The Web Forms and MVC example identity providers demonstrate SP initiated single sign-on with Google Apps.
The following sections describe the configuration for the Web Forms identity service provider but, with the appropriate changes, apply equally to the MVC example identity provider.
Configuring the Identity Provider
The saml.config file includes the following entry for the Google Apps partner service provider.
<PartnerServiceProvider Name="google.com"
WantAuthnRequestSigned="false"
SignResponse="true"
SignAssertion="false"
EncryptAssertion="false"/>
The name matches with the issuer name Google Apps uses in the authn request.
The assertion consumer service URL specified in the authn request is used rather than configuring this URL. Alternatively, the assertion consumer service URL may be configured (e.g. https://www.google.com/a//acs">https://www.google.com/a/<domain-name>/acs).
Configuring Google Apps
Login as an administrator to the Google Admin Control Panel at:
https://www.google.com/a/https://www.google.com/a/<domain-name>
For example:
https://www.google.com/a/componentspace.com
Select the Advanced tools tab and under the Authentication section, click the Set up single sign-on (SSO) link.
Specify the sign-in page URL. This is the identity provider’s single sign-on service where the authn request is sent.
For example:
https://test.componentspace.com/ExampleIdentityProvider/SAML/SSOService.aspx
Specify the sign-out page URL. When the user signs out of Google Apps they are redirected to the sign-out page. Google Apps does not send a SAML logout request.
Specify the change password URL. The user is redirected to this page when they wish to change their password. This does not involve SAML.
Upload the identity provider's certificate.
For example: idp.cer.
Running Google Apps with SSO
In this example, the user is attempting to access a protected resource on the service provider and, rather than performing a local login at the service provider, SSO is initiated with a local login occurring at the identity provider and the asserted identity, passed to the service provider in a SAML assertion, is used to perform an automatic login at the service provider.
Browse to:
https://mail.google.com/a/https://mail.google.com/a/<domain-name>
For example:
https://mail.google.com/a/componentspace
You should then be presented with the identity provider login prompt.
Login using the user name and password of a user known to the identity provider. The user account should also exist in Google Apps.
You should then be presented with the Google Mail default page.
This means you’ve successfully completed a SAML v2.0 SSO and are logged in at Google Apps with your identity provider user name.
Troubleshooting Google Apps SSO
Refer to the Troubleshooting Single Sign-On (SSO) article in the Google Apps documentation.
Regards
ComponentSpace Development