On Thu, Mar 27, 2008 at 8:19 AM, Alex (Google) <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> The Google Apps implementation of SAML doesn't allow for direct
> communication between SP and IdP. It uses HTTP bindings, i.e. it
> relies on the browser to be the conduit of messages between SP and
> IdP. SAML is used very limitedly, only for sign in. There isn't even
> a sign out service.
>

A 'Signout URL' for redirects would go a long way towards addressing this limitation, at least for explicit signouts rather than timeouts.

>
> One workaround is to launch Google Apps in a new window or tab, and
> have a keep-alive web application which signs the user out (e.g.
> forwards to a Google Apps sign out URL) if the IdP invalidates the
> user. It's not foolproof since the user could simply close the
> keep-alive page.

Don't be tempted to frame the pages though - there have been technical problems with this and it's against the rules as well apparently.

Sam

>
> On Mar 25, 7:35 am, swtet <[EMAIL PROTECTED]> wrote:
> > When using SAML SSO, is there something that I can put in the response
> > that will cause Google to validate the user's identity again at a
> > certain time? As the identity provider, I keep track of inactivity so
> > I would like the Google apps to check back on occasion to make sure
> > the user is still valid. Since I am fairly new to SAML, does this
> > type of thing make sense to do or is there another way to accomplish
> > this? If this is not the SAML way, any explanation about that would
> > be helpful as well.

--
You received this message because you are subscribed to the Google Groups "Google Apps APIs" group.
For more options, visit this group at http://groups.google.com/group/google-apps-apis?hl=en
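
The keep-alive workaround quoted above, sketched as an added example that is not part of the original thread or Google's code. It assumes the keep-alive page is served from the IdP's own origin; the status endpoint, its `{ "active": true }` reply shape and the sign out URL are hypothetical placeholders, since the thread gives none of them.

```javascript
// Added example, not from the thread. Both URLs are placeholders: the thread
// names neither an IdP status endpoint nor the Google Apps sign out URL.
const IDP_STATUS_URL = "/session/status";               // hypothetical, same origin as the IdP
const SIGNOUT_URL = "https://signout.example.invalid/"; // placeholder for the sign out URL

// Pure state transition, so the sign-out policy can be checked without a browser.
// outcome: "valid" | "invalid" | "error" (IdP unreachable or unusable reply).
function step(state, outcome, maxErrors = 3) {
  if (state.signedOut) return state; // terminal: never un-sign-out
  if (outcome === "valid") return { errors: 0, signedOut: false };
  const errors = outcome === "error" ? state.errors + 1 : state.errors;
  // Fail closed: repeated errors are treated like an invalidated session.
  return { errors, signedOut: outcome === "invalid" || errors >= maxErrors };
}

// Ask the IdP whether the user's session is still live.
// Assumed reply: HTTP 200 with JSON {"active": true|false}, or 401/403.
async function probe(fetchFn) {
  try {
    const res = await fetchFn(IDP_STATUS_URL, { credentials: "include", cache: "no-store" });
    if (res.status === 401 || res.status === 403) return "invalid";
    if (!res.ok) return "error";
    const body = await res.json();
    return body.active === true ? "valid" : "invalid";
  } catch (e) {
    return "error"; // network failure or non-JSON body
  }
}

// Browser wiring: poll once a minute and forward to the sign out URL
// as soon as the IdP no longer vouches for the user.
if (typeof window !== "undefined") {
  let state = { errors: 0, signedOut: false };
  const timer = setInterval(async () => {
    state = step(state, await probe(window.fetch.bind(window)));
    if (state.signedOut) {
      clearInterval(timer);
      window.location.assign(SIGNOUT_URL);
    }
  }, 60 * 1000);
}
```

As the quoted message notes, this only works while the keep-alive page stays open, so it shortens exposure after the IdP invalidates a user rather than guaranteeing sign-out.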
