4
votes

Is it possible to use Google Apps as the identity provider in a SAML SSO setup? I was planning on using SimpleSAMLphp, and I know you can build in authentication modules, but I wondered if it was possible to build an authentication module using Google as the identity provider via the provisioning API?

We are going to be deploying Chromebooks - and they don't yet integrate with SSO, only with the main Google Apps user list. So rather than work off something like Ping Identity, it would be better just to use Google Apps as our identity provider to authenticate our other web apps.

Hope that makes sense.

3
So I realise this is three and a half years old, but Google's just [announced SAML IdP support][1] for Google Apps. – TRS-80

[1]: googleappsupdates.blogspot.com.au/2015/10/…

3 Answers

6
votes

YES, since a few months ago. It is actually pretty simple. You can follow these two links for current info:

https://support.google.com/a/answer/6087519?hl=en

https://robinpowered.com/blog/how-to-set-up-saml-with-google-apps/

3
votes

Google (Apps) accounts can be used as an OpenID identity provider. By implementing your app as a relying party, you could authenticate your users based on their Google accounts. Much like the Stack Overflow Google login: http://code.google.com/googleapps/domain/sso/openid_reference_implementation.html

With SAML SSO, Google acts as a relying party. While it's possible to use the provisioning API and clientLogin, this is not supported and is possibly against the Google Apps ToS.

2
votes

No, you cannot use Google as a SAML Identity Provider, only as the Service Provider.

(as per response from @jukka-dahlbom)