Google Apps integration notes - SSO

Accessing Google Apps without single sign-on

After SSO has been enabled, Google Apps can still be accessed by username and password at http://www.google.com/a/<google apps hostname>, for example:
http://www.google.com/a/ubilogin.ubisecure.com

Accessing Administration settings

Access to the Google Apps administration console is also possible from the URL http://www.google.com/a/<google apps hostname>, for example:
http://www.google.com/a/ubilogin.ubisecure.com

The "Manage This Domain" link is also shown to administrators in the menu bar of the Google mail application.

First time use password initialization

If a user has never accessed Google Apps before, Google Apps will prompt the user to create a password. This password is used only when single sign-on is not possible.

Invalid email error

If a user tries to access Google Apps, but has not been created in Google Apps, the error "Invalid Email - We are unable to process your request at this time, please try again later." is displayed. The error is shown in Figure 1. The user must be added to Google Apps first. Bulk user creation is possible using the spreadsheet upload option.

Figure 1. Invalid Email Error

Login Credentials could not be verified

The error "This account cannot be accessed because the login credentials could not be verified" (shown in Figure 2) can indicate either that the email address format is incorrect or that the certificate uploaded to Google is incorrect.

Figure 2. Invalid Login Credentials Error


Check the settings of your authentication method to ensure the email address is sent in the correct format. The SAML NameID must be in the format username@googleappsdomain.
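The two causes named above can be checked offline against a captured, base64-decoded SAML response before changing any settings. The script below is an added example, not Ubisecure or Google code. It assumes a SAML 2.0 response that embeds its signing certificate in ds:X509Certificate, and the function names, the sample response and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_response(xml_text, apps_domain, uploaded_cert_sha256=None):
    """List problems in a base64-decoded SAML response (no signature check)."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["response contains a DTD; refusing to parse"]
    root = ET.fromstring(xml_text)
    problems = []
    # Cause 1 on this page: NameID must be username@googleappsdomain.
    node = root.find(".//saml:Subject/saml:NameID", NS)
    value = (node.text or "").strip() if node is not None else ""
    user, sep, domain = value.rpartition("@")
    if not (sep and user and domain):
        problems.append(f"NameID {value!r} is not username@domain")
    elif domain.lower() != apps_domain.lower():
        problems.append(f"NameID domain {domain!r} is not {apps_domain!r}")
    # Cause 2: the embedded signing certificate differs from the uploaded one.
    cert = root.find(".//ds:X509Certificate", NS)
    if uploaded_cert_sha256 and cert is not None:
        der = base64.b64decode("".join((cert.text or "").split()))
        if hashlib.sha256(der).hexdigest() != uploaded_cert_sha256.lower():
            problems.append("signing certificate differs from the uploaded one")
    return problems

# Constructed placeholder bytes standing in for the DER-encoded certificate.
FAKE_DER = b"constructed placeholder, not a real certificate"
CERT_B64 = base64.b64encode(FAKE_DER).decode()
UPLOADED_SHA256 = hashlib.sha256(FAKE_DER).hexdigest()

def sample_response(name_id, cert_b64=CERT_B64):
    """Constructed, unsigned sample shaped like a SAML 2.0 response."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<saml:Assertion><ds:Signature><ds:KeyInfo><ds:X509Data>'
        f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></ds:Signature>'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    for nid in ("alice@ubilogin.ubisecure.com", "alice", "alice@example.org"):
        print(nid, check_response(sample_response(nid),
                                  "ubilogin.ubisecure.com", UPLOADED_SHA256))
```

The fingerprint passed as uploaded_cert_sha256 is the SHA-256 of the DER form of the certificate that was uploaded to Google; the check compares certificates only and does not validate the XML signature.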

Why isn't the Change password URL working?

According to Google, changes to the Change password URL in SSO Settings take about an hour to become effective.

Logout limitations

Google Apps only supports the initiation of a SAML single logout using the Google logout link.

The Google logout link is found in the top left of most applications, for example:
http://docs.google.com/a/ubilogin.ubisecure.com/logout

However, Google Apps does not currently offer a SAML logout endpoint. If users should also be logged out of Google when a single sign-on session is ended, all non-Google-initiated sign-out links should contain the Google logout link in the ReturnUrl address.

https://keith17.ubisecure.ubi:8443/uas/logout?returnurl=http://docs.google.com/a/ubilogin.ubisecure.com/logout

Logout page text should be adjusted so that users are instructed to press the continue link. This screen will appear twice while logging out. Adjust custom/uas.properties accordingly:

LOGOUT_COMPLETED = Logout is in progress. Please press continue to complete the logout process.

Please contact Ubisecure for the latest information regarding this limitation. Google is expected to offer SAML logout in the future.

Google Apps Partner Page

Google Apps Partner Page allows service providers to offer a customized version of Google Apps to service subscribers. The default home page
http://partnerpage.google.com/googleappsdomain

supports SAML passive login (isPassive="True"), so that unauthenticated users can also access the iGoogle-style homepage. Ubisecure SSO supports this configuration.

For more information, please refer to:
http://www.google.com/a/help/intl/en/partners/index.html