[OpenID board] upcoming Google announcement regarding OpenID

Eric Sachs esachs at google.com
Wed Jul 8 11:47:00 PDT 2009


Yes, I now realize I mistakenly posted this to the public instead of private
board mailing list :-)  Not a particularly big deal since we have been
discussing this planned launch in the discovery community.
Feel free to respond on either the public or private mailing list.

On Wed, Jul 8, 2009 at 11:05 AM, Eric Sachs <esachs at google.com> wrote:

> Below are drafts of two blog posts we will make in the upcoming weeks about
> the fact that we are now operating an OpenID IDP for the million+
> schools/enterprise/ISPs that are outsourcing their email to Google Apps.  We
> would appreciate this not being circulated beyond the board until it is
> public.  This new support required that we work with the community to define
> some extensions to the OpenID discovery process.  While those discussions
> have been going on in the community the last few months, those extensions
> are not yet formalized and probably won't be until they are proven in
> production environments.  There is the potential for some community members
> (or press) to assume (or at least imply in articles) some evil intent by
> Google to co-opt OpenID with these extensions.  It would be nice to have a
> blog post on the formal OpenID blog that was supportive of our approach, so
> I wanted to see if the board members are comfortable with that.
>
> On a somewhat related point, I also expect this will further increase the
> pressure on us as a community to find more scalable UI options since the
> Nascar style approach obviously cannot include buttons for these million new
> IDPs.  We have also just posted a set of summary UI guidelines that we will
> be referencing from our API documentation at
> http://sites.google.com/site/oauthgoog/UXFedLogin/summary.  The goal was
> to keep it to one-page which forced us to cut additional background
> information, but if you think we cut something critical, let me know.
>
> Enterprise blog: Google Apps + OpenID = identity hub for all your SaaS
>
> We are happy to announce that the Google OpenID Federated Login API<http://code.google.com/apis/apps/sso/openid_reference_implementation.html> has
> been extended to Google Apps accounts used by businesses, schools, and other
> organizations. The service is important not only to the individuals in those
> organizations, who can interact with a variety of consumer websites with a
> single credential <add link to Google code post>, but also to the
> organizations themselves, who are increasingly reliant on multiple Software
> as a Service (SaaS) solutions from different vendors.
>
>
> For these organizations, Google Apps can now become an identity and data
> hub for multiple SaaS providers. When integrated with partner solutions such
> as XXX from XXX, the Google Open ID Federated Login API enables a single
> Google Apps login to provide secure access to services like Salesforce.com,
> SuccessFactors, and WebEX, as well as B2B partners, internal applications,
> and of course consumer web sites. See XXX's post <add link> to learn more
> about their implementation and view the demo and case study <add links>.
>
>
> Another early adopter is XXX, a SaaS project management vendor who uses the
> new service to make it easier for any organization using Google Apps to sign
> up for and deploy XXX to their users:
>
> < INSERT SCREEN SHOTS>
>
>
> Activating the OpenID Federated Login service for your domain is simple and
> secure. To achieve that, we introduced a new experimental discovery
> protocol<http://groups.google.com/group/google-federated-login-api/web/openid-discovery-for-hosted-domains> addressing
> some of the challenges with the current version (2.0) of OpenID<http://openid.net/specs/openid-authentication-2_0.html>
> :
>
>
>
>    - Reducing the hassle of hosting discovery documents on the domain
>    web-site - the discovery protocol offers a solution that allows a hosted
>    domain to become an OpenID Provider without hosting any documents at all.
>    Optionally, a domain may choose to host one simple file to support a more
>    complete discovery flow.
>
>
>
>    - Being an OpenID Identity Provider requires strong security protection
>    against attacks that could modify web pages on the site. To avoid that
>    requirement for businesses and organizations, we introduced digital
>    signatures on the discovery documents and a verification flow to support
>    that.
>
>
> You can find more details in our API<http://code.google.com/apis/apps/sso/openid_reference_implementation.html>
>  and Discovery<http://groups.google.com/group/google-federated-login-api/web/openid-discovery-for-hosted-domains> documentation,
> or join the discussions in the Google Federated Login API Group<http://groups.google.com/group/google-federated-login-api/web/oauth-support-in-googles-federated-login-api>,
> where you can ask any question and get answers from other Identity
> Providers, Relying Parties and Google engineers.
>
>
> *The OpenID Federated Login Service is available for all Google Apps
> editions. However, it is disabled by default for the Premier and Education
> editions, and it requires the Domain Admin to manually enable it from
> the Control Panel. So Admins - go turn this today for your users<http://code.google.com/apis/apps/sso/openid_reference_implementation.html#cpanel>.
> At Google.com - we already enabled it for our employees... *
>
>
> Google Code blog: Over a million new OpenID Identity Providers!
>
> We are happy to announce that the Google OpenID Federated Login API<http://code.google.com/apis/apps/sso/openid_reference_implementation.html>
> has been extended to Google Apps accounts used by businesses, schools, and
> other organizations.  Individuals in these organizations can now sign in to
> 3rd party websites using their Google Apps account, without giving away
> their credentials. In addition to the value for the end-users, the new
> service also benefits the organizations themselves, who are increasingly
> reliant on multiple Software as a Service (SaaS) solutions from different
> vendors. For example, XXX is an early adopter, allowing any organization
> running Google Apps to more quickly sign up for and adopt their service:
>
> << INSERT SCREEN SHOTS>
>
>
> See our post on the Google Enterprise Blog <add link> to learn more about
> the opportunities for the organizations.
>
>
> Supporting the API for Google Apps accounts is exciting news for the OpenID
> community <http://www.openid.net/>, as it adds numerous new trustworthy
> Identity Provider (IDP) domains and increases the OpenID end user base by
> millions. In order to allow web-sites to easily become Relying Parties for
> these many new IDPs and users, we defined a new discovery protocol<http://groups.google.com/group/google-federated-login-api/web/openid-discovery-for-hosted-domains>.
> The protocol allows Relying Parties to identify that a given domain is
> hosted on Google Apps and securely access its OpenID Provider End Point. The
> current proposal is an interim solution, and we are participating in several
> standardization organizations, such as OASIS <http://www.oasis-open.org/> and
> the OpenID Foundation <http://openid.net/foundation/>, to generate a
> next-generation standard. Since the current protocol proposal is not
> supported by the standard OpenID libraries, we provided an implementation of
> the Relying Party pieces at the Open Source project - step2.googlecode.com<http://code.google.com/p/step2/>.
> Google is also offering a set of resources addressing the issues of designing
> a scalable Federated Login User Interface. You are welcome to visit the User
> Experience summary for Federated Login<http://sites.google.com/site/oauthgoog/UXFedLogin/summary> Google
> Sites page, where you can find links to demos, mocks and usability research
> data.
>
> Prefer an out-of-the-box solution? We have been working with JanRain<http://www.janrain.com/>,
> a provider of OpenID solutions, which already supports the new API as part of
> their RPX product <http://rpxnow.com/>. As demonstrated by UserVoice<http://uservoice.com/session/new>
>  using JanRain's RPX <http://rpxnow.com/>, a user simply types in her
> Google Apps hosted domain name in the OpenID login box and everything else
> is being taken care of:
>
>
> <Add UserVoice (or other proposed RPX website) screenshots>
>
>
>
> You can find more details in our API<http://code.google.com/apis/apps/sso/openid_reference_implementation.html>
>  and Discovery<http://groups.google.com/group/google-federated-login-api/web/openid-discovery-for-hosted-domains> documentation,
> or join the discussions in the Google Federated Login API Group<http://groups.google.com/group/google-federated-login-api/web/oauth-support-in-googles-federated-login-api>,
> where you can ask any question and get answers from other Identity
> Providers, Relying Parties and Google engineers.
>
> *The OpenID Federated Login Service is available for all Google Apps
> editions. However, it is disabled by default for the Premier and Education
> editions, and it requires the Domain Admin to manually enable it from the
> Control Panel. So Admins - go turn this today for your users<http://code.google.com/apis/apps/sso/openid_reference_implementation.html#cpanel>.
> At Google.com - we already enabled it for our employees... *
>
