Enabling Google Apps for SSO (single sign-on) via SAML (Security Assertion Markup Language) definitely ups the ante in terms of IT resources that must be available to an organization. However, in exchange for the additional IT investment, extending Google Apps in this way saves users time logging in to the system and gives administrators one fewer user list to track.
SAML is an XML security standard for exchanging authentication and authorization data between security domains. Google Apps offers optional SAML-based authentication and authorization add-ons through partnerships with several vendors, including Sxip Identity and SSOCircle.
eWEEK Labs used Sxip Identity software to integrate access to our Google Apps on-demand collaboration suite with our Microsoft Active Directory infrastructure, controlling access to the service without having to maintain a separate authentication store.
From the administrative console in Google Apps, we enabled SSO by providing a sign-in URL and a sign-out URL for signing into and out of our systems and Google Apps. We also provided a change-password URL to let users change their passwords, and a verification certificate containing the public key that Google uses to verify signed sign-in responses.
For our tests, we used VMware's VMware Player to run a virtual machine provided by Sxip Identity. When a user started to log in to the hosted Google Apps, Google generated a SAML request and redirected the browser to the SSO sign-in URL we had configured as our identity provider: in this case, our Sxip Identity VM, which we'd integrated through LDAP with an Active Directory instance.
The Sxip Identity VM processed the SAML request and, when appropriate, authenticated the user and generated a SAML response. The response was verified by Google's Assertion Consumer Service, and the user was then logged in to the Google App.
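The round trip just described, as an added illustration rather than code from eWEEK, Google or Sxip Identity: one class stands in for Google (issuing the SAML request and checking the response at the Assertion Consumer Service), the other for the Sxip VM (checking the user against a directory that stands in for the Active Directory lookup and issuing a signed response). The entity IDs, URLs and directory entries are constructed for the example, the DEFLATE step of the redirect binding is omitted, and a toy textbook RSA key pair with fixed small primes stands in for XML-DSig and the uploaded certificate, since the standard library has no RSA; what it shows faithfully is the set of checks the service provider must make before trusting an assertion: signature, issuer, destination, status, a live InResponseTo, validity window and audience.

```python
import base64
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed configuration; the real values are entered in the Google Apps admin console.
SP_ENTITY_ID = "google.com/a/eweekdemo.com"            # hypothetical service-provider entity ID
ACS_URL = "https://www.google.com/a/eweekdemo.com/acs"  # hypothetical Assertion Consumer Service URL
IDP_ENTITY_ID = "https://idp.example.test"              # placeholder for the Sxip VM's entity ID
IDP_SSO_URL = "https://idp.example.test/sso"            # placeholder for the configured sign-in URL

# Toy textbook RSA with fixed small primes, standing in for XML-DSig. The public half plays the
# role of the verification certificate uploaded to Google. Not usable as a real key.
_P, _Q, _E = 1000000007, 998244353, 65537
_N = _P * _Q
IDP_PRIVATE_KEY = (_N, pow(_E, -1, (_P - 1) * (_Q - 1)))
IDP_PUBLIC_KEY = (_N, _E)


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % _N


def sign(data: bytes) -> int:           # done by the IdP with its private key
    return pow(_digest(data), IDP_PRIVATE_KEY[1], IDP_PRIVATE_KEY[0])


def verify(data: bytes, sig: int) -> bool:   # done by the SP with the certificate's public key
    return pow(sig, IDP_PUBLIC_KEY[1], IDP_PUBLIC_KEY[0]) == _digest(data)


def _ts(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ServiceProvider:
    """Models Google's side: issues the AuthnRequest and checks the Response at the ACS."""

    def __init__(self):
        self.outstanding = {}  # request ID -> issue time; a Response must answer a live request

    def build_authn_request(self):
        req_id = "_" + uuid.uuid4().hex
        self.outstanding[req_id] = datetime.now(timezone.utc)
        xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
               f'ID="{req_id}" Version="2.0" IssueInstant="{_ts(self.outstanding[req_id])}" '
               f'AssertionConsumerServiceURL="{ACS_URL}">'
               f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
        # HTTP-Redirect binding: the browser is sent to the configured sign-in URL carrying the request.
        qs = urlencode({"SAMLRequest": base64.b64encode(xml.encode()).decode()})
        return req_id, f"{IDP_SSO_URL}?{qs}"

    def assertion_consumer_service(self, form, now=None):
        now = now or datetime.now(timezone.utc)
        raw = form["SAMLResponse"].encode()
        # Verify the signature with the IdP's public key before trusting anything inside the document.
        if not verify(raw, int(form["Signature"])):
            raise ValueError("signature check failed")
        root = ET.fromstring(base64.b64decode(raw))
        if root.find("saml:Issuer", NS).text != IDP_ENTITY_ID:
            raise ValueError("response not from the configured identity provider")
        if root.get("Destination") != ACS_URL:
            raise ValueError("response addressed to a different ACS")
        if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
            raise ValueError("identity provider reported failure")
        # InResponseTo must name a request we issued; popping it makes every response single-use.
        if self.outstanding.pop(root.get("InResponseTo"), None) is None:
            raise ValueError("unsolicited or replayed response")
        assertion = root.find("saml:Assertion", NS)
        cond = assertion.find("saml:Conditions", NS)
        if not _parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        if cond.find("saml:AudienceRestriction/saml:Audience", NS).text != SP_ENTITY_ID:
            raise ValueError("assertion issued for a different audience")
        return assertion.find("saml:Subject/saml:NameID", NS).text


class IdentityProvider:
    """Models the Sxip VM: checks credentials against the directory and issues a signed Response."""

    def __init__(self, directory):
        self.directory = directory  # constructed stand-in for the LDAP lookup into Active Directory

    def handle_sso(self, redirect_url, username, password, now=None):
        now = now or datetime.now(timezone.utc)
        encoded_req = parse_qs(urlparse(redirect_url).query)["SAMLRequest"][0]
        request = ET.fromstring(base64.b64decode(encoded_req))
        if (request.find("saml:Issuer", NS).text != SP_ENTITY_ID
                or request.get("AssertionConsumerServiceURL") != ACS_URL):
            raise ValueError("request from an unknown service provider")  # only post to known ACS URLs
        entry = self.directory.get(username)
        # A disabled directory account is refused here, so revoking it in AD also revokes Google Apps.
        if entry is None or not entry["enabled"] or not hmac.compare_digest(entry["password"], password):
            raise PermissionError("authentication failed")
        response = (
            f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_ts(now)}" '
            f'Destination="{ACS_URL}" InResponseTo="{request.get("ID")}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_ts(now)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{escape(username)}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{_ts(now - timedelta(minutes=1))}" '
            f'NotOnOrAfter="{_ts(now + timedelta(minutes=5))}">'
            f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
        encoded = base64.b64encode(response.encode())
        # HTTP-POST binding, with the signature carried as a detached form field (simplification).
        return {"SAMLResponse": encoded.decode(), "Signature": str(sign(encoded))}
```

Running `ServiceProvider().build_authn_request()`, passing the resulting URL to `IdentityProvider.handle_sso()` with a valid directory user, and feeding the returned form to `assertion_consumer_service()` yields the NameID; replaying the same form, altering the response bytes, or signing in as a disabled account is refused. The ordering matters for a defender: the signature is checked on the exact bytes received before the XML is parsed, the InResponseTo lookup is destructive so a captured response cannot be reused, and the audience and destination checks stop an assertion minted for one service from being accepted by another.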
There are a number of advantages to using an identity management system such as Sxip Identity with an on-demand service such as Google Apps. For one, with user authorizations piped through our in-house directory, we felt more certain about who was and wasn't using Google Apps than we did when we used the Google Apps administrative console as our sole authentication gatekeeper. This is primarily because we didn't have to remember to also check Google Apps when extending and retracting user authorizations.
Because Google is using the SAML standard to assist with user management, IT managers have choices in the vendors they may seek for these services. There are several open-source SAML identity providers, including the Central Authentication Service that was developed at Yale University (www.ja-sig.org/products/cas). There are several other university-originated projects, many of which have active user communities around them.
When using any of these identity providers, Google acts as the service provider offering services, including the eweekdemo.com start page that was the basis for our testing. Using SAML, Google Apps administrators can also turn to hosted or home-built identity providers to authenticate users who are trying to access secured content.