Versions Compared

Old Version 42

changes.mady.by.user Bruce Hoff

Saved on

compared with

New Version 43

changes.mady.by.user Bruce Hoff

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

- What other SAML or OpenID identity provider (ip) tools (provding UIs and/or aggregating other ip's) are there?

- If we delegate user authentication on our domain using SAML (e.g., as described here http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html), then if we also have a Google App  Engine (GAE) application configured to authenticate via "Google Apps for your domain", will the authentication of the GAE app also be delegated via SAML?

- When Goole Apps authentication is so delegated, will authentication for Google Groups on our domain also be so delegated?  (Can delegated users be added to a Google Apps group?)

- When using SAML-based authentication, are new users only to be created in the 3rd party Identity Provider, or do they somehow have to be created in our Google Apps domainas well?

- Can Google Apps and Google Groups use OpenID (instead of SAML) for authentication?

- When using SAML-based authentication, are new users only created in the 3rd party Identity Provider, or do they somehow have to be created in Google Apps as well?

The answer should be "the former" but check out
http://confluence.atlassian.com/display/CROWD/Configuring+the+Google+Apps+Connector
If a user exists  in Crowd but not in Google Apps, then the user will not be able to log in to Google Apps. Can Google Apps and Google Groups use OpenID (instead of SAML) for authentication?

-Do we want to use google app's to see content we host elsewhere, or will google app's be the only place that doc's are stored in this 'sprint'?
 - Can "Google Group" membership be managed by an external authentication mechanism? (If not, then the google Provisioning API can create accounts for them in our domain.  Back-up alternative might be to use GMail + group alias rather than Google Groups for threaded discussions.)

...

- Set-up Crowd trial edition (where would it run?on local box or AWS)
- Change Google Apps demo domain to authenticate against Crowd
- Change/deploy GAE app, authenticating via Google Apps
- Add user to Crowd
-Try to access Google Apps via this user (e.g. make a document)

- Change/deploy GAE app, authenticating via Google Apps

- Try to log into to GAE app via this user
 (If not, can GAE OpenID option work with Crowd or can bypass UserService to use some sort of OpenID connector to reach Crowd?)
- Try to add user to a group in Google Apps
 (If not, then can use gmail OR can use Provisioning API to create account?)

...

It works! I.e. google groups delegates authentication too.

Tried running Nicole's demo.  Result:  Was prompted for regular (non-Crowd) credentials.  So this demo doesn't automatically delegate when google apps does.

Big open question:  If Crowd aggregates two directories, both having a user called john_smith, then whose credentials are used to log in to Google Apps?

...