Hi Arkesh,
The "series of steps" shown in the sample code is for your
understanding of how Google SSO works only. In production, when the
users click on a link (e.g. mail.mydomain.com) to Google mail on your
page (e.g. www.mydomain.com and I assume they are already
authenticated), they will get redirected to the login page you
specified in the Single Sign-on setting. It is your responsibility to
update the sample code to do the following:
* Check whether a user is already authenticated
  o If no, display the login page and authenticate the user
  o If yes, continue to the next bullet
* Retrieve the corresponding Google Apps username that maps to the
  user's username used in your system
* Send the proper SAML response with the correct Google Apps
  username
In a nutshell, your system needs to keep track of which internal user
account maps to which Google Apps user account. Also, it's your
responsibility to synchronize your internal user account list and
the Google Apps user account list. One way to synchronize the two
lists is to use our "User accounts bulk update" feature. Please check
out the following article for more info:
http://www.google.com/support/a/bin/answer.py?answer=40057
Below is a sample login flow if you have a user with username "arkesh"
in your system and he is set up with a Google Apps account with
username "app.user1".
1. User goes to www.mydomain.com
2. User hasn't logged in yet and is redirected to the login page
prompting for username and password
3. User enters the correct username (i.e. arkesh) and password (the
one stored in your system, not Google Apps) and logs in to www.mydomain.com
4. User clicks on the custom mail link mail.mydomain.com
(http://www.google.com/support/a/bin/answer.py?answer=53340)
5. User is then redirected to the PHP login URL again (SAML request
is passed this time as the request is coming from Google Apps)
6. Your login logic should detect that the user has already logged
in (so no login prompt again), retrieve the right Google Apps username
"app.user1" for the username "arkesh" and generate the proper SAML
response.
7. User is redirected to mail.mydomain.com and since the user has
already logged in, he will get redirected straight to the mail inbox.
Please note that the login logic described in step 2 and in steps 5-6
serves different purposes. The login logic in step 2 is for authentication
to your website while the login logic in steps 5-6 is for generating
the proper SAML response to Google if authentication done in step 2 is
successful. It is your design decision on how to package the logic
(some may add the SAML response logic to their existing authentication
code and some may keep them separate).
I hope this answers your questions.
Sincerely,
--Tony
On Sep 2, 8:16 am, Arkesh <[EMAIL PROTECTED]> wrote:
> Hi Friends,
> Thanks for your reply. As I find your project by intensive
> search on internet for Google apps SSO.
> At last I succeed by using PHP/Apache sample project which is
> uploaded at Google’s site. Now issue is I have www.mydomain.com, which
> is consumed by many users. They are entering in the website using
> given username / password each separately. These people also given
> separately email address, which are built and administered by Google
> apps. As you know both application are separate. Even username/password
> of both application also different.
> We want to create such a system where people have only one
> username and password using that they can access their www.mydomain.com
> as well as their Google apps email.
> Now as per our sample project we can connect to Google apps
> email by series of steps of generating SAML requests. As you can see
> in above image, I succeed up to last step. After that I can enter in
> particular account. But as you know if want to redirect normal user
> (who don’t know anything about these steps). How can we put link/icon
> like www.inbox.mydomain.com or www.mail.mydomain.com, in www.mydomain.com
> website page??? So that upon pressing these links user can directly
> redirects to their email inbox. The important issue is that user should
> go directly to their inbox in single step, not series of steps.
> Any way you are master of technology. Can you guide me ???
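
The routing that steps 2 and 5-6 of the reply above describe for the single login URL, as an added example that is not part of the original thread or of Google's sample code. The function name, the action labels and the account map are hypothetical; the sample data is constructed from the usernames in the reply.

```php
<?php
// Internal username => Google Apps username. Constructed sample data; in
// practice a table kept in sync with the Google Apps account list.
const ACCOUNT_MAP = ['arkesh' => 'app.user1'];

/**
 * Decide what the login URL should do for one request (hypothetical helper).
 * $session is server-side session data, $params the request parameters.
 */
function route_login(array $session, array $params, array $map = ACCOUNT_MAP): array
{
    $samlRequest = $params['SAMLRequest'] ?? null;
    $relayState  = $params['RelayState'] ?? null;
    $user        = $session['username'] ?? null;

    if ($user === null) {
        // Steps 2-3: not logged in yet. Keep the SAML parameters so the
        // flow can resume once the user has authenticated.
        return ['action' => 'show_login',
                'SAMLRequest' => $samlRequest, 'RelayState' => $relayState];
    }
    if ($samlRequest === null) {
        // Logged in, and the request did not come from Google Apps.
        return ['action' => 'site_home'];
    }
    // Step 6: the Google Apps username is taken only from the server-side
    // mapping of the authenticated user, never from a request parameter.
    if (!isset($map[$user])) {
        // Fail closed: no mapped account means no SAML response is issued.
        return ['action' => 'deny', 'reason' => 'no Google Apps account mapped'];
    }
    // The caller builds and signs the SAML response for this user here.
    return ['action' => 'send_saml_response', 'google_user' => $map[$user],
            'SAMLRequest' => $samlRequest, 'RelayState' => $relayState];
}

// Constructed requests following the flow in the reply above.
$saml = ['SAMLRequest' => 'constructed-request', 'RelayState' => 'constructed-state'];
foreach ([
    'step 2, anonymous visit'         => [[], []],
    'steps 5-6, logged in as arkesh'  => [['username' => 'arkesh'], $saml],
    'logged in, no mapped account'    => [['username' => 'guest'], $saml],
] as $label => [$session, $params]) {
    echo $label, ': ', json_encode(route_login($session, $params)), PHP_EOL;
}
```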