About Google Apps
Google Apps is a service provided by Google. If you have a Premier Edition Google Apps account, you can enable access to Google web applications such as Gmail, Google Calendar, Google Docs, and Google Video, to name just a few, for users in your enterprise domain. Use this workflow to integrate Google Apps with OpenSSO in a single sign-on environment.
To integrate Google Apps with OpenSSO, complete the following steps. Detailed instructions are provided in the sections below.
- Create a hosted Identity Provider and Circle of Trust.
- Create an OpenSSO user.
- Configure OpenSSO to work with Google Apps.
- Configure Google Apps Single Sign-On.
Before You Begin
Before you can configure Google Apps to work with OpenSSO, the following conditions must be met:
To Create a Hosted Identity Provider and Circle of Trust
If an Identity Provider and Circle of Trust already exist, skip to the section Configure OpenSSO to Work with Google Apps. If an Identity Provider and Circle of Trust do not already exist, follow these steps.
- Log in to OpenSSO as amadmin.
- On the Common Tasks tab, click "Create Hosted Identity Provider."
- On the "Create a SAMLv2 Identity Provider on this Server" page, accept all default values provided for metadata Name and Signing Key.
- Click Configure.
- After both the Identity Provider and the Circle of Trust have been created, click the Common Tasks tab.
For more information about configuring an Identity Provider, creating a Circle of Trust, and implementing single sign-on, see the Sun OpenSSO Documentation.
To Create an OpenSSO User
In this procedure, create an OpenSSO user with the same name as the user created on Google Apps.
- Click the Access Control tab.
- Click Top Level Realm > Subjects.
- On the User page, enter the same user ID as the Google Apps user name.
- Provide the user's Last Name and Full Name.
- For User Status, select Active.
- Click Save.
To Configure OpenSSO to Work with Google Apps
- In the OpenSSO administration console, click the Common Tasks tab.
- On the Common Tasks tab, click Configure Google Apps.
- In the "Configure Google Apps for Single Sign-On" page, provide the following information:
- Realm
Choose the realm Google Apps will access for authentication.
- Circle of Trust
Choose the Circle of Trust Google Apps will access for authentication.
- Identity Provider
Choose the Identity Provider Google Apps will access for authentication.
- Domain Name
The domain name comes from your Google Apps account.
According to Google Apps, the domain name is usually the identifier associated with your organization's email address (like @example.com). The domain name you provided for your Google Apps account is used for all your Google services. For example, if you chose example.com or mail.example.com, you will be able to create user accounts for john@example.com or jane@mail.example.com.
If you do not already have a Google Apps account, you must create one now. Go to http://www.google.com/apps/intl/en/business/index.html, and follow the instructions for creating a Premier Edition Account.
- Click Create. Upon successful creation, click OK.
- The Google Apps Single Sign-On Configuration page provides information you must supply to Google Apps.
- Save the following URLs provided on this page before proceeding to Google Apps Single Sign-On setup:
- Sign-in Page URL
- Sign-out Page URL
- Change Password URL
- To download the Verification Certificate, click "Click here to download." Save the text file that is automatically created for you.
- Log out of OpenSSO Console.
To Configure Google Apps Single Sign-On
- Go to http://www.google.com/apps/intl/en/business/index.html, and click the Premier Edition link.
- Go to the Google Apps Dashboard, and log in to your control panel as a Google Apps administrator.
- Click the Advanced Tools tab, and then click the Set up Single Sign-on (SSO) link.
- Mark the Enable Single Sign-On checkbox.
- Copy the URLs from OpenSSO and paste them in the Google Apps setup screen.
- Sign-in Page URL
- Sign-out Page URL
By default, OpenSSO appends the OpenSSO login page as a redirect target. You can customize this target, or omit it, to suit your needs.
- Change Password URL
- Upload the text file you saved when you configured OpenSSO to work with Google Apps as the Google Apps Verification Certificate.
- Save the changes in the Google Apps setup screen.
- Log out of Google Apps.
For more information about Google Administrative APIs, see http://www.google.com/support/a/bin/answer.py?hl=en&answer=60757.
To Verify that Single Sign-On Between OpenSSO and Google Apps Works
- Go to Google Apps Dashboard.
- Enter the Domain name, and select "Go to Email" from the drop-down box. Click Go.
- Google Apps redirects the user to the OpenSSO login screen. Enter the user name you created on the OpenSSO side.
- After successful authentication, the Gmail inbox will be loaded.
- To log out, click the Logout link.
You are logged out of both the Google Apps and OpenSSO sessions. The OpenSSO login screen is displayed.
Troubleshooting Google Apps Integration
Verify that the URLs and Verification Certificate in OpenSSO are the same as the URLs and Verification Certificate you copied to the Google Apps Single Sign-On setup page.
Comments (1)
Sep 07
frondev says:
Great article, it worked for me although make sure you're using the latest version of OpenSSO Express (Build 8) I was using Build 6 and it didn't have the nice "Configure OpenSSO to work with Google Apps" wizard.
I'm trying to go the next step and looking to integrate Active Directory with Google Apps using OpenSSO. The use case is to login using my AD username (which is NOT the same as my Google Apps username) and automatically SSO to Google Apps. I was able to get the AD authentication module working but when I use OpenSSO to authenticate the SAML response to Google always seems to pass my AD user id (cn) and not my AD (e-)mail address to Google even though I've configured OpenSSO to pass the AD user profile "mail" attribute, i.e. under Federation -> CoT Config - Entity Providers - http://localhost:8081/opensso (my hosted IDP) -> Assertion Content - NameID Format I have "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" in my NameID Format List and "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=mail" in my NameID Value Map. From reading the docs my understanding is that this will configure the IDP to pass the user profile's mail attribute as the NameID but for some reason the Google Apps SSO ignores this setting and I don't know why? What am I doing wrong?
BTW I have followed a similar approach and successfully achieved Salesforce SSO by passing the mail attribute in NameID based on the Sun blog entry http://blogs.sun.com/rangal/entry/saml2_salesforce_com so there must be a difference between the way Google Apps and Salesforce achieve their SAML 2.0 SSO.
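Whatever value the IdP places in the assertion's NameID is the identity the service provider sees, so the quickest way to diagnose the kind of mismatch described in the comment above, or to extend the Troubleshooting check beyond URLs and certificates, is to inspect the Subject of the SAML Response the IdP actually sends. The following is an added example, not part of the original page or of OpenSSO: it parses a constructed SAML 2.0 Response with Python's standard library and reports mismatches between its Issuer, Audience and NameID and the values the service provider is configured for; the issuer URL, audience and user name are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Per SAML 2.0 core, a NameID without a Format attribute means "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: only the elements this check reads (the XML Signature
# and timestamps of a real response are omitted); URLs and names are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>http://idp.example.com:8080/opensso</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://idp.example.com:8080/opensso</saml:Issuer>
    <saml:Subject><saml:NameID Format="%s">jdoe</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>sp.example.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>""" % UNSPECIFIED


def parse_subject(response_xml):
    """Return issuer, NameID format/value and audience from the assertion."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "nameid_format": name_id.get("Format", UNSPECIFIED),
        "nameid": (name_id.text or "").strip(),
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
    }


def check_subject(info, expected_user, expected_issuer, expected_audience):
    """List mismatches against the SP's configuration. The NameID value is the
    identity the SP sees, so a mismatch here explains a 'wrong user' at the SP."""
    problems = []
    if info["issuer"] != expected_issuer:
        problems.append("issuer %r != %r" % (info["issuer"], expected_issuer))
    if info["audience"] != expected_audience:
        problems.append("audience %r != %r" % (info["audience"], expected_audience))
    if info["nameid"] != expected_user:
        problems.append("NameID %r != expected user %r" % (info["nameid"], expected_user))
    return problems
```

To run it against a real exchange, capture the SAMLResponse POST parameter in the browser, base64-decode it, and pass the resulting XML to parse_subject.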