Wednesday, September 17, 2008

lessons from setting up Google Apps with Single Sign-On

Here are my lessons learned from setting up Google Apps with Single Sign-On (SSO), where I can manage email and contact settings via an API.

search for "google apps"; be sure to "compare editions", since the features below depend on the edition:
  • - provisioning via API
  • - email migration API
  • - contact/doc sharing

Purchase & Configure
  • - free for a month (temporarily?)
  • - they verify you own the domain (by uploading an HTML file or adding a CNAME record)
  • - for mail, you point the domain's MX records at Google's mail servers
  • - setup steps complete asynchronously (DNS changes take time to propagate, and verification lags behind them)

Provision New Accounts
search for "google apps apis"; look around for "client libraries" and "sample code"
  • - you really only need the "samples" codebase, which shows how to use their client libraries
  • - peruse the INSTALL and README files
  • - after editing some properties (your domain and admin credentials), you can create/delete users; this target runs a large end-to-end test:
  • - ant -f appsforyourdomain.xml
  • - I commented out the call to 'deleteUser' so I could see the effect in the UI

Enable SSO (Single-SignOn)
  • - look at how to enable it in the admin control panel (the SSO setup page asks for your sign-in, sign-out and change-password URLs, plus a verification certificate)
  • - read the links to the SSO docs as you go; I had to read a ton of things in their proper contexts before it started making sense

SSO Attempts
  • - open source projects:
  • - Shibboleth: error in IdP, but it worked after tweaking build.xml; unable to install SP, so I stopped
  • - JOSSO: easy to get sample up and running; unclear how to wire to Google, so I stopped
  • - ESOE: didn't even try it
  • - Google has the best basic example, a Java JSP project, under "client libraries" and "sample code":
  • - Google's instructions, which are awesome (from the README in the download):

Lessons Learned during SSO Attempts
  • - use this reference for key generation:
  • - many lessons about keys and certificates: the private key stays on the IdP and signs the SAML responses; the certificate (which wraps the public key) is what you upload to Google so it can verify those signatures
  • - keytool stores keys in a keystore file (by default ~/.keystore in your home directory), protected by a password
  • - openssl writes its artifacts to stdout unless you give it an output file with -out
  • - The Google tutorial doesn't explain how to change the SP URL (to your Google Apps domain). I've modified their v1.0.1 JSP code, so in my version you only need to change the domain name in the "saml_demo.jsp" file.
  • - Furthermore, I was able to create a one-step, single link that logs you in automatically. You'll have to contact me directly if you want this.
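The private key / public key / certificate distinction from the lessons above is easiest to see by doing it. The script below is an added example, not code from this post or from Google's sample: it uses openssl to generate an IdP signing key and a self-signed certificate, extracts the public key from the certificate, signs a constructed stand-in for a SAML response with the private key, and verifies it (and a tampered copy) using the public key alone. The host name sso.example.com, the file names and the WORK directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or Google's sample code).
# Walks through private key vs. public key vs. certificate with openssl,
# the way a SAML IdP for Google Apps SSO needs them: Google receives the
# certificate (which carries the public key); the IdP keeps the private
# key and uses it to sign SAML responses.
set -eu

# Scratch directory; placeholder, override with WORK=/some/dir.
WORK="${WORK:-$(mktemp -d)}"

# Generate an RSA private key and a self-signed X.509 certificate in one
# step. The subject (sso.example.com) is a placeholder for your IdP.
make_keypair() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=sso.example.com" \
    -keyout "$WORK/idp-private.pem" -out "$WORK/idp-cert.pem" 2>/dev/null
  # Pull the public key out of the certificate. This is all a verifier
  # (Google) needs; the private key never leaves the IdP.
  openssl x509 -in "$WORK/idp-cert.pem" -pubkey -noout > "$WORK/idp-public.pem"
}

# Sign a file with the private key (what the IdP does to a SAML response).
# $1 = input file, $2 = signature file to write.
sign_file() {
  openssl dgst -sha256 -sign "$WORK/idp-private.pem" -out "$2" "$1"
}

# Verify a signature with the public key only (what Google does).
# $1 = input file, $2 = signature file. Returns 0 on success, 1 on failure.
verify_file() {
  openssl dgst -sha256 -verify "$WORK/idp-public.pem" -signature "$2" "$1" >/dev/null 2>&1
}

# Demonstration on a constructed stand-in for a SAML response body.
demo() {
  make_keypair
  printf 'constructed SAML response body for user@example.com\n' > "$WORK/resp.txt"
  sign_file "$WORK/resp.txt" "$WORK/resp.sig"
  verify_file "$WORK/resp.txt" "$WORK/resp.sig" && echo "original: Verified OK"

  # Change one field; the old signature must no longer verify.
  sed 's/user@/evil@/' "$WORK/resp.txt" > "$WORK/tampered.txt"
  if verify_file "$WORK/tampered.txt" "$WORK/resp.sig"; then
    echo "tampered: verified (BUG)"
    return 1
  fi
  echo "tampered: verification failed as expected"
}

demo
```

Only idp-cert.pem goes to Google; idp-private.pem stays on the IdP. To get the same pair into a JKS keystore for the Java sample, the usual route is openssl pkcs12 -export (key plus certificate into a .p12) followed by keytool -importkeystore with -srcstoretype PKCS12, which is where keytool's password prompt and its ~/.keystore default come in.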