...
I logged in using my sagebionetworks.com credentials, but got the same error again.
The problem is that I have not told GAE to delegate to Google Apps.
Went to appengine.google.com under the sandbox-sagebionetworks app
clicked 'Application Settings' then went to 'Add Domain'
entered 'sagebionetworks.com'
got the message:
Your users can access sandbox-sagebionetworks at:
https://sandbox-sagebionetworks.appspot.com
Now it works! I can go to
https://sandbox-sagebionetworks.appspot.com/, click on the link, and get "Hello, world"
I am signed in as bruce.hoff@sagebionetworks.com.
I click 'Sign Out' from Google Apps and try the app url again.
Unexpectedly I CAN get to 'hello, world' (no authentication)
I close all windows
I try to go to google.com/a/sagebionetworks.com and am prompted for a log-in.
Now I go to the app, click on the "Sandbox" link and am prompted for a log-in. (Yea!)
Logged out of Google Apps
https://www.google.com/a/sagebionetworks.com/
then returned to the app and was prompted for a log-in,
so authentication seems to be working.
Now to delegate authentication to Crowd:
Logged in to the control panel for the sagebionetworks.com domain and went to 'advanced tools'
https://www.google.com/a/cpanel/sagebionetworks.com/Advanced#Advanced/subtab=0
Went to 'set up single sign-on (SSO)'
https://www.google.com/a/cpanel/sagebionetworks.com/SetupSSO
and clicked "Enable Single Sign-on" then "Save changes"
Logged out.
Went to
sites.google.com/a/sagebionetworks.com
and got the modified Google log-in reflecting that SSO is activated.
Clicked "Sign in to Sage Bionetworks"
and got the Crowd log-in screen.
Did NOT log in but rather went to
https://sandbox-sagebionetworks.appspot.com
Clicked on 'Sandbox'
and went to the Crowd log-in screen!! (Success!!)
Entered user: nicole.deflaux, p/w: [password redacted] (avoiding my own, administrative credentials)
Successfully ran the "Hello world" servlet.
Summary:
Google App Engine (GAE) can be configured to delegate authentication to Google Apps (on our domain),
which can in turn delegate authentication to an external SAML-based Identity
Provider. Moreover, the authentication requirement for the GAE services can be managed
entirely in the web.xml file using <security-constraint> tags.
In principle we can create a collaborative platform including Google Apps, Google Groups,
and Google App Engine authenticating web services (e.g. Addama) in which users experience
single sign-on using their native credentials and externally managed passwords.
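As an added illustration of the web.xml approach described in the summary (not the sandbox app's own deployment descriptor), the fragment below gates a servlet behind the Google Apps sign-in and forces HTTPS. The servlet class and the /sandbox/* and /admin/* paths are assumptions; the page does not give the real ones.

```xml
<?xml version="1.0" encoding="utf-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Hypothetical servlet mapping; the page's "Hello world" servlet path is not given. -->
  <servlet>
    <servlet-name>sandbox</servlet-name>
    <servlet-class>org.example.SandboxServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>sandbox</servlet-name>
    <url-pattern>/sandbox/*</url-pattern>
  </servlet-mapping>

  <!-- Any signed-in user of the configured Google Apps domain may reach /sandbox/*.
       With the setup described above, an unauthenticated request is redirected to the
       Google Apps sign-in (and from there to Crowd) before the servlet ever runs. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>sandbox</web-resource-name>
      <url-pattern>/sandbox/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
    <!-- Force HTTPS so the session cookie is never sent in clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Administrative area: "admin" (app administrators) is the only other role GAE recognises. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
```

Any URL not matched by a url-pattern inside a security-constraint stays anonymous, so check every servlet mapping against the constraints when verifying that the log-in prompt appears.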
Notes
Q: What's the cumulative file size on the Sage SSH server?
...