...
Google Apps provides two APIs to help with authentication:
1. SAML Single Sign-On (SSO) Service: would allow *us* to create and maintain users and groups outside of Google.
http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html
2. Google Apps Provisioning API: would allow us to programmatically create Google users and groups in our private domain. This would streamline adding users to Google Apps. If we used it as a total solution, then the non-Google apps (e.g. Addama) would have to go to Google for authentication, which violates the "arm's length" integration requirement.
3. OpenID sounds like an alternative to SAML:
...
http://code.google.com/appengine/docs/java/users/overview.html
4. At times like this, faced with a moral dilemma, I ask myself,
"What would Atlassian Do" (WWAD)?
4.1 Seraph is a very simple, pluggable J2EE web application security framework developed by Atlassian and used in our products.
...
http://code.google.com/googleapps/domain/open_source_projects.html#sso
Other Single Sign-On software:
Another alternative is "SSO Easy".
Enterprise Sign-on Engine:
http://esoeproject.org/
Other notes
- Sage SSH/SCP server authenticates using standard Unix login.
Addama Authentication/Authorization
Some info here
http://code.google.com/p/addama/w/list
- Addama authentication is via Servlet filters using GAE User Service OR a Google API-key.
...