Wednesday, 24 October 2007
SAML Single Sign-On for Google Apps
Working with Google engineers over the past few days, one of our engineers today validated the use of PingFederate for establishing SAML single sign-on into Google Apps. Using our Integrated Windows Authentication (Windows IWA) integration kit, a user can log into Windows (to Active Directory), open their browser, and immediately gain secure SAML access to their Google email and other applications and documents. Below are the notes from the engineer who validated this interoperability.
======================
Configure an admin account for Google Apps. In the admin account, provide Google with the URL of your SSO service (the PingFederate endpoint Google will redirect users to) and upload your public key so that Google can verify your SAML responses. That is the only configuration necessary on the Google Apps account.
On the PingFederate side, create a new connection (in our test case we used the PingFederate IWA adapter) and define the entityID and ACS URL for Google.
Below are the steps that describe how this works:
- User makes a request to reach a Google hosted application. In this case I was trying to access a Gmail account I had, and the URL for that was http://mail.google.com/a/pingidentity.com.
- Google generates a SAML authentication request.
- We receive the SAML request and then authenticate the user. Since we are using the IWA adapter, the user already has a valid session.
- We generate a SAML response that contains the authenticated user's username and send it to Google's ACS.
- Google's ACS verifies the SAML response using our public key and redirects the user to the destination URL.
- The user has been redirected to the destination URL and is logged in to Gmail.
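The configuration and the six-step exchange above, as an added example that is not part of the original post and not PingFederate's or Google's code. Both sides are modelled in one Go program: the SP (Google) issues an AuthnRequest naming its ACS, the IdP (PingFederate, after the IWA adapter has identified the user) answers with a Response carrying the username and signs it, and the ACS verifies the signature with the uploaded public key before checking InResponseTo, Destination, Audience and expiry. The entityID and ACS URL are assumed placeholder values, and the detached RSA-SHA256 signature over the serialized bytes is a simplification of the enveloped XML Signature real SAML uses; the trust relationship it demonstrates is the same.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Constructed identifiers for this example; the real entityID and ACS URL come from Google.
const (
	spEntityID = "google.com/a/example.com"
	acsURL     = "https://www.google.com/a/example.com/acs"
)

// AuthnRequest: Google asks the IdP to authenticate the user and post the result to its ACS.
type AuthnRequest struct {
	ID     string `xml:"ID,attr"`
	ACSURL string `xml:"AssertionConsumerServiceURL,attr"`
	Issuer string `xml:"Issuer"`
}

type Conditions struct {
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	Audience     string `xml:"AudienceRestriction>Audience"`
}

// Response: the IdP's answer, carrying the authenticated username as the subject NameID.
type Response struct {
	InResponseTo string     `xml:"InResponseTo,attr"`
	Destination  string     `xml:"Destination,attr"`
	NameID       string     `xml:"Assertion>Subject>NameID"`
	Conditions   Conditions `xml:"Assertion>Conditions"`
}

// SignedMessage is what the browser posts to the ACS. Real SAML uses an enveloped XML Signature
// with canonicalization; a detached signature over the exact serialized bytes is an assumed simplification.
type SignedMessage struct {
	Payload   []byte
	Signature string // base64
}

func sum(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
// buildAuthnRequest is the SP step; Google remembers the request ID it issued.
func buildAuthnRequest(id string) AuthnRequest {
	return AuthnRequest{ID: id, ACSURL: acsURL, Issuer: spEntityID}
}

// idpRespond is the PingFederate step: the IWA adapter already identified the user,
// so the IdP only asserts the username and signs with its private key.
func idpRespond(priv *rsa.PrivateKey, req AuthnRequest, username string, now time.Time) (SignedMessage, error) {
	resp := Response{InResponseTo: req.ID, Destination: req.ACSURL, NameID: username,
		Conditions: Conditions{Audience: req.Issuer, NotOnOrAfter: now.Add(5 * time.Minute).UTC().Format(time.RFC3339)}}
	payload, err := xml.Marshal(resp)
	if err != nil {
		return SignedMessage{}, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum(payload))
	return SignedMessage{Payload: payload, Signature: base64.StdEncoding.EncodeToString(sig)}, err
}

// acsVerify is the Google step: verify the signature with the uploaded public key first, then check the
// response answers an outstanding request, is addressed to this ACS and this SP, and is unexpired.
func acsVerify(pub *rsa.PublicKey, msg SignedMessage, outstandingID string, now time.Time) (string, error) {
	sig, err := base64.StdEncoding.DecodeString(msg.Signature)
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum(msg.Payload), sig) != nil {
		return "", errors.New("signature does not verify against the IdP public key")
	}
	var resp Response
	if err := xml.Unmarshal(msg.Payload, &resp); err != nil {
		return "", err
	}
	exp, err := time.Parse(time.RFC3339, resp.Conditions.NotOnOrAfter)
	switch {
	case err != nil:
		return "", err
	case resp.InResponseTo != outstandingID:
		return "", errors.New("InResponseTo does not match an outstanding request")
	case resp.Destination != acsURL:
		return "", errors.New("Destination is not this ACS")
	case resp.Conditions.Audience != spEntityID:
		return "", errors.New("assertion is not intended for this SP")
	case !now.Before(exp):
		return "", errors.New("assertion has expired")
	}
	return resp.NameID, nil // only now is the username trusted
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // IdP signing key; the public half is uploaded to Google
	req := buildAuthnRequest("_req-1")
	msg, _ := idpRespond(priv, req, "jdoe@example.com", time.Now())
	fmt.Printf("Response posted to ACS:\n%s\n", msg.Payload)
	fmt.Println(acsVerify(&priv.PublicKey, msg, req.ID, time.Now()))   // accepted
	fmt.Println(acsVerify(&priv.PublicKey, msg, "_req-2", time.Now())) // replayed against another request: rejected
}
```

The order of checks in acsVerify matters: the signature is verified before anything in the payload is parsed or compared, so a forged or modified Response never influences the later checks, and a Response that verifies but was captured and replayed, or was issued for a different SP, is still refused.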
Of course, you can try all of this for free: just download PingFederate, get an activation key, select an integration kit, and have at it. Future tech notes and a graphic explaining what we've done will follow.
Technorati Tags: google google apps pingfederate saml liberty id-ff openid single signon sso


