Hello,

I succeeded in making it work. I didn't ask for "login:required" because
I just need one webpage to be secured (one handler for this page which
asks for OpenID authentication before showing content).

But now, I have a problem with the authentication and redirection.

Use case:
- the user goes to the Google App Engine application homepage
(http://example.appspot.com) and clicks to go to the second webpage
(the secured one)
- he is asked to choose his Google Apps domain (his provider) by
clicking on a link
- then he is redirected to the login URL formatted according to the
provider chosen (i.e. www.google.com/accounts/o8/site-xrds?hd=example.com)
- he is redirected to Google, which will redirect him to the company
SSO page (because the Google Apps domains use SSO for all company
users, and for all domains)
- he authenticates himself on the company SSO page
- he should be redirected to the Google App Engine secured page after
success

However, he gets a Google webpage with "The page you requested is
invalid".

Two things to know also:
- if, after that, he redoes everything (goes to the homepage, clicks on
the secured page link, then clicks on the provider), he will access the
secured page automatically (authentication was successful before,
even if the redirection shows a Google page with "The page you
requested is invalid")
- if he opens another tab with Gmail, there is no need to authenticate;
Gmail shows the email inbox (authentication was successful
before...)


So I looked at this problem and I've found this:
http://www.google.com/support/forum/p/apps-apis/thread?tid=39a0dedd82b472ec&hl=en

I tried the website: http://www.puffypoodles.com/lso2

I get the same error at first, with the Google page "The page you
requested is invalid" after authentication on the company SSO webpage.

So, as the Google employee says, it should be a Google
endpoint issue:
"To verify that there isn't an issue with OpenID on your test domain,
can you try logging in via OpenID using the test site
(puffypoodles.com)?[1] If login on this site works, there must be a
problem with the code. If it does not work, there is probably an issue
with the Google OpenID endpoints."

Where is my mistake here?
I don't really get the Google OpenID endpoints issue.

Thanks in advance,
Antoine

On 2 Feb, 00:11, Robert Kluin <[email protected]> wrote:
> Hi Antoine,
>   Glad you got that figured out.
>
>   You should be able to have login required on your apps, just as
> before. You'll just need to be sure to define a handler for
> login_required (as is explained in the article).  Note that you won't
> get redirected to it on the dev server, so you'll need to directly go
> to the url to test it out.
>
> Robert
>
> On Wed, Feb 1, 2012 at 04:42, Antoine <[email protected]> wrote:
> > OK, I've found out.
>
> > This should be the URL for Google Apps domains:
>
> > www.google.com/accounts/o8/site-xrds?hd=example.com
>
> > On Feb 1, 4:59 pm, Antoine <[email protected]> wrote:
> >> Thank you for your answer.
>
> >> I tried to follow this tutorial (I don't know why I didn't find it
> >> before... :s ).
>
> >> However, I have a question left.
>
> >> I decided to let the user choose his domain by clicking on his domain
> >> link.
>
> >> I deleted the "login required" in app.yaml and modified my main.py
> >> such as...
>
> >> My Python looks like:
>
> >> -------------------------------------------
> >> #
> >> #code
> >> #
>
> >> providers = {
> >>     'prov 1'   : 'google.com/a/domain.com',
> >>     'prov 2'    : 'google.com/a/subdomain1.com',
> >>     'prov 3'    : 'google.com/a/subdomain2.com'
> >>     # add more here
>
> >> }
>
> >> #
> >> #code
> >> #
>
> >> else:
> >>       self.response.out.write('Hello world! Sign in at: ')
> >>       for name, uri in providers.items():
> >>         self.response.out.write('[<a href="%s">%s</a>]' %
> >> (users.create_login_url(federated_identity=uri), name))
>
> >> #
> >> #code
> >> #
>
> >> -------------------------------------------
>
> >> However, links are not redirecting the user...
> >> I guess it should work, if you do this yourself, that each Google Apps
> >> domain should be used as a direct provider federated entities?
>
> >> What should I do to have the Google Apps domains login page after clicking
> >> on a link (and get redirection to my app after authentication against
> >> Google, of course)?
> >> I guess I don't have the right link/approach because, with myopenid.com,
> >> it's working (redirecting).
>
> >> Thanks in advance
> >> Antoine
>
> >> On Jan 31, 1:34 pm, Robert Kluin <[email protected]> wrote:
>
> >> > Hey Antoine,
> >> >   Use OpenID / Federated login.  You can provide users with a list of
> >> > subdomains, or check them against that.  I usually either give users
> >> > the option to enter their domain or email address (from which I can
> >> > deduce the domain), then redirect them to the proper page.  It is
> >> > pretty straight forward to do.
>
> >> >   I think Wesley's article on federated login provides all the basics.
> >> >    http://code.google.com/appengine/articles/openid.html
>
> >> > Robert
>
> >> > On Sun, Jan 29, 2012 at 22:57, Antoine <[email protected]> wrote:
> >> > > Hi everyone,
>
> >> > > I am working on a simple application (actually a website) on Google
> >> > > App Engine.
> >> > > This application should be accessible only for a selected Google Apps
> >> > > domains list.
>
> >> > > These domains are corporate Google Apps subdomains. One Google Apps
> >> > > account domain handles several subdomains, one for each business unit.
>
> >> > > I would like to restrict my app to those domains.
>
> >> > > However, there are only 3 ways to secure my app (Application Settings /
> >> > > Authentication Options in Google App Engine Console):
> >> > > - Google Accounts API
> >> > > - Google App Domain
> >> > > - Open ID (Federated Login)
>
> >> > > The first one can work; however, as we are using Federation
> >> > > Login for all Google Apps domains, we don't want the user to log in
> >> > > twice: once on the Google Account Sign-in webpage, which is displayed
> >> > > automatically when we choose Google Accounts, and then on the
> >> > > federation page.
> >> > > Because with this Google App Engine authentication, the user is first
> >> > > redirected to: http://accounts.google.com
> >> > > then enters his Google Apps credentials, then Google tells him that
> >> > > federation is working for this domain so he just needs to click to be
> >> > > redirected.
> >> > > This is not user friendly.
>
> >> > > The second one works only with one Google App primary domain. Subdomains
> >> > > don't work with this feature...
>
> >> > > Maybe the third one, Open ID / Federated Login, can work, but how?
>
> >> > > Thanks
> >> > > Antoine
>

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/google-appengine?hl=en.
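
Added example, not part of the original thread and not App Engine code: the allow-list approach Robert describes, written as stand-alone Python 3. It deduces the domain from user input to build the federated-identity URL, then gates the secured handler after sign-in, since a list of provider links does not itself restrict who can log in. The domain names, `TRUSTED_PROVIDER_HOSTS`, the `https` scheme and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholders; substitute the real business-unit domains.
ALLOWED_DOMAINS = frozenset({"example.com", "unit1.example.com"})
# Assumption: only identities issued by this provider host are trusted.
TRUSTED_PROVIDER_HOSTS = frozenset({"www.google.com"})
# Discovery URL form quoted in the thread; the https scheme is an assumption.
DISCOVERY_URL = "https://www.google.com/accounts/o8/site-xrds?hd=%s"
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(r"(?:%s\.)+[a-z]{2,63}" % _LABEL)


def domain_of(user_input):
    """Deduce the domain from 'user@domain' or a bare domain; None if malformed."""
    value = user_input.strip().lower()
    if value.count("@") > 1:
        return None
    domain = value.rpartition("@")[2]
    return domain if _DOMAIN_RE.fullmatch(domain) else None


def federated_identity_for(user_input):
    """Value for create_login_url(federated_identity=...), or None if not allowed."""
    domain = domain_of(user_input)
    if domain not in ALLOWED_DOMAINS:
        return None
    return DISCOVERY_URL % domain


def is_authorized(email, provider_url):
    """Server-side gate for the secured handler, run after sign-in.

    email and provider_url are the values reported for the signed-in user
    (assumed to come from the platform's user object, not from the request).
    """
    if not email or not provider_url:
        return False
    if urlsplit(provider_url).hostname not in TRUSTED_PROVIDER_HOSTS:
        return False  # any OpenID provider can assert any email address
    return domain_of(email) in ALLOWED_DOMAINS
```

The provider check matters because, as the thread notes, sign-in through another OpenID provider such as myopenid.com also succeeds, so the email domain alone is not evidence of membership in an allowed domain.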
