Referencing Google Classroom SAML Identity Provider - saml

We're interested in integrating our application with Google Authentication via SAML for online education applications. In this application, we're interested in the following:
having Google provide authentication/identification of users against a customer's directory (only their directory, not all of google).
receiving role information that describes the user's role (Teacher, Student, etc.)
eventually retrieving roster information that describes the relationship of users in the system and their classes.
Our intent is to support Google Classroom customers. I'm looking for a good reference & have open questions after perusing Google's G Suite info. Can you point me to good resources or provide some insight?

Related

API Authentication - Clients (consumers) vs. local users

I work for an ecommerce site and we are looking to expose much of our core functionality via a set of APIs. We plan on re-writing some of our own public facing applications (e.g. the main shop website and our mobile app) to call these new APIs also. We also want to offer some of these APIs out to third-parties who want to integrate with us.
My first question is - what is a suitable authentication method for these APIs? Everything I read is about OAuth, but am I right in saying that this doesn't fit in this case as we're not looking to use another log in system (e.g. Facebook, Google) but rather restrict access to our own API (so maybe an API key or JWT solution would be better?)
Secondly, our current website has it's own user accounts system. How do you offer /user endpoints (like GET user/1235/paymentmethods) in an API like this? Surely the actual user (website customer) needs to authenticate somehow in order for the given API consumer to access their data.
I've spent the last 2 days reading about this but I'm at a loss as to how to go about this! Any help much appreciated.

Is it possible to use youtube analytics Api in that way?

Hi i create application that is common to youtube and i`ve got some questions. I use google login(oAuth), so i keep in my database all things required to use google APIs for every user that wants to log in. The question is if i can use(is it possible and legal) google analytics to get info(like gender of people which shows his/her video or age or region) about every user that is loged in to my application and show it to another users which using my application ?
edit:
I do not know if you understood me well, user log in to my app with his google account, i have in my database his google token, etc. In my application all users have got youtube account and now what i want to do is that if you are log in, you can see user`s statistics from youtube(like the gender of people who watch his/her video and what is thier age) for any user registered in my app. There is a youtube analyse api, which alow you to get your account stats, and if i have access to someone`s google account(i keep toke in my datbase), i couldnt just use it to request that analyse api for every user and in that way get access to their stats. And another question is if i get data in the way that i described(of course if it is possibe), is it legall, if i can display such an info to other users not only to the owner of the account?
Thanks for help
Is it legall, if i can display such an info to other users not only to the owner of the account? Thanks for help
If you are authenticating a user to get access to their Private data. It is your responsibility as a developer to ensure that their data remains private. You should not be sharing data between your users without there express permission.
If the data you are accessing is public then you are allowed to display that data with anyone.
Remember when you created your google developer console account you agreed to this Google APIs Terms of Service
b. Compliance with Law, Third Party Rights, and Other Google Terms of Service
You will comply with all applicable law, regulation, and third party rights (including without limitation laws regarding the import or export of data or software, privacy, and local laws). You will not use the APIs to encourage or promote illegal activity or violation of third party rights. You will not violate any other terms of service with Google (or its affiliates).
d. User Privacy and API Clients
You will comply with all applicable privacy laws and regulations including those applying to PII. You will provide and adhere to a privacy policy for your API Client that clearly and accurately describes to users of your API Client what user information you collect and how you use and share such information (including for advertising) with Google and third parties.
You may also want to read Privacy policy

Google Classroom APIS: Read Announcements, Questions and Assignments within courses

I am reading Google Classroom Rest APIs and not getting clear answers as to how can I get full access to specific course including Announcements, Questions and Assignments.
Use Case:
Lets say we get all the courses using: List
and Students List
Now, How can I get all the Students Announcements, Questions and Assignments posted in specific course.
Is there a Google+ apis that we can use injunction with Classroom or just Classroom apis that we can use to access this critical information?
I am trying to merge existing platform with google classroom and its very critical to have access to this information so that all student submissions are in sync.
Thanks.
The Classroom API does not have the functionality you are referring to. From the documentation:
The Classroom API provides a RESTful interface for you to manage
courses and rosters in Google Classroom.
All it currently does is allow you to manage a list of courses, their teachers, and their students.
If you want manage additional data such as Assignments, you'll need to build that functionality yourself. The Drive API and Google Apps Script may be of assistance in storing and sharing files and documents.
probably you have found by now else FYI.. Google has released a new set of APIs to manage assignments under ManageCourse-work
https://developers.google.com/classroom/

Does Salesforce's REST API have a service accounts

I'm trying to interact with the Salesforce REST API for an organisation, and was wondering if it had any notion of Service Accounts or Application Owned Accounts. I can't find any mention of it in the documentation, but maybe they use different nomenclature.
I'd like to enable some form of domainwide delegation of authority, so users aren't faced with the pop up requesting access to their data. This is an internal app, only for this particular organisation.
No, there are not service accounts. There are 'Chatter' user licenses that are free but have reduced functionality: http://www.salesforce.com/chatter/getstarted/?d=70130000000tRG7&internal=true#admin
FAQ: http://www.salesforce.com/chatter/faq/

An IdP/STS for SaaS providers, where the SaaS customer does his own user management?

(This question is not about programming, but about how to avoid doing any programming. Also, lots of terminology in here-- I'm assuming someone with an answer will already know what they mean.)
Background: I'm working on single sign-on in an environment with 'federated identity'. We have several products that are federation-aware (using, e.g., WS-Federation or SAML protocol, implemented with, e.g., WIF on .NET and Fedlet on Java), and they are offered to customers using a SaaS model. Many of those customers don't have their own store of usernames/passwords, so they will not run an "identity provider" themselves.
Question: Is there a product out there that
can be installed at the SaaS provider;
plays the role of an IdP/STS (i.e., identity provider in a federated enviroment) to the SaaS-provided applications;
has its own username/password store, separately for each SaaS customer ("tenant");
allows the SaaS customer to do his own user management, without requiring assistance from the SaaS provider.
(We could build this ourselves, e.g., as a custom STS on top of WIF with user admin screens, but we're trying to avoid that. It's not really our core business.)
Have you had a look at Google app engine ?
They support SAML, so you can use them as your Idp.
So we did not find a product that fulfills all these requirements.
What we decided on was to use AD FS 2.0 as the SaaS IdP/STS, store usernames/passwords in AD (making the SaaS customer name part of the username), and customize the AD FS sign-in page linked to a custom web application for user management and user self-service.