How to restrict Google Federated Login to a specific application domain?

I want to implement Single Sign-on in a client application. The client hosts their e-mail with Google Apps. Since Google offers OpenID, this should be relatively easy to implement. However, the user may not be logged into the correct Google account (or may even be logged into multiple accounts).

Thus, when using the Google OpenID endpoint https://www.google.com/accounts/o8/id, the user is asked to choose which account he or she wants to log in with. Since the application will only accept logins from the Google Apps domain, this step could be skipped, which would be more convenient for users. However, I could not find a way to do this. There is this question on SO, but the links are all dead or point to outdated specifications. Also, I couldn't find any hints in "Federated Login for Google Account Users".

In some places it is suggested to use https://www.google.com/a/[domain]/o8/ud?be=o8, but this does not work (anymore):

 $ wget --header='Accept: application/xrds+xml' 'https://www.google.com/a/[domain]/o8/ud?be=o8'
 2012-01-24 09:29:53 ERROR 400: Bad Request.
1 answer

Although I could not find official documentation for it, the endpoint for a specific Google Apps domain is the following:

 https://google.com/accounts/o8/site-xrds?hd=<domain> 

When using this approach, keep in mind that you will run into a Google-specific modification:

Google has slightly changed the way IdP and user XRDS discovery is done, so that Google Apps users get OpenIDs of the form http://example.com/openid?id=108441225163454056756 without asking users to set up their own OpenID servers. For small companies, people can get their OpenID under their own domain with just a domain name if they use Google Apps. (source)

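The following is an added example, not code from the question or the answer above. It walks through what a relying party has to do once it has the per-domain XRDS document: pick the OP endpoint out of the XRDS, build the directed-identity (identifier_select) checkid_setup request that asks for the e-mail via Attribute Exchange, and then enforce the domain restriction on the assertion that comes back. Pointing discovery at a per-domain endpoint only changes which login screen the user sees; the relying party must still check that the returned e-mail and claimed_id belong to the allowed domain, that the assertion names the expected OP endpoint, and that those fields are covered by the signature. The XRDS document, the endpoint URI and the assertion are constructed for this example and are assumptions about the shape of Google's responses, not captured data; signature verification itself is left to the OpenID library and is not implemented here.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
OP_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL = "http://axschema.org/contact/email"
XRD_NS = "xri://$xrd*($v*2.0)"

# Constructed XRDS in the shape of an OpenID 2.0 discovery document. The
# endpoint URI is an assumption for this example, not Google's actual reply.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""
SAMPLE_OP = "https://www.google.com/a/example.com/o8/ud?be=o8"  # assumed value


def discover_op_endpoint(xrds_text):
    """Return the URI of the first Service that advertises the OpenID 2.0 server type."""
    root = ET.fromstring(xrds_text)
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        uri = svc.find(f"{{{XRD_NS}}}URI")
        if OP_SERVER_TYPE in types and uri is not None and uri.text:
            return uri.text.strip()
    raise ValueError("no OpenID 2.0 OP endpoint in XRDS")


def build_checkid_setup_url(op_endpoint, realm, return_to):
    """Directed-identity request: the OP picks the account, we ask for the e-mail via AX."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.realm": realm,
        "openid.return_to": return_to,
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_request",
        "openid.ax.required": "email",
        "openid.ax.type.email": AX_EMAIL,
    }
    return op_endpoint + ("&" if "?" in op_endpoint else "?") + urlencode(params)


def _ax_alias(resp):
    """The OP may use any alias for AX; find it through openid.ns.<alias>."""
    for key, value in resp.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def check_domain_assertion(resp, expected_op_endpoint, allowed_domain):
    """Enforce the hosted-domain restriction on a positive assertion (dict of openid.* params).

    Assumes openid.sig has already been verified by the OpenID library; that step
    is out of scope here and must not be skipped.
    """
    if resp.get("openid.ns") != OPENID_NS or resp.get("openid.mode") != "id_res":
        raise ValueError("not a positive OpenID 2.0 assertion")
    if resp.get("openid.op_endpoint") != expected_op_endpoint:
        raise ValueError("assertion issued by an unexpected OP endpoint")
    alias = _ax_alias(resp)
    if alias is None:
        raise ValueError("no AX extension in response")
    email_key = f"openid.{alias}.value.email"
    # Only the fields listed in openid.signed are covered by the signature;
    # anything else could have been altered on the way back to us.
    signed = set(resp.get("openid.signed", "").split(","))
    needed = {"op_endpoint", "claimed_id", "identity", "return_to",
              f"ns.{alias}", f"{alias}.value.email"}
    if not needed <= signed:
        raise ValueError("required fields are not covered by the signature")
    domain = allowed_domain.lower()
    local, at, email_domain = resp.get(email_key, "").rpartition("@")
    if not at or not local or email_domain.lower() != domain:
        raise ValueError("e-mail is not in the allowed Google Apps domain")
    # Per the answer's quote, Apps users' identifiers live under the customer's
    # own domain, so the claimed_id host is checked against it as well (assumption).
    if urlparse(resp["openid.claimed_id"]).hostname != domain:
        raise ValueError("claimed_id is not under the allowed domain")
    return {"email": resp[email_key].lower(), "claimed_id": resp["openid.claimed_id"]}


def assertion_allowed(resp, expected_op_endpoint, allowed_domain):
    """Boolean wrapper for callers that want a verdict rather than an exception."""
    try:
        check_domain_assertion(resp, expected_op_endpoint, allowed_domain)
        return True
    except ValueError:
        return False


# Constructed positive assertion; nonce, handle and signature are placeholders.
SAMPLE_RESPONSE = {
    "openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": SAMPLE_OP,
    "openid.claimed_id": "http://example.com/openid?id=108441225163454056756",
    "openid.identity": "http://example.com/openid?id=108441225163454056756",
    "openid.return_to": "https://app.example.org/openid/return",
    "openid.response_nonce": "2012-01-24T09:29:53Zconstructed",
    "openid.assoc_handle": "constructed-handle", "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response", "openid.ax.type.email": AX_EMAIL,
    "openid.ax.value.email": "alice@example.com",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.ax,ax.mode,ax.type.email,ax.value.email",
    "openid.sig": "constructed",
}

if __name__ == "__main__":
    op = discover_op_endpoint(SAMPLE_XRDS)
    print(build_checkid_setup_url(op, "https://app.example.org/", "https://app.example.org/openid/return"))
    print(check_domain_assertion(SAMPLE_RESPONSE, op, "example.com"))
```

The domain check is deliberately done on the e-mail's domain part and on the claimed_id host separately: an account from a different Google Apps domain, or a consumer gmail.com account, could otherwise be accepted if either field alone were trusted, and a field that is missing from openid.signed is rejected even when its value looks right.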

Source: https://habr.com/ru/post/906733/
