboard application (PHP/Laravel) which is used throughout the organization. It has a custom authentication system, but I'd like to integrate it with other services we use.
The basic use case that I'm interested in is something like this: you come in to the office in the morning, sign in to your email, and you're automatically signed in to the dashboard.
I've been looking at OAuth & reading about how to implement it, but it's not clear to me that it will do what I want.
So the basic question is this: what can Google OAuth do for me?
You can use Google+ Sign-in, which is an OpenID Connect compliant SSO mechanism built on top of OAuth. By extending your applications with OpenID Connect Resource Provider (RP) functionality and pointing them to Google as the Provider (OP) you would achieve SSO across your applications.
For a list of OpenID Connect RP libraries/implementations that you may leverage for your applications, see: http://openid.net/developers/libraries/
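As an added example (not code from the question or from any answer on this page), these are the claim checks a relying party should run on the ID token it gets back from Google acting as the OpenID Provider, so that only verified accounts from the company's own Google Apps domain are signed in. It assumes the token's RS256 signature has already been verified against Google's JWKS by a JOSE library, and the client id, domain and token contents are constructed placeholders.

```python
import base64
import json
import time

# Both issuer spellings appear in Google ID tokens; accept either.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED compact JWT for this example only.
    A real Google ID token carries an RS256 signature in the third segment."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "placeholder"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def check_id_token_claims(id_token, client_id, hosted_domain, nonce, now=None):
    """Claim checks a relying party must run on a Google ID token AFTER the
    signature has been verified against Google's JWKS (left to a JOSE library,
    not done here). Returns (ok, reason); reason names the first failing check."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "issuer is not Google"
    if claims.get("aud") != client_id:        # token minted for another client
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "token expired"
    if claims.get("nonce") != nonce:          # binds the token to this login attempt
        return False, "nonce mismatch"
    if claims.get("hd") != hosted_domain:     # limit SSO to the company's Google Apps domain
        return False, "account outside hosted domain"
    if claims.get("email_verified") is not True:
        return False, "email not verified"
    return True, claims["sub"]                # 'sub' is the stable per-user identifier
```

A personal Gmail account carries no `hd` claim at all, so the hosted-domain check rejects it even when the signature and every other claim are valid.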
I want to build a PHP web app where users can log in with Facebook, Google, Twitter or any other possible server and engage in some activities like voting and commenting. I won't be using any of the user's data from the service provider. So which one is the better option, OpenID or OAuth? Or should I try implementing with the API of each provider?
I would recommend OpenID Connect.
Too many websites have an OAuth2 authentication API. For a list of the more major sites, see:
http://www.gluu.co/oauth-pocket-reference
This is simply untenable for web developers. OpenID Connect went final in Feb 2014. Google supports it. Any other domain on the Internet that supports it could be supported automatically (i.e. as long as their domain supports OpenID Connect Discovery... publication of their endpoints at /.well-known/openid-configuration).
NRI has an open source PHP OpenID Connect library: http://www.gluu.co/oidc-php-rp
If you support these legacy, proprietary consumer IDPs, it will be a pain in the neck as they slowly fall out of favor.
You may also look at a higher level interface like everyauth.com
I'm writing an Android app that will require folks to identify themselves. We figured that the best course of action is to NOT have folks register with our server since practically everybody has an account somewhere else with a major service (Google, Twitter, Facebook, Yahoo! for example).
The REST API is being built around CakePHP. This in itself isn't a sticking point for what I need, but the issue is more on the Android app along with its communication to our API. Essentially what I'd like to see is a user with X number of devices having the ability to login to a service they already have access to.
This identity would then be known by our server as an identity for that user. My app would then need a way to tell our API that "I am John Doe from service example.com, and here's proof". The servers would also accept a new device for the same identity and tie it in to that user.
I am stuck on some issues here:
OpenID seems to be the way to go (though I'm not sure if Twitter supports OpenID). But how can I do OpenID from my device? I don't need somebody to point me to OpenID for Java. This is NOT 100% of the answer I am looking for. Where is the website going to redirect to?
What will the authentication piece be like between my webserver and Android app? I'm not logging in. I'm using an OpenID. Should I just take some/all of the OpenID information and pass it to the webserver for storage, and then pass it again to check against for every API call?
Twitter not only does OpenID, but they also have a dedicated page talking about what the flow is and what you need to store. Google has a similar page for their login. The OpenID login flows are (for the most part) OAuth2.
I have a PHP application that will be accessed by users who are already signed into Google (the app runs in an iFrame on a Google Site that requires Google login).
What is the best SSO approach that uses Google login, so users have the same identity in both places?
Best to use some open source OpenID library? .. zend/cake/symf plugin? Google Apps infrastructure? .. or an identity service like Janrain? Is it too early to go with OpenID Connect? etc.
Thanks much.
OpenID works well - and indeed, is good enough for StackOverflow - you probably used it to register your account here.
There's an article called Getting Started with OpenID. Although it's on Zend's website, it doesn't seem to be tied to the Zend framework, so is a good starting point. It covers all the modules you need to download, and includes an example to help get you started.
Also take a look at simpleSAMLphp and its integration with Google:
Setting up a simpleSAMLphp SAML 2.0 IdP to use with Google Apps
It is an open source project based on PHP, with a nice community and complete documentation.
Hi again, I recently discovered this interesting project, HybridAuth, an SSO PHP library for authentication through identity providers like Facebook, Twitter, Google, Yahoo, LinkedIn, MySpace, Windows Live, Tumblr, Identica, LastFM, OpenID, PayPal, Vimeo, Foursquare, AOL, Viadeo, and others.
I didn't test it but it seems also a good solution.