0
votes

My company is a Google Apps for Education customer and we provide our students the ability to log into their Google Apps accounts using their existing credentials. This is accomplished via SAML SSO to an endpoint which authenticates their existing application credentials. We're able to provide the users links to Gmail, Docs and Calendar using the following URL syntax, per the Google support documentation (under 'How does enabling SSO affect how users sign in?'):

https://<service>.google.com/a/<your_domain>.com

We're in the process of rolling out Google+ to our users and we haven't been able to find a way to link to Google+ that allows us to specify the domain to use for authentication. Without being able to do so, the user is prompted with the standard Google login page instead of our SAML SSO login page.

Using 'mail', 'docs' (or 'drive'), and 'calendar' as the <service> parameter in the above URL allows us to send the user to the SAML SSO login page, but when we try to put 'plus' in as the <service> parameter, we get a 404 error.

Does anyone know if this is supported functionality for Google Apps customers using Google+? If so, what's the URL format to force a domain-specific login page?

1
This is probably off topic for Stack Overflow since it doesn't relate to programming. But, when you type "[email protected]" as username and example.com is SSO'ed on Google, it will prompt the user to click a link to proceed to the single sign on system when they click login (with or without a password). – Steven V
Potentially helpful: Google+ released a new Google Apps-specific API today, which covers how to authenticate, how to make API calls, etc. This information could be generally helpful for you. googleplusplatform.blogspot.com/2013/08/connect-your-organization-to-google.html – Joanna
@StevenV yeah, unfortunately that's the only solution available at this point, but it requires the user to enter their username twice. :-( – Brian Weller
@Joanna That doesn't seem to offer any help for this particular issue, but I had not seen that release yet, so thank you for posting that. The Google+ Domains API functionality is something we've wanted for some time now. – Brian Weller

1 Answer

2
votes

It took me a long time to figure this out, but here's how I solved it:

I found that if:

  1. I constructed the OAuth call myself, and
  2. passed in a login_hint parameter where the value was an email address that would usually see my SAML screen.
  3. It would then redirect to the correct screen automatically.

I found this parameter mentioned here.


login_hint

Even though that document recommends that you use Google+ for login, I couldn't find a way to pass a login_hint to the Google+ login button.

I tried for a while to get the button to use that parameter, but then gave up and used gapi.auth.authorize. There I passed in the login_hint parameter, but only for the case where I want the SAML screen to show.

I found documentation for this here.

Unfortunately, as the documentation mentions, you won't be able to use some of the g+ features (like over-the-air installs) using this method.


In general:

I don't think it's currently supported by the Google+ login button.
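
The approach in the answer above, sketched as an added example (not code from the answer or from Google): it builds the OAuth 2.0 authorization URL by hand and sets `login_hint` only for addresses in a SAML-federated domain, so other users still get the standard Google login page. The domain list, client ID, redirect URI and scope are constructed placeholders, and the caller is assumed to generate and later verify the `state` value.

```javascript
// Added example. SSO_DOMAINS and all sample values are assumptions for illustration.
const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";
const SSO_DOMAINS = new Set(["example.edu"]); // domains that sign in through SAML SSO

// Return the lower-cased domain of a syntactically plausible address, else null.
// Rejecting anything else keeps stray characters out of the hint.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const m = /^[^\s@]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$/.exec(email.trim());
  return m ? m[1].toLowerCase() : null;
}

// Build the authorization request. `state` must be an unguessable per-session
// value that the redirect handler compares before accepting the response.
function buildAuthUrl({ clientId, redirectUri, scope, state, email }) {
  if (!state) throw new Error("state is required");
  const url = new URL(AUTH_ENDPOINT);
  const p = url.searchParams; // URLSearchParams percent-encodes every value
  p.set("response_type", "code");
  p.set("client_id", clientId);
  p.set("redirect_uri", redirectUri);
  p.set("scope", scope);
  p.set("state", state);
  // Only hint for federated domains: this is what sends the user to the
  // SAML login page instead of the standard Google prompt.
  const domain = emailDomain(email);
  if (domain && SSO_DOMAINS.has(domain)) p.set("login_hint", email.trim());
  return url.toString();
}

// Constructed sample call.
const sampleUrl = buildAuthUrl({
  clientId: "CLIENT_ID_PLACEHOLDER",
  redirectUri: "https://app.example.edu/oauth2callback",
  scope: "openid email",
  state: "constructed-nonce-123",
  email: "student@example.edu",
});
console.log(sampleUrl);
```

The same `login_hint` value is what the answer passes to `gapi.auth.authorize` when the SAML screen should appear.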