Tuesday, July 28, 2009

Google Apps + OpenID = identity hub for SaaS

We're happy to announce that the Google OpenID Federated Login API has been extended to Google Apps accounts used by businesses, schools, and other organizations. Individuals in these organizations can now sign in to third party websites using their Google Apps account, without sharing their credentials with third parties.

In addition, Google Apps can now become an identity hub for multiple SaaS providers, simplifying identity management for organizations. For example, when integrated with partner solutions such as PingConnect from Ping Identity, the Google Open ID Federated Login API enables a single Google Apps login to help provide secure access to services like Salesforce.com, SuccessFactors, and WebEX — as well as B2B partners, internal applications, and of course consumer web sites. See Ping Identity's post to learn more about their implementation and view the demo.


Another early adopter is Manymoon.com, a SaaS project management vendor that implemented the Google Open ID Federated Login API directly to make it easier for any organization using Google Apps to sign up for and deploy Manymoon to their users:

In the Manymoon Login page, the user chooses to log in using a Google Apps account

The user types in his Google Apps email address. The user never gives away his Google Apps Account password to Manymoon.

The user is redirected to the Google Apps domain to approve sharing information with Manymoon.

Once approved, the user is redirected to Manymoon and is signed in and ready to work with selected accounts.

If you prefer an out-of-the-box solution, we have been working with JanRain, a provider of OpenID solutions that already supports the new API as part of their RPX product.


Supporting the API for Google Apps accounts is exciting news for the OpenID community, as it adds numerous new Identity Provider (IDP) domains and increases the OpenID end user base by millions. In order to allow websites to easily become Relying Parties for these many new IDPs and users, we defined a new discovery protocol. The protocol is designed to allow Relying Parties to identify that a given domain is hosted on Google Apps and to help provide secure access its OpenID Provider End Point. The current proposal is an interim solution, and we are participating in several standardization organizations, such as OASIS and the OpenID Foundation, to generate a next-generation standard. Since the current protocol proposal is not supported by the standard OpenID libraries, we provided an implementation of the Relying Party pieces at the Open Source project, step2.googlecode.com. Google is also offering a set of resources addressing the issues of designing a scalable Federated Login User Interface. You are welcome to visit the User Experience summary for Federated Login Google Sites page, where you can find links to demos, mocks, and usability research data.

You can find more details in our API and Discovery documentation, or join the discussions in the Google Federated Login API Group, where you can ask any question and get answers from other Identity Providers, Relying Parties and Google engineers.

The OpenID Federated Login Service is available for all Google Apps editions. However, it is disabled by default for the Premier and Education editions, and it requires the domain administrator to manually enable it from the Control Panel. We've enabled the service for our employees here at Google, and domain administrators — you can also enable it for your domain.

24 comments:

  1. This is great news! We have support for this announced for our site also at http://ow.ly/ioK2.

    Good work guys. An important step towards establishing OpenID as the standard for shared sign in.

    Ian Hendry
    CEO, WeCanDo.BIZ
    http://www.wecando.biz

    ReplyDelete
  2. Very interesting development; good work!

    Next up, can we see Google (Apps) accounts become a relying party, i.e. accept OpenID credentials from other OpenID providers? That would obviously be opt-in also but would encourage more widespread OpenID adoption.

    ReplyDelete
  3. We have been OpenIDed! :)

    This is awesome!

    ReplyDelete
  4. @Andrew: I also hope that Google Apps Domains will accept OpenID logins (becoming a relying party). Eg for reading semi-public Google Docs or internal wikis at Google Sites.

    ReplyDelete
  5. So how do you log into an OpenID site that doesn't specifically have a Google Apps login box?

    ReplyDelete
  6. This feature is great for Google Apps. Is there a overview of all sites I granted access? In Google Accounts you have My Account > Change authorized websites.

    ReplyDelete
  7. Quote "The OpenID Federated Login Service is available for all Google Apps editions."

    Yet Blog announcement email states

    Editions included:
    Premier and Education Editions

    Which is it?

    ReplyDelete
  8. Poor! It's not available for Standard Edition.

    ReplyDelete
  9. Yup, nothing on my Standard Edition...

    ReplyDelete
  10. good idea,be know how save up time have been more better.Gøod luck

    ReplyDelete
  11. good idea,be know how save up time have been more better.Gøod luck

    ReplyDelete
  12. Here is what is missing: augment the google account login process with an (optional, if you want) required one-time password using the RFC 4223 (OATH) standard.

    Why? Because if I'm going to leverage my google account login to login to a bunch of other web sites, then it's important to me to apply an extra layer of security that you get with two-factor authentication.

    There are software versions of OATH tokens for smart phones like the iPhone, so no hardware token would be required.

    ReplyDelete
  13. Oops, I meant RFC 4226 (not RFC 4223): http://www.ietf.org/rfc/rfc4226.txt

    ReplyDelete
  14. in the standard edition it is always active... you can't disable it.

    you have to enable it in premier and education.

    ReplyDelete
  15. You can get OATH and various other types of strong authentication (via SAML IdP to Google Apps) from 3rd party service providers. The www.myonelogin.com solution offers many multi-factor authentication options. A full list of MFA solutions can be found at the Google Marketplace:

    http://www.google.com/enterprise/marketplace/search?query=strong+authentication

    ReplyDelete
  16. How to embed googlewave in blog

    http://aspnetcsharp4.blogspot.com/2009/08/how-to-embed-googlewave-on-blogblogger.html

    ReplyDelete
  17. To view and manage the list of websites you granted access, simply go to: www.google.com/a/example.com/ManageAccount (replacing "example.com" with your domain) and click on the "Change authorized websites" link

    ReplyDelete
  18. Anything announced for individual Google accounts vs. a Google App account? Would love to see this feature extended/offered to individuals, allowing them to centrally manage their SaaS application credentials.

    ReplyDelete
  19. The Google Federated Login already existed for regular GMail accounts. This post just notes they not have it for Google Apps accounts as well now.

    ReplyDelete
  20. Good post congratulations.

    ReplyDelete
  21. I have issues running Step2's example. Can you provide me with an example code please.

    ReplyDelete
  22. When will Google let me use another OpenID provider (i.e., when will Google be a relying party)?

    There are much better providers out there than Google, which is plain old usernames and passwords. Personally, I use VeriSign PIP, which has two factor authentication using a wallet sized card that PayPal sells for $5.

    ReplyDelete
  23. Hmm still need integration for 3rd party openid providers....

    ReplyDelete