We're happy to announce that the Google OpenID Federated Login API has been extended to Google Apps accounts used by businesses, schools, and other organizations. Individuals in these organizations can now sign in to third party websites using their Google Apps account, without sharing their credentials with third parties.
In addition, Google Apps can now become an identity hub for multiple SaaS providers, simplifying identity management for organizations. For example, when integrated with partner solutions such as PingConnect from Ping Identity, the Google OpenID Federated Login API enables a single Google Apps login to help provide secure access to services like Salesforce.com, SuccessFactors, and WebEx — as well as B2B partners, internal applications, and of course consumer web sites. See Ping Identity's post to learn more about their implementation and view the demo.
Another early adopter is Manymoon.com, a SaaS project management vendor that implemented the Google OpenID Federated Login API directly to make it easier for any organization using Google Apps to sign up for and deploy Manymoon to their users:
1. In the Manymoon Login page, the user chooses to log in using a Google Apps account.
2. The user types in his Google Apps email address. The user never gives away his Google Apps account password to Manymoon.
3. The user is redirected to the Google Apps domain to approve sharing information with Manymoon.
4. Once approved, the user is redirected to Manymoon and is signed in and ready to work with selected accounts.
If you prefer an out-of-the-box solution, we have been working with JanRain, a provider of OpenID solutions that already supports the new API as part of their RPX product.
Supporting the API for Google Apps accounts is exciting news for the OpenID community, as it adds numerous new Identity Provider (IDP) domains and increases the OpenID end user base by millions. In order to allow websites to easily become Relying Parties for these many new IDPs and users, we defined a new discovery protocol. The protocol is designed to allow Relying Parties to identify that a given domain is hosted on Google Apps and to help provide secure access to its OpenID Provider End Point. The current proposal is an interim solution, and we are participating in several standardization organizations, such as OASIS and the OpenID Foundation, to generate a next-generation standard. Since the current protocol proposal is not supported by the standard OpenID libraries, we provided an implementation of the Relying Party pieces in the open source project step2.googlecode.com. Google is also offering a set of resources addressing the issues of designing a scalable Federated Login User Interface. You are welcome to visit the User Experience summary for Federated Login Google Sites page, where you can find links to demos, mocks, and usability research data.
You can find more details in our API and Discovery documentation, or join the discussions in the Google Federated Login API Group, where you can ask any question and get answers from other Identity Providers, Relying Parties and Google engineers.
The OpenID Federated Login Service is available for all Google Apps editions. However, it is disabled by default for the Premier and Education editions, and it requires the domain administrator to manually enable it from the Control Panel. We've enabled the service for our employees here at Google, and domain administrators — you can also enable it for your domain.