Designing for Google Apps Marketplace SSO Part 1 - Background

posted Mar 11, 2010, 10:04 AM by Geoffrey Kneller
One thing that becomes clear right away is that for your app to be accepted into Google Apps Marketplace, it must support Single Sign On using OpenID. How this applies to a Google Web Toolkit application written for Google App Engine isn't quite clear from the documentation: this blog post attempts to sort that out.

First off, it's important to consider some background on who the user will be in this scenario, and how they will be set up:
  1. The user will be someone from a business that has bought Google Apps Standard, Google Apps Premiere, or Google Apps Educational edition.
  2. The user's domain administrator will have purchased and installed your app for everyone in the domain. You can't, as far as I can tell, have an app for just some of the users in the domain: it's going to be deployed to everyone.
  3. The user already has a Google Apps account set up, with their user name / e-mail address, a nickname (perhaps their real name), and a password. They probably sign into it first thing in the morning to access their web-based e-mail and calendar.
  4. Authentication of the user may not be happening on a Google server; the user's organization may have set up authentication back to their organizational LDAP server.
How is sign-in of such a user with a Google Web Toolkit Google App Engine application written in Java managed? A servlet running on the App Engine server uses the Google Accounts API to do something like this:

// Check if the user is logged in 
if(userService.isUserLoggedIn()) { 
    // Get the current user 
    User user = userService.getCurrentUser(); 
    if(user != null) { 
        // Copy strings 
        String id = user.getUserId(); 
        String authDomain = user.getAuthDomain(); 
        String email = user.getEmail(); 
        String nickname = user.getNickname(); 

        // Copy admin status 
        Boolean appAdmin = userService.isUserAdmin();

And then the results could be sent back to the client as a response to an RPC. Sign-in can be enforced by making the appropriate additions to web.xml for the application.

The Google Accounts API gets you access to the user's Google account, but this isn't the same thing as OpenID. In order to meet the requirements for Google Apps Marketplace, we'll have more work to do.