<a href="http://www.google.com/apps/" class="urlextern" title="http://www.google.com/apps/" rel="nofollow">Google Apps</a> can use <abbr title="Security Assertion Markup Language">SAML</abbr> to authenticate users, behaving as a <abbr title="Security Assertion Markup Language">SAML</abbr> service provider, as explained <a href="http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html" class="urlextern" title="http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html" rel="nofollow">here</a>.
<li class="level1"><div class="li"> An <a href="http://www.google.com/apps/intl/en/business/index.html" class="urlextern" title="http://www.google.com/apps/intl/en/business/index.html" rel="nofollow">enterprise Google Apps account</a></div></li>
<li class="level1"><div class="li"> Users registered on Google Apps with the same email addresses as those used by <abbr title="LemonLDAP::NG">LL::NG</abbr> (the email address is the NameID exchanged between Google Apps and <abbr title="LemonLDAP::NG">LL::NG</abbr>)</div></li>
<p><div class="noteclassic">This part is based on the <a href="http://simplesamlphp.org/docs/1.6/simplesamlphp-googleapps" class="urlextern" title="http://simplesamlphp.org/docs/1.6/simplesamlphp-googleapps" rel="nofollow">SimpleSAMLphp documentation</a>.
</div></p>
<p>
As administrator, go to the Google Apps control panel and click on Advanced tools:
</p>
<li class="level1"><div class="li"><strong>Enable Single Sign-On</strong>: check the box. Uncheck it to disable <abbr title="Security Assertion Markup Language">SAML</abbr> authentication (for example, if your Identity Provider is down).</div></li>
<li class="level1"><div class="li"><strong>Sign-out page <abbr title="Uniform Resource Locator">URL</abbr></strong>: this is not the SLO endpoint (Google Apps does not support SLO), but the main logout page. Example: <a href="http://auth.example.com/?logout=1" class="urlextern" title="http://auth.example.com/?logout=1" rel="nofollow">http://auth.example.com/?logout=1</a></div></li>
<li class="level1"><div class="li"><strong>Change password <abbr title="Uniform Resource Locator">URL</abbr></strong>: where users can change their password. Example: <a href="http://auth.example.com" class="urlextern" title="http://auth.example.com" rel="nofollow">http://auth.example.com</a></div></li>
For the certificate (Google Apps needs the public certificate that matches the Identity Provider signing key), you can build it from the signing private key registered in Manager. Select the key and export it (button <code>Download this file</code>):
You should have configured <abbr title="LemonLDAP::NG">LL::NG</abbr> as a <a href="../../../documentation/1.9/idpsaml.html" class="wikilink1" title="documentation:1.9:idpsaml">SAML Identity Provider</a>,
<li class="level1"><div class="li"> In Manager, click on <abbr title="Security Assertion Markup Language">SAML</abbr> service providers and the button <code>New service provider</code>.</div></li>
<li class="level1"><div class="li"> Disable all signature flags in <code>Options</code> » <code>Signature</code>, except <code>Sign <abbr title="Single Sign On">SSO</abbr> message</code>, which should be set to <code>On</code></div></li>
<p><div class="noteimportant">Change <strong>mydomain.org</strong> (in the <code>AssertionConsumerService</code> markup, parameter <code>Location</code>) into your Google Apps domain. Also adapt the entityID so that it matches the Assertion issuer: google.com/a/mydomain.org
</div></p>
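<p>The following check, added here as an example and not part of the LL::NG project, verifies the points of the note above before the service provider metadata is loaded into Manager: the entityID and the <code>AssertionConsumerService</code> <code>Location</code> must both carry your Google Apps domain, the ACS endpoint must be HTTPS, and the NameID format must be the email address. The metadata template and its ACS path <code>/a/&lt;domain&gt;/acs</code> are constructed for this example.</p>

```python
# Added example (not LemonLDAP::NG code): consistency check of Google Apps SP metadata.
# The metadata template and the ACS path "/a/<domain>/acs" are assumptions for this example.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def googleapps_sp_metadata(domain: str) -> str:
    """Constructed SP metadata for a Google Apps domain (sample, not Google's own file)."""
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="google.com/a/{domain}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>{EMAIL_NAMEID}</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/{domain}/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_googleapps_sp_metadata(xml_text: str, domain: str) -> list:
    """Return the problems found; an empty list means the metadata matches `domain`."""
    problems = []
    root = ET.fromstring(xml_text)
    # entityID must equal the Assertion issuer Google Apps expects for this domain
    entity_id = root.get("entityID", "")
    if entity_id != f"google.com/a/{domain}":
        problems.append(f"entityID {entity_id!r} does not match google.com/a/{domain}")
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        return problems + ["no SPSSODescriptor element"]
    # the NameID exchanged with Google Apps is the user's email address
    formats = [e.text for e in spsso.findall("md:NameIDFormat", NS)]
    if EMAIL_NAMEID not in formats:
        problems.append("NameIDFormat is not emailAddress")
    acs_list = spsso.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        problems.append("no AssertionConsumerService element")
    for acs in acs_list:
        loc = acs.get("Location", "")
        # assertions carry the user identity: only deliver them over HTTPS, to the right domain
        if not loc.startswith("https://"):
            problems.append(f"ACS Location {loc!r} is not HTTPS")
        if f"/a/{domain}/" not in loc:
            problems.append(f"ACS Location {loc!r} does not belong to {domain}")
    return problems


if __name__ == "__main__":
    # metadata left with the placeholder domain is reported against the real one
    print(check_googleapps_sp_metadata(googleapps_sp_metadata("mydomain.org"), "example.org"))
```

Running the block with a placeholder domain left in the metadata reports both the entityID and the ACS Location, which is exactly the pair of values the note asks you to replace.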
You can add a link in the <a href="../../../documentation/1.9/portalmenu.html#categories_and_applications" class="wikilink1" title="documentation:1.9:portalmenu">application menu</a> to display Google Apps to users.
<li class="level1"><div class="li"><strong>Address</strong>: set one of the Google Apps <abbr title="Uniform Resource Locator">URL</abbr>s (each Google Apps product has a distinct <abbr title="Uniform Resource Locator">URL</abbr>), for example <a href="http://www.google.com/calendar/hosted/mydomain.org/render" class="urlextern" title="http://www.google.com/calendar/hosted/mydomain.org/render" rel="nofollow">http://www.google.com/calendar/hosted/mydomain.org/render</a></div></li>
<li class="level1"><div class="li"><strong>Display</strong>: as Google Apps is not an application protected by <abbr title="LemonLDAP::NG">LL::NG</abbr>, set this to <code>On</code> so that the link is always displayed</div>
</li>
</ul>
<p><div class="noteimportant">Change <strong>mydomain.org</strong> into your Google Apps domain
</div></p>
Google Apps has a configuration parameter to redirect the user to a specific <abbr title="Uniform Resource Locator">URL</abbr> after the Google Apps logout (see <a href="#google_apps_control_panel" title="documentation:1.9:applications:googleapps ↵" class="wikilink1">Google Apps control panel</a>).
To manage the other direction (<abbr title="LemonLDAP::NG">LL::NG</abbr> → Google Apps), you can add a dedicated <a href="../../../documentation/1.9/logoutforward.html" class="wikilink1" title="documentation:1.9:logoutforward">logout forward rule</a>: