Can I from my website, once a user is authenticated, let him login into GMail, Google+, Youtube or other Google service skipping the login screen? Does Google's SSO work this way?
If this is possible, can this be done with my login and do the SSO on behalf of their account? Maybe through some authorization token they give me, instead of their passwords. I read about this about using the Google MCC for that.
Is all this possible?
IF
the user is a Google Apps user
AND
you provide a SAML IDP
AND
the Google Apps domain is configured to use you IDP
https://developers.google.com/google-apps/sso/saml_reference_implementation
Related
We are facing an web application integration challenge that I could describe in great detail but an example is easier. We would like to link accounts of 2 very separate applications exactly how spotify accounts can be linked to facebook accounts. I'm not referring to how you can create a spotify account with a facebook login but linking your spotify account with a facebook account when separate accounts exist.
My understanding of OAuth is that the authorisation / authentication tokens are stored on the end user device (browser / cookies, app storage on mobile etc.) and that it is secure. It seems to me that spotify seems to be storing facebook authorisation tokens on their servers which seems to me to be a large security risk. The reason why I think this is that after I link my spotify account to my facebook account it is linked regardless of which client / device is used.
I have tried to find out in the internet how this works and have also inspect the browser application storage but cannot find out much information this way.
I have a REST service that my mobile app uses to authenticate when the users click on the Facebook or Google icons.
The service accepts the user's id from the provider and checks if it exists on the database and then issues the access_token to be used for the other methods.
The problem is that I just thought that it could be pretty easy for someone to intercept the calls and discover which service authenticates and what the user id is and then call it with to get a token.
How can I avoid this?
I think you just need to separate the authentication and authorization functions. You can let Google (Google Sign-In) handle authentication. If you follow the API they will securely authenticate the user and send you the token which you can validate.
Once you know who they are for sure, your site can safely authorize that user approriately. For example, they might be an existing user, need to make an account, be an administrator. You can make those authorizations on your site based on the user authenticated by Google (in my example).
Twitter, Facebook and others do the same. Also see OpenID Connect.
Is there a way of passing username/ password to Google Apps IDP and get a response as to whether a username/ password pair is correct?
I know I can use OAuth for authorization and access user data but note that I want to check if his credentials itself are valid. OAuth for sure will not work for me. I need a way to directly query Google Apps' IDP particularly not to use it and access something else.
I wish to use this to customize the Google's standard login page itself. OAuth doesn't allow me to do that.
Short answer: no.
Google actively tries to prevent the scenario that you describe because it would mean that Google users hand over their Google credentials to your application, aka. phishing.
That precludes branding of the Google login pages as well since it would make it harder for users to verify that they actually type in their credentials on a login page provided by Google.
As said in the other answer, Google Signin with OpenID Connect (built on top of OAuth 2.0) is the standardized way to offer users login to your application with their Google account.
Google (Apps) accounts can be used as an OpenID identity provider. By implementing your app as as a relying party, you could authenticate your users based on their Google accounts. Much like stackoverlow Google login: http://code.google.com/googleapps/domain/sso/openid_reference_implementation.html
With SAML SSO, Google acts as a relying party. While its possible to use provisioning API and clientLogin, this is not supported and is possibly against Google Apps ToS.
I created an account in Google App. My normal (not admin) mail id is test#example.com. If I try to log-in to gmail.com with my test#exampl.com credential, I am getting error as given below.
It provides the link to my website to do SSO.
But if I am using google.com/a/example.com instead of gmail.com, I can log-in.
Then why Google says "It doesn't know your password".
This is the expected behavior for an SSO enabled domain. The user needs to authenticate via SSO.
Jay
We have enabled SSO for our Google Apps Domain. When users try to access "http://mail.google.com/a/domainname.com" they get redirected to the custom SSO Sign in page url. But when url http://google.com/a/domainame.com is accessed users are able to login to google apps users hub without being redirected to SSO sign in page url. As per my understanding, this kind of login should be only enabled for administrator of domain. Why is it happening for normal users of our domain.
How can we redirect http://google.com/a/domainname.com" url to custom sso sign in page. Please help. Thanks in advance.
You can't block people from logging into Google through 'local' credentials, if they know them: they need this for access via mobile devices, where you can't be redirected to a web page for SAML SSO, for example.
The normal solution is to change the password to something the user doesn't know.
Further, if you force 2-factor authentication for your users, this means a user can have one-time passwords for their mobile devices and still have an account password they don't know.
The www.google.com/a/yourdomain.com url points to google cpanel, which can never, ever be restricted through custom SSO, as this is your only recourse to disable SSO. If anything goes wrong, you need to hit that url to turn off SSO or change SSO settings.
If you wish to restrict access to cpanel, please look into organizations restrictions / superuser privileges; you can restrict cpanel superadmins to only one or two trusted admins.
If you wish to have only a single admin account with access to cpanel, but want to give some cpanel features to regular users, check out some third party apps in the google marketplace; gPanel is especially good as it gives you fine grained control over who can access what. Couple that with SSO, and you get a complete logging / monitoring / access control solution.