[OpenID board] upcoming Google announcement regarding OpenID

Eric Sachs esachs at google.com
Tue Jul 28 08:28:04 PDT 2009


The Google announcement of this new OpenID service has now been formally
posted at
http://googlecode.blogspot.com/2009/07/google-apps-openid-identity-hub-for.html

On Wed, Jul 8, 2009 at 11:47 AM, Eric Sachs <esachs at google.com> wrote:

> Yes, I now realize I mistakenly posted this to the public instead of
> private board mailing list :-)  Not a particularly big deal since we have
> been discussing this planned launch in the discovery community.
> Feel free to respond on either the public or private mailing list.
>
> On Wed, Jul 8, 2009 at 11:05 AM, Eric Sachs <esachs at google.com> wrote:
>
>> Below are drafts of two blog posts we will make in the upcoming weeks
>> about the fact that we are now operating an OpenID IDP for the million+
>> schools/enterprise/ISPs that are outsourcing their email to Google Apps.  We
>> would appreciate this not being circulated beyond the board until it is
>> public.  This new support required that we work with the community to define
>> some extensions to the OpenID discovery process.  While those discussions
>> have been going on in the community the last few months, those extensions
>> are not yet formalized and probably won't be until they are proven in
>> production environments.  There is the potential for some community members
>> (or press) to assume (or at least imply in articles) some evil intent by
>> Google to co-opt OpenID with these extensions.  It would be nice to have a
>> blog post on the formal OpenID blog that was supportive of our approach, so
>> I wanted to see if the board members are comfortable with that.
>>
>> On a somewhat related point, I also expect this will further increase the
>> pressure on us as a community to find more scalable UI options since the
>> Nascar style approach obviously cannot include buttons for these million new
>> IDPs.  We have also just posted a set of summary UI guidelines that we will
>> be referencing from our API documentation at
>> http://sites.google.com/site/oauthgoog/UXFedLogin/summary.  The goal was
>> to keep it to one-page which forced us to cut additional background
>> information, but if you think we cut something critical, let me know.
>>
>> Enterprise blog: Google Apps + OpenID = identity hub for all your SaaS
>>
>> We are happy to announce that the Google OpenID Federated Login API<http://code.google.com/apis/apps/sso/openid_reference_implementation.html> has
>> been extended to Google Apps accounts used by businesses, schools, and other
>> organizations. The service is important not only to the individuals in those
>> organizations, who can interact with a variety of consumer websites with a
>> single credential <add link to Google code post>, but also to the
>> organizations themselves, who are increasingly reliant on multiple Software
>> as a Service (SaaS) solutions from different vendors.
>>
>>
>> For these organizations, Google Apps can now become an identity and data
>> hub for multiple SaaS providers. When integrated with partner solutions such
>> as XXX from XXX, the Google Open ID Federated Login API enables a single
>> Google Apps login to provide secure access to services like Salesforce.com,
>> SuccessFactors, and WebEX, as well as B2B partners, internal applications,
>> and of course consumer web sites. See XXX's post <add link> to learn more
>> about their implementation and view the demo and case study <add links>.
>>
>>
>> Another early adopter is XXX, a SaaS project management vendor who uses
>> the new service to make it easier for any organization using Google Apps to
>> sign up for and deploy XXX to their users:
>>
>> < INSERT SCREEN SHOTS>
>>
>>
>> Activating the OpenID Federated Login service for your domain is simple
>> and secure. To achieve that, we introduced a new experimental discovery
>> protocol<http://groups.google.com/group/google-federated-login-api/web/openid-discovery-for-hosted-domains> addressing
>> some of the challenges with the current version (2.0) of OpenID<http://openid.net/specs/openid-authentication-2_0.html>
>> :
>>
>>
>>
>>    - Reducing the hassle of hosting discovery documents on the domain
>>    web-site - the discovery protocol offers a solution that allows a hosted
>>    domain to become an OpenID Provider without hosting any documents at all.
>>    Optionally, a domain may choose to host one simple file to support a more
>>    complete discovery flow.
>>
>>
>>
>>    - Being an OpenID Identity Provider requires strong security
>>    protection against attacks that could modify web pages on the site. To avoid
>>    that requirement for businesses and organizations, we introduced digital
>>    signatures on the discovery documents and a verification flow to support
>>    that.
>>
>>
>> You can find more details in our API<http://code.google.com/apis/apps/sso/openid_reference_implementation.html>
>>  and Discovery<http://groups.google.com/group/google-federated-login-api/web/openid-discovery-for-hosted-domains> documentation,
>> or join the discussions in the Google Federated Login API Group<http://groups.google.com/group/google-federated-login-api/web/oauth-support-in-googles-federated-login-api>,
>> where you can ask any question and get answers from other Identity
>> Providers, Relying Parties and Google engineers.
>>
>>
>> *The OpenID Federated Login Service is available for all Google Apps
>> editions. However, it is disabled by default for the Premier and Education
>> editions, and it requires the Domain Admin to manually enable it from
>> the Control Panel. So Admins - go turn this today for your users<http://code.google.com/apis/apps/sso/openid_reference_implementation.html#cpanel>.
>> At Google.com - we already enabled it for our employees... *
>>
>>
>> Google Code blog: Over a million new OpenID Identity Providers!
>>
>> We are
>> happy to announce that the Google OpenID Federated Login API<http://code.google.com/apis/apps/sso/openid_reference_implementation.html>
>> has been extended to Google Apps accounts used by businesses, schools, and
>> other organizations.  Individuals in these organizations can now sign in to
>> 3rd party websites using their Google Apps account, without giving away
>> their credentials. In addition to the value for the end-users, the new
>> service also benefits the organizations themselves, who are increasingly
>> reliant on multiple Software as a Service (SaaS) solutions from different
>> vendors. For example, XXX is an early adopter, allowing any organization
>> running Google Apps to more quickly sign up for and adopt their service:
>>
>> << INSERT SCREEN SHOTS>
>>
>>
>> See our post on the Google Enterprise Blog <add link> to learn more about
>> the opportunities for the organizations.
>>
>>
>> Supporting the API for Google Apps accounts is exciting news for the OpenID
>> community <http://www.openid.net/>, as it adds numerous new trustworthy
>> Identity Provider (IDP) domains and increases the OpenID end user base by
>> millions. In order to allow web-sites to easily become Relying Parties for
>> these many new IDPs and users, we defined a new discovery protocol<http://groups.google.com/group/google-federated-login-api/web/openid-discovery-for-hosted-domains>.
>> The protocol allows Relying Parties to identify that a given domain is
>> hosted on Google Apps and securely access its OpenID Provider End Point. The
>> current proposal is an interim solution, and we are participating in several
>> standardization organizations, such as OASIS <http://www.oasis-open.org/> and
>> the OpenID Foundation <http://openid.net/foundation/>, to generate a
>> next-generation standard. Since the current protocol proposal is not
>> supported by the standard OpenID libraries, we provided an implementation of
>> the Relying Party pieces at the Open Source project -
>> step2.googlecode.com <http://code.google.com/p/step2/>. Google is also
>> offering a set of resources addressing the issues of designing a scalable
>> Federated Login User Interface. You are welcome to visit the User
>> Experience summary for Federated Login<http://sites.google.com/site/oauthgoog/UXFedLogin/summary> Google
>> Sites page, where you can find links to demos, mocks and usability research
>> data.
>>
>> Prefer an out-of-the-box solution? We have been working with JanRain<http://www.janrain.com/>,
>> a provider of OpenID solutions, which already supports the new API as part of
>> their RPX product <http://rpxnow.com/>. As demonstrated by UserVoice<http://uservoice.com/session/new>
>>  using JanRain's RPX <http://rpxnow.com/>, a user simply types in her
>> Google Apps hosted domain name in the OpenID login box and everything else
>> is being taken care of:
>>
>>
>> <Add UserVoice (or other proposed RPX website) screenshots>
>>
>>
>>
>> You can find more details in our API<http://code.google.com/apis/apps/sso/openid_reference_implementation.html>
>>  and Discovery<http://groups.google.com/group/google-federated-login-api/web/openid-discovery-for-hosted-domains> documentation,
>> or join the discussions in the Google Federated Login API Group<http://groups.google.com/group/google-federated-login-api/web/oauth-support-in-googles-federated-login-api>,
>> where you can ask any question and get answers from other Identity
>> Providers, Relying Parties and Google engineers.
>>
>> *The OpenID Federated Login Service is available for all Google Apps
>> editions. However, it is disabled by default for the Premier and Education
>> editions, and it requires the Domain Admin to manually enable it from the
>> Control Panel. So Admins - go turn this today for your users<http://code.google.com/apis/apps/sso/openid_reference_implementation.html#cpanel>.
>> At Google.com - we already enabled it for our employees... *
>>
>
>
