Reputation: 119
Google Apps SSO with SAML 2.0 into Google+
My company is a Google Apps for Education customer and we provide our students the ability to log into their Google Apps accounts using their existing credentials. This is accomplished via SAML SSO to an endpoint which authenticates their existing application credentials. We're able to provide the users links to GMail, Docs and Calendar using the following URL syntax, per the google support documentation (under 'How does enabling SSO affect how users sign in?'):
https://<service>.google.com/a/<your_domain>.com
We're in the process of rolling out Google+ to our users and we haven't been able to find a way to link to Google+ that allows us to specify the domain to use for authentication. Without being able to do so, the user is prompted with the standard Google login page instead of our SAML SSO login page.
Using 'mail', 'docs' (or 'drive'), and 'calendar' as the <service> parameter in the above URL allows us to send to the user to the SAML SSO login page, but when we try to put 'plus' in as the <service> parameter, we get a 404 error.
Does anyone know if this is supported functionality for Google Apps customers using Google+? If so, what's the URL format to force a domain-specific login page?
Upvotes: 0
Views: 2465
Answers (1)
Reputation: 31
It took me a long time to figure this out, but here's how I solved it:
I found that if :
- I constructed the
oauthcall myself, and - passed in a
login_hintparameter where the value was an email address that would usually see my SAML screen. - It would then redirect to the correct screen automatically.
I found this parameter mentioned here.
login_hint
Even though that document recommends that you use google+ for login, I couldn't find a way to pass a login_hint to the google+ login button.
I tried for awhile to get the button to use that parameter, but then gave up and used gapi.auth.authorize. There I passed in the login_hint parameter, but only for the case where I want the SAML screen to show.
I found documentation for this here.
Unfortunately, as the documentation mentions, you won't be able to use some of the g+ features (like over-the-air installs) using this method.
In general:
I don't think it's currently supported by the google+ login button.
Upvotes: 2
Related Questions
- Implement SSO with Google SAML
- How to configure Single Logout when using Google Apps as the Identity Provider?
- SAML SSO to Google suite: "G Suite - This account cannot be accessed because we could not parse the login request."
- SSO implementation using Shibboleth with Google App Engine java
- How to use SSO with SAML2.0
- Google Apps SAML SSO with deflated response from IDP
- Write a SSO application on GAE
- Google Apps SAML SSO enabled but normal users still can login using google.com/a/domainame.com
- SSO, using Google Apps user database
- How do I use SAML for SSO with AD for Google-Hosted Services?