Yes, that's the possibility - and actually, that's usually how most test implementations work. The idea is that Google will delegate authentication to you, so it's your responsibility to ensure that the user is properly authenticated to your network. If there's a flaw in your application that allows a user to authenticate as someone else, then there's the potential that an individual could access another user's mailbox. However, this "flaw" exists in most (if not all) SSO implementations. In any SSO infrastructure, not just SAML, you should never capture the password from the user, store it, and pass it on to other resources. Instead, you authenticate the user and generate a token that validates the user, then pass the token around to resources that trust that token, such as Google.
If you don't want to create your own SSO infrastructure, you can use an existing SSO implementation such as CAS (http://www.ja-sig.org/products/cas/) that is known to integrate with Google (and dozens of other applications), is stable, secure, free (open-source), and very customizable. Oh, and if it doesn't integrate with your application, and you can modify its login process, you can integrate it with CAS yourself.

-Ryan

On Dec 23, 2007 11:55 AM, ByteCode <[EMAIL PROTECTED]> wrote:
>
> Hi,
> I have a question regarding SSO: how does Google know that the user
> has a valid password? Because I don't see any password submitted back to
> Google in the SAML response. In other words, I may create a Login method
> which always returns the username, which means the user is successfully
> authenticated, and anyone can log in by just typing their username on my
> SSO page?
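To make the point of the exchange above concrete, here is an added illustration (not code from Ryan, ByteCode, Google, or CAS) of the two halves of an SSO flow: the identity provider authenticates the user locally and then issues a signed assertion that carries the username but never the password, and the service provider accepts any assertion whose signature checks out. The "broken" login function is the flaw the question describes. Real SAML uses an XML assertion signed with the IdP's X.509 key; this toy uses a JSON body and an HMAC shared secret (an assumption made purely to stay within the Python standard library), and the user store, salt, secret and issuer name are all constructed sample values.

```python
"""Toy SSO identity provider (IdP) and service provider (SP).

Added illustration, not any project's real implementation. The assertion
format (base64url JSON + HMAC-SHA256 tag) stands in for a signed SAML
response; the key, salt, users and issuer name are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "idp.example.com"                    # assumed IdP entity id
SIGNING_KEY = b"constructed-shared-secret"    # assumed IdP<->SP shared key
_SALT = b"constructed-salt"


def _hash_pw(password):
    """Slow salted hash so the IdP never stores a cleartext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed sample user store: username -> password hash.
USERS = {"alice": _hash_pw("correct horse battery staple")}


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def issue_assertion(username, ttl=300, now=None):
    """IdP side: mint a signed assertion naming the user. No password inside."""
    now = int(time.time() if now is None else now)
    body = {"iss": ISSUER, "sub": username, "iat": now, "exp": now + ttl}
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    tag = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(tag)


def idp_login(username, password):
    """Correct IdP login: check the password, then issue the assertion."""
    stored = USERS.get(username, b"")
    candidate = _hash_pw(password)          # always hash, to keep timing even
    if not stored or not hmac.compare_digest(stored, candidate):
        return None
    return issue_assertion(username)


def broken_idp_login(username, password):
    """The flaw from the question: anyone who types a name is 'authenticated'."""
    return issue_assertion(username)


def forge_assertion(username):
    """What an attacker without SIGNING_KEY can produce: a body with a bogus tag."""
    payload = _b64(json.dumps({"iss": ISSUER, "sub": username,
                               "iat": 0, "exp": 2**40}).encode())
    return payload + "." + _b64(b"\x00" * 32)


def sp_verify(assertion, now=None):
    """SP side: trust the IdP's signature and expiry only; return the subject."""
    try:
        payload, tag_b64 = assertion.split(".")
        tag = base64.urlsafe_b64decode(tag_b64)
        expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        body = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, KeyError):
        return None
    now = time.time() if now is None else now
    if body.get("iss") != ISSUER or now >= body.get("exp", 0):
        return None
    return body.get("sub")


if __name__ == "__main__":
    print("good login :", sp_verify(idp_login("alice", "correct horse battery staple")))
    print("bad password:", sp_verify(idp_login("alice", "wrong") or ""))
    print("broken IdP  :", sp_verify(broken_idp_login("bob", "anything")))
    print("forged      :", sp_verify(forge_assertion("admin")))
```

Note what the SP can and cannot tell apart: the assertion from `broken_idp_login` verifies exactly like the one from `idp_login`, because both were signed with the IdP's key, while the forged one is rejected. That is why the password check belongs on the IdP side and why the SP (Google, in the thread) only ever sees a signed statement about who the user is.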
