...

- We want to have full control over the UI (hence a custom approach using GWT instead of GoogleSites) but link to the relevant GoogleDocs and GoogleGroups and use the GoogleDocs UI and GoogleGroups UI when folks are interacting with those resources.

...

Use Cases

- create a google doc, share with the group.
- send a message to the group
- create an analysis, share with the group
- add a user to the platform
- add all users from a collaborating lab to the platform
- create user credentials for a new user, providing access to the platform
- give a user or a group of users access to an addama service

Analysis

There are just four components that need to perform authentication. (The others delegate authentication to the registry.) They are listed here, along with their authentication options:

- Addama registry GAE application (Google account, Google Apps account, OpenID federated authentication)
- Google Apps (Google Apps account, SAML delegated authentication)
- Google Group (Google account, Google Apps account)
- Sage SSH server (standard unix login)

If the SSH server were eliminated (by migrating the hosted files to an Addama repository service) then a common denominator *might* be Google App account authentication, which in turn might be delegated to an external identity provider.

...

- http://deflaux:8095/crowd/console/plugin/secure/saml/samlauth.action
- Sign-out Page URL: http://deflaux:8095/crowd/console/logoff.action
- Change Password URL: http://deflaux:8095/crowd/console/user/viewchangepassword.action
- DSA Key-pair Location: /var/crowd-home/plugin-data/crowd-saml-plugin

- Step 3. Configuring Google Apps to Recognise Crowd
Went to the 42stories Google Apps console: https://www.google.com/a/cpanel/42stories.com/Dashboard
There is no 'single sign-on (SSO)' link.

Switched to sagebionetworks.com, which DOES have a premier version of Google Apps. Followed Atlassian instructions to set up SSO.

Note: To Disable: Go to https://www.google.com/a/cpanel/sagebionetworks.com/SetupSSO, unclick "Enable Single Sign-on", then Save Changes.

Step 4, trying it out:

I created a user called 'ssotest' having the same password.  Performed the 'Authentication Test' which was successful.

Now for a true test, connecting to Google Apps on bionetworks.com using 'ssotest':

Went to http://sites.google.com/a/sagebionetworks.com
Click on 'sign in to Sage Bionetworks'
Entered ssotest / ssotest
got "Google Apps - Invalid Email" error

I *can* log in to bruce.hoff. This is because sagebionetworks already has a bruce.hoff.

Added a 'mike.kellen' pw: ssotest to Crowd

It works!

Added 'nicole.deflaux', pw: drizzle to Crowd

It works!

Conclusion:  GoogleApps delegates password management, but not user management!!

Went to groups.google.com/a/sagebionetworks.com

It works! I.e. google groups delegates authentication too.

Big open question:  If Crowd aggregates two directories, both having a user called john_smith, then whose credentials are used to log in to Google Apps?

Tried running Nicole's demo.  Result:  Was prompted for regular (non-Crowd) credentials.  So this demo doesn't automatically delegate when google apps does.

This might be due to how the application was deployed.   The application is associated with the sagebase.org domain, i.e. it is visible at:

https://appengine.google.com/a/sagebase.org

and the authentication choice is "Google Accounts API: The Google Accounts API includes all Gmail Accounts, but does not include accounts on Google Apps domains."

Info on how to deploy to a domain is here:

http://code.google.com/appengine/articles/auth.html

Create a Google App Engine application using Google Apps accounts to log-in

Installed GAE plug-in for Eclipse.  It includes SDK v. 1.3.8.

Created an app 'sandbox-sagebionetworks.appspot.com' set to authenticate against users in the sagebionetworks.com domain.  Verified that the default app runs on the web.

Added a <security-constraint> to the web.xml and redeployed.  Result:  I get a "500 Internal Server Error" error when I click on the servlet link.  In the appengine control panel error log I see the message:

"Authentication for the Google Apps domain sagebionetworks.com can only be performed when requests are served from a subdomain of that domain or it has been approved through the Google Apps Control Panel."

I logged in using my sagebionetworks.com credentials, but got the same error again.

The problem is that I have not told GAE to delegate to Google Apps.

Went to appengine.google.com under the sandbox-sagebionetworks app,
clicked 'Application Settings', then went to 'Add Domain'
and entered 'sagebionetworks.com'

got the message:
Your users can access sandbox-sagebionetworks at:
https://sandbox-sagebionetworks.appspot.com

Now it works!  I can go to
https://sandbox-sagebionetworks.appspot.com/, click on the link, and get "Hello, world"

I am signed in as bruce.hoff@sagebionetworks.com.

I click 'Sign Out' from Google Apps and try the app url again.
Unexpectedly I CAN get to 'hello, world' (no authentication)
I close all windows

I try to go to google.com/a/sagebionetworks.com and am prompted for a log-in.

Now I go to the app, click on the "Sandbox" link and am prompted for a log-in. (Yea!)

Logged out of Google Apps,
then returned to the app and was prompted for a log-in,
so authentication seems to be working.

Now to delegate authentication to Crowd:

Logged in to the control panel for the sagebionetworks.com domain and went to 'advanced tools'
https://www.google.com/a/cpanel/sagebionetworks.com/Advanced#Advanced/subtab=0
Went to 'set up single sign-on (SSO)'
https://www.google.com/a/cpanel/sagebionetworks.com/SetupSSO
and clicked "Enable Single Sign-on" then "Save changes"
Logged out.

Went to
sites.google.com/a/sagebionetworks.com
and got the modified Google log in reflecting that SSO is activated.
Clicked "Sign in to Sage Bionetworks"
and got the Crowd log in screen.
Did NOT log in but rather went to
https://sandbox-sagebionetworks.appspot.com
Clicked on 'Sandbox'
and went to the Crowd log-in screen!! (Success!!)
Entered user: nicole.deflaux, p/w: drizzle (avoiding my own, administrative credentials)
Successfully ran the "Hello world" servlet.

Summary:
Google App Engine (GAE) can be configured to delegate authentication to Google Apps (on our domain),
which can in turn delegate authentication to an external SAML-based Identity
Provider.  Moreover, the authentication requirement for the GAE services can be completely
managed in the web.xml file using <security-constraint> tags.

In principle we can create a collaborative platform including Google Apps, Google Groups,
and Google App Engine authenticating web services (e.g. Addama) in which users experience
single-sign on using their native credentials and externally managed passwords.

Authorize using SAML, Crowd

- Define a group in Crowd: Crowd defines the 'crowd-administrators' group.

- Add a user to a group in Crowd: the user 'bruce.hoff' is in the 'crowd-administrators' group.

- Add a user to a group in Google Apps:  there is a group 'demo' having several members.

- See if access to services can be selected based on such group membership.

Note:  Crowd does not see the google group 'demo'; Google Apps does not see the Crowd group 'crowd-administrators'.

This suggests that the group definition component of authorization is not delegated by Google Apps.

The continuation of this experiment is to experiment with control of access via the Google Apps group.

Assuming that Google Apps groups 'authorize' access to Google Apps (docs, sites, group threads, etc.), then the two open questions are:

1) Can a web app (e.g. the Addama registry) perform authorization against the Google Apps groups?

2) Can group membership be controlled programmatically? (This is a minor need, since the Google Apps control panel allows administration of group membership.)

Connect GAE to Google Apps for group-based authorization, using 2-legged OAuth

To give the GAE app access to users and groups on the sagebionetworks.com domain, I went to
https://www.google.com/a/cpanel/sagebionetworks.com/ManageOauthClients
and entered
Client Name: sandbox-sagebionetworks.appspot.com
One or more API Scopes: https://apps-apis.google.com/a/feeds/group/#readonly, https://apps-apis.google.com/a/feeds/user/#readonly
The scopes came from:
http://www.google.com/support/a/bin/answer.py?answer=162106

Result:   Got the error:
This client name has not been registered with Google yet.

Followed the instructions here:
http://code.google.com/apis/accounts/docs/RegistrationForWebAppsAuto.html

1. Went to here to register the app:
https://www.google.com/accounts/ManageDomains

1.1 Entered https://sandbox-sagebionetworks.appspot.com
1.2 Went to the "verify ownership" page and chose the "Upload an HTML file to your server" option,
 downloaded the generated html file into the 'war' folder of my GAE app,
 completed the 'verify ownership' step
1.3 Target URL path prefix: https://sandbox-sagebionetworks.appspot.com/authsub
I did not complete the section 'upload new X.509 cert' (more at http://code.google.com/apis/gdata/docs/auth/authsub.html)
but clicked 'save'.  Result:
OAuth Consumer Key:  sandbox-sagebionetworks.appspot.com 
OAuth Consumer Secret:  OrB7tgg7BJtAkn9uvbo14uC9 

To continue the process I need to return here: https://www.google.com/accounts/UpdateDomain
 following these instructions: http://code.google.com/apis/accounts/docs/RegistrationForWebAppsAuto.html

Next:
Need to figure out what to put at the 'authsub' URL

Went back to https://www.google.com/a/cpanel/sagebionetworks.com/ManageOauthClients
and clicked 'authorize' again.

This time it worked!!

Notes

Q: What's the cumulative file size on the Sage SSH server?

...

- Pricing:  This is a little confusing but it seems to say that it's $10 for up to 10 users then $600/$1200 for up to 100 users (academic/commercial)

http://www.atlassian.com/software/crowd/pricing.jsp

To integrate other applications with Crowd:

Writing a Crowd custom application connector:
http://confluence.atlassian.com/display/CROWDDEV/Creating+a+Crowd+Client+for+your+Custom+Application
To integrate with Apache's authentication:
http://confluence.atlassian.com/display/CROWD/Integrating+Crowd+with+Apache

Open source alternative:

http://code.google.com/googleapps/domain/open_source_projects.html#sso

Other Single Sign-On software:

Another alternative is "SSO Easy".

Enterprise Sign-on Engine:
http://esoeproject.org/

...