jankeirse / tvhgooglemapi

Simplemapi provider for Google Mail (both gmail and google apps)
http://jankeirse.github.io/tvhgooglemapi/
Apache License 2.0

Support for SSO with SAML #19

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Send as attachment from PowerPoint
2. Prompted for Google credentials
3. Attempt to enter email only in order to get redirected to SSO login

What is the expected output? What do you see instead?
Expected to be prompted for login. Instead I get "invalid password".

What version of the product are you using? On what operating system?
8.1, Windows 7

Please provide any additional information below.

Original issue reported on code.google.com by jason.sc...@jmfamily.com on 31 Jul 2014 at 12:12

GoogleCodeExporter commented 9 years ago
SAML

Original comment by jason.sc...@jmfamily.com on 31 Jul 2014 at 12:13

GoogleCodeExporter commented 9 years ago
This is not possible: 
https://developers.google.com/google-apps/help/faq/saml-sso#nonweb
However, you can use an application specific password: 
https://support.google.com/mail/answer/1173270?hl=en

Original comment by jan.kei...@tvh.com on 31 Jul 2014 at 12:16

GoogleCodeExporter commented 9 years ago
What is not possible? Why wouldn't you just use OAuth or leverage the active session within Chrome that already exists? I have several other apps that do this all the time.

Original comment by jason.sc...@jmfamily.com on 31 Jul 2014 at 12:21

GoogleCodeExporter commented 9 years ago
SAML is not possible in combination with IMAP. SAML is an HTTPS protocol. IMAP is used to do the email upload and it doesn't run over HTTPS.

In theory it could use OAuth, using the web browser for the authorization, but that is not SSO and would not involve SAML (it wouldn't even work any differently whether SAML SSO is enabled or not.)
However, I don't see an advantage in this over using an application specific password, since the OAuth secret would be available on the machine in exactly the same way as the application specific password.

Original comment by jan.kei...@tvh.com on 31 Jul 2014 at 3:26
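The OAuth-over-IMAP path mentioned above is the SASL XOAUTH2 mechanism Gmail exposes on `AUTHENTICATE`. The following is an added example (not code from this project or from either commenter) showing what the client actually puts on the wire: the initial response is `user=<address>` and `auth=Bearer <access token>` separated by 0x01 bytes, base64-encoded by the IMAP library. The address, token and host are constructed sample values; the `imap_login_xoauth2` helper performs a real network connection and is only shown for completeness.

```python
import base64
import imaplib
from typing import Callable, Dict

# Constructed sample values for this example only; not real credentials.
SAMPLE_USER = "alice@example.com"
SAMPLE_TOKEN = "ya29.constructed-access-token"


def build_xoauth2_initial_response(user: str, access_token: str) -> bytes:
    """Build the raw SASL XOAUTH2 initial client response.

    Gmail's format: "user=" <address> ^A "auth=Bearer " <token> ^A ^A
    where ^A is the byte 0x01. The IMAP client base64-encodes this blob
    before sending it in reply to the server's empty "+" continuation.
    """
    for field in (user, access_token):
        if "\x01" in field or "\r" in field or "\n" in field:
            raise ValueError("control characters are not allowed in SASL fields")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def encode_xoauth2_for_wire(raw: bytes) -> str:
    """Base64 the raw response, as it appears after 'AUTHENTICATE XOAUTH2'."""
    return base64.b64encode(raw).decode("ascii")


def parse_xoauth2_initial_response(raw: bytes) -> Dict[str, str]:
    """Parse a raw XOAUTH2 response back into its key=value fields.

    This is what the receiving server does; it lets the client side
    verify that what it built is well-formed before sending it.
    """
    text = raw.decode("utf-8")
    if not text.endswith("\x01\x01"):
        raise ValueError("malformed XOAUTH2 response: missing trailing separators")
    fields: Dict[str, str] = {}
    for part in text[:-2].split("\x01"):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value
    return fields


def xoauth2_authobject(user: str, access_token: str) -> Callable[[bytes], bytes]:
    """Return an authobject for imaplib.IMAP4.authenticate().

    imaplib calls the authobject with the base64-decoded server challenge
    and base64-encodes whatever it returns. The first call carries an empty
    challenge and gets the initial response. If Gmail rejects the token it
    sends a JSON status as a second challenge and expects an empty client
    reply, after which it returns a tagged NO.
    """
    state = {"sent_initial": False}

    def auth(challenge: bytes) -> bytes:
        if not state["sent_initial"]:
            state["sent_initial"] = True
            return build_xoauth2_initial_response(user, access_token)
        # Any further challenge is an error status; answer with an empty line.
        return b""

    return auth


def imap_login_xoauth2(host: str, user: str, access_token: str) -> imaplib.IMAP4_SSL:
    """Connect over IMAPS (port 993) and authenticate with XOAUTH2. Network call."""
    conn = imaplib.IMAP4_SSL(host, 993)
    conn.authenticate("XOAUTH2", xoauth2_authobject(user, access_token))
    return conn


if __name__ == "__main__":
    raw = build_xoauth2_initial_response(SAMPLE_USER, SAMPLE_TOKEN)
    print("C: AUTHENTICATE XOAUTH2", encode_xoauth2_for_wire(raw))
    print("parsed by server:", parse_xoauth2_initial_response(raw))
```

Note what this does and does not change about the trust model: the browser-based consent step only happens once; afterwards the client must hold a refresh token (and client secret) on disk to mint new access tokens, and that stored refresh token is a bearer credential in the same sense as an application specific password. The SAML identity provider is never involved in the IMAP session itself.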

GoogleCodeExporter commented 9 years ago
Two reasons. 1. There is no support for 2 factor or application specific passwords when SSO is enabled. 2. Our users do not know their Google password and are always sent to our SAML provider for authorization.

Original comment by jason.sc...@jmfamily.com on 31 Jul 2014 at 5:30

GoogleCodeExporter commented 9 years ago
Maybe I will take a shot at adding the OAuth support. Not a Java developer but I am good at reuse of examples. :)

Original comment by jason.sc...@jmfamily.com on 31 Jul 2014 at 5:31

GoogleCodeExporter commented 9 years ago
I am guessing I need to start here

https://developers.google.com/gmail/oauth_overview

Original comment by jason.sc...@jmfamily.com on 31 Jul 2014 at 5:36

GoogleCodeExporter commented 9 years ago
Before you start you may want to read this:
http://www.theregister.co.uk/2012/07/28/oauth_editor_quits/
If you decide to go on anyway (OAuth to Google is not so bad as OAuth to anything, they've done their best to make it usable) you should also look at this: https://code.google.com/p/java-gmail-imap/
That's the IMAP library I used, the website explains how to do OAuth, including examples.

Original comment by jan.kei...@tvh.com on 1 Aug 2014 at 7:22

GoogleCodeExporter commented 9 years ago
As for:
> 1. There is no support for 2 factor or application specific passwords when SSO is enabled.

At least last time I tried (we have SSO ourselves) you can enable 2 factor authentication (here: https://www.google.com/settings/security), it just isn't used because the login always goes through SSO. But if you enable it anyway, you can generate application specific passwords for use with IMAP.

> 2. Our users do not know their Google password and are always sent to our SAML provider for authorization.

If you are using Active Directory you could use this: https://support.google.com/a/topic/2611858?hl=en&parent=14588&ctx=topic to sync the password hash from Active Directory to Google for use with IMAP.

Original comment by jan.kei...@tvh.com on 1 Aug 2014 at 1:18

GoogleCodeExporter commented 9 years ago
From Google support at https://support.google.com/a/answer/175197?hl=en:
Note: 2-Step Verification can't be used for accounts using a SAML single sign-on service (SSO). See SAML SSO Service for Google Apps.

And as for your response to 2: we looked into this but having to maintain this DLL on all of our writable domain controllers did not seem like a solid architecture. (We have a large AD environment.)

But thanks again for rejecting my request :)

Original comment by jason.sc...@jmfamily.com on 1 Aug 2014 at 1:26

GoogleCodeExporter commented 9 years ago
I rejected the request for SSO through SAML2 since it can't be done (not in this application, you could modify Google Chrome to do this, especially now with the new Gmail API, but that's a request that should be directed to the Google Chrome/Chromium projects.)

OAuth is another thing, that can be done (though I won't do it myself I welcome contributions.)

Have you tried actually enabling 2-step verification for an account? It's true that it can't be used, but the option is available nonetheless (at least for me) and if you enable it it won't be used (since the Google login page isn't used), but the application specific passwords do become available for non-HTTP/HTTPS applications.

Original comment by jan.kei...@tvh.com on 1 Aug 2014 at 1:55