Hi Ambarish,

The Identity Provider (IdP), i.e. your web application, takes the responsibility of identifying the users and authenticating them. This is done in the sample IdP implementation by presenting a form to the user asking for credentials. On receiving a SAMLRequest, your application should do the same. On successful authentication, the username is included in the signed response sent by the IdP and Google creates a session for that user. It is not required by Google to identify the user beforehand. Google relies on your IdP's response for the same as per the SAML spec.

The public key is not used to sign but to validate the signed response. This was in fact the intended meaning of the statement in the SSO documentation. I agree it can be stated more clearly. To put it simply, the entire authentication process is delegated to your application while Google verifies the validity of your assertion using the public key. The RelayState parameter is used for redirection after the SSO is complete. And yes, the Sign-in page URL is the address of your IdP where Google redirects with the SAMLRequest.

-Anirudh

On Nov 27, 4:32 pm, ambarish <[EMAIL PROTECTED]> wrote:
> Dear Tony,
>
> First, thanks for your responses. It clarified a lot. My responses and
> further questions are inlined....
>
> On Nov 26, 11:00 pm, "Tony (Google)" <[EMAIL PROTECTED]> wrote:
>
> > Hi Ambarish,
>
> > Please see the comments below for your questions.
>
> > 1) I don't believe you can specify arbitrary fields but you can make a
> > request and examine the SAMLRequest parameters and cookies that are
> > returned to see what attributes are included.
>
> AM: I tried out the sample client given in the SSO page. I could see
> the SAML sample request. What I do not understand is: if the request
> does not contain the user information, how can the request be
> authenticated by the partner application where the request arrives.
>
> > 2) The public key of the partner should be uploaded by you to the
> > Google Apps Admin Panel and will be used by us to verify your
> > SAMLResponse.
>
> AM: I understand this. What I asked was: why do we need the public key to
> sign? As far as I think, the private key of the partner will be
> required to sign.
>
> Question: In the Google Apps SSO page, should the "Sign-in page URL"
> be present in the partner's domain? Is this the page where the SAML
> request from Google will be posted?
>
> Regards,
> Ambarish.
You received this message because you are subscribed to the Google Groups "Google Apps APIs" group. For more options, visit this group at http://groups.google.com/group/google-apps-apis?hl=en
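The round trip Anirudh describes, written out as an added Python example (this is neither Google's code nor the sample IdP from the SSO documentation): Google mints an AuthnRequest that carries no user identity, the IdP authenticates the user itself, signs an assertion naming that user with its private key, and Google verifies the assertion with the uploaded public key, correlates it with a request it actually sent, and finally honours RelayState. The entity names, URLs and user table are assumptions; textbook RSA over the plain assertion bytes stands in for XML-DSig so that the whole thing runs with the standard library alone.

```python
import base64
import hashlib
import secrets
import zlib
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

# Toy RSA key pair built from two known Mersenne primes (constructed; not for production).
# Real SAML signs a canonicalised assertion with XML-DSig; the key roles are identical.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))
PUBLIC_KEY = (N, E)      # what the admin uploads in the Google Apps control panel
_PRIVATE_KEY = (N, _D)   # stays on the IdP and is the only thing that can sign

# Assumed names for the example deployment.
SP_ENTITY = "google.com"
IDP_ENTITY = "https://idp.example.com"
SIGN_IN_URL = "https://idp.example.com/sso"            # the "Sign-in page URL" setting
ACS_URL = "https://www.google.com/a/example.com/acs"   # where the IdP posts its response
DEFAULT_LANDING = "https://mail.google.com/a/example.com"

# Constructed credential store for the IdP (plain sha256 for brevity; use a real password hash).
_USERS = {"ambarish": hashlib.sha256(b"correct horse").hexdigest()}


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes) -> str:
    """IdP side: signature = digest^d mod n, which needs the private key."""
    sig = pow(_digest(data), _PRIVATE_KEY[1], _PRIVATE_KEY[0])
    return base64.b64encode(sig.to_bytes((N.bit_length() + 7) // 8, "big")).decode()


def verify(data: bytes, sig_b64: str, public_key) -> bool:
    """SP side: digest == sig^e mod n, which needs only the public key."""
    n, e = public_key
    sig = int.from_bytes(base64.b64decode(sig_b64), "big")
    return pow(sig, e, n) == _digest(data)


def sp_build_redirect(relay_state: str, outstanding: set) -> str:
    """Google's side: mint an AuthnRequest (no user identity in it) and send the
    browser to the Sign-in page URL; HTTP-Redirect binding = raw DEFLATE + base64."""
    req_id = "_" + secrets.token_hex(16)
    outstanding.add(req_id)   # remembered so the response can be correlated later
    authn = ET.Element("AuthnRequest", ID=req_id, ProviderName=SP_ENTITY,
                       AssertionConsumerServiceURL=ACS_URL)
    ET.SubElement(authn, "Issuer").text = SP_ENTITY
    deflated = zlib.compress(ET.tostring(authn))[2:-4]   # strip zlib header and trailer
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{SIGN_IN_URL}?{query}"


def idp_handle_request(url: str, username: str, password: str):
    """Your application: parse the SAMLRequest, authenticate the user yourself,
    and return the form fields to POST to the ACS URL, or None if login fails."""
    qs = parse_qs(urlparse(url).query)
    authn = ET.fromstring(zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15))
    # Only post to the ACS configured for this SP, never to an arbitrary URL in the request.
    if authn.findtext("Issuer") != SP_ENTITY or authn.get("AssertionConsumerServiceURL") != ACS_URL:
        return None
    # The request names no user: identifying and authenticating them is entirely the IdP's job.
    if _USERS.get(username) != hashlib.sha256(password.encode()).hexdigest():
        return None
    assertion = ET.Element("Assertion", ID="_" + secrets.token_hex(16))
    ET.SubElement(assertion, "Issuer").text = IDP_ENTITY
    subject = ET.SubElement(assertion, "Subject")
    ET.SubElement(subject, "NameID").text = username   # the identity Google creates a session for
    ET.SubElement(subject, "SubjectConfirmationData",
                  InResponseTo=authn.get("ID"), Recipient=ACS_URL)
    ET.SubElement(assertion, "Audience").text = SP_ENTITY
    assertion_xml = ET.tostring(assertion)
    response = (f'<Response InResponseTo="{authn.get("ID")}" Destination="{ACS_URL}">'
                f"<Issuer>{IDP_ENTITY}</Issuer><Status>Success</Status>"
                f"<SignatureValue>{sign(assertion_xml)}</SignatureValue>"
                + assertion_xml.decode() + "</Response>")
    return {"SAMLResponse": base64.b64encode(response.encode()).decode(),
            "RelayState": qs.get("RelayState", [""])[0]}   # echoed back untouched


def sp_consume(form: dict, outstanding: set, public_key):
    """Google's side: trust the NameID only after the signature verifies with the
    uploaded public key and the response matches a request we actually sent.
    Returns (username, url_to_redirect_to) or raises ValueError."""
    response = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    assertion, sig = response.find("Assertion"), response.findtext("SignatureValue")
    if assertion is None or sig is None or not verify(ET.tostring(assertion), sig, public_key):
        raise ValueError("assertion signature missing or invalid")
    if assertion.findtext("Issuer") != IDP_ENTITY or assertion.findtext("Audience") != SP_ENTITY:
        raise ValueError("assertion not issued by the configured IdP for this SP")
    conf = assertion.find("Subject/SubjectConfirmationData")
    if conf is None or conf.get("Recipient") != ACS_URL or conf.get("InResponseTo") not in outstanding:
        raise ValueError("response does not match an outstanding request")
    outstanding.discard(conf.get("InResponseTo"))   # one-shot: a replayed response is rejected
    return assertion.findtext("Subject/NameID"), (form.get("RelayState") or DEFAULT_LANDING)
```

Call `sp_build_redirect` to get the URL Google would send the browser to, feed that URL plus the user's credentials to `idp_handle_request`, and hand the returned form fields to `sp_consume`; a wrong password yields no response at all, a response posted twice is rejected by the outstanding-request check, and any edit to the NameID after signing fails `verify`, which is exactly why Google needs nothing but the public key.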
