
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">


<head>

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">

<meta name=Generator content="Microsoft Word 12 (filtered medium)">

<style>

<!--

 /* Font Definitions */

 @font-face

        {font-family:"Cambria Math";

        panose-1:2 4 5 3 5 4 6 3 2 4;}

@font-face

        {font-family:Calibri;

        panose-1:2 15 5 2 2 2 4 3 2 4;}

@font-face

        {font-family:Tahoma;

        panose-1:2 11 6 4 3 5 4 4 2 4;}

 /* Style Definitions */

 p.MsoNormal, li.MsoNormal, div.MsoNormal

        {margin:0in;

        margin-bottom:.0001pt;

        font-size:12.0pt;

        font-family:"Times New Roman","serif";}

a:link, span.MsoHyperlink

        {mso-style-priority:99;

        color:blue;

        text-decoration:underline;}

a:visited, span.MsoHyperlinkFollowed

        {mso-style-priority:99;

        color:purple;

        text-decoration:underline;}

span.apple-style-span

        {mso-style-name:apple-style-span;}

span.EmailStyle18

        {mso-style-type:personal-reply;

        font-family:"Calibri","sans-serif";

        color:#1F497D;}

.MsoChpDefault

        {mso-style-type:export-only;}

@page Section1

        {size:8.5in 11.0in;

        margin:1.0in 1.0in 1.0in 1.0in;}

div.Section1

        {page:Section1;}

-->

</style>

<!--[if gte mso 9]><xml>

 <o:shapedefaults v:ext="edit" spidmax="1026" />

</xml><![endif]--><!--[if gte mso 9]><xml>

 <o:shapelayout v:ext="edit">

  <o:idmap v:ext="edit" data="1" />

 </o:shapelayout></xml><![endif]-->

</head>


<body lang=EN-US link=blue vlink=purple>


<div class=Section1>


<div>


<div>


<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";

color:#1F497D'>I eventually figured what was meant, below. Replacing my own google

hosted domain for alertblue.com in the redirect from the URL &nbsp;below, we get<o:p></o:p></span></b></p>


<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";

color:#1F497D'><o:p>&nbsp;</o:p></span></b></p>


<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";

color:#1F497D'><a

href="https://www.google.com/a/homepw.org/ServiceLogin2?continue=http%3A%2F%2Fsites.google.com%2Fa%2Fhomepw.org%2Ftestui%2F&amp;continue2=http%3A%2F%2Fsites.google.com%2Fa%2Fhomepw.org%2Ftestui%2F&amp;continue1=http%3A%2F%2Fsites.google.com%2Fa%2Falertblue.com%2Ftestui%2F&amp;service=jotspot&amp;passive=true&amp;ul=1">https://www.google.com/a/homepw.org/ServiceLogin2?continue=http%3A%2F%2Fsites.google.com%2Fa%2Fhomepw.org%2Ftestui%2F&amp;continue2=http%3A%2F%2Fsites.google.com%2Fa%2Fhomepw.org%2Ftestui%2F&amp;continue1=http%3A%2F%2Fsites.google.com%2Fa%2Falertblue.com%2Ftestui%2F&amp;service=jotspot&amp;passive=true&amp;ul=1</a><o:p></o:p></span></b></p>


<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";

color:#1F497D'><o:p>&nbsp;</o:p></span></b></p>


<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";

color:#1F497D'>which nicely provides either&nbsp; a local login (using email address)

or it relays our SAML IDP. Depending on how my op-discovery cookies are set,

the IDP will proxy on to the trustbearer OP.<o:p></o:p></span></b></p>


<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";

color:#1F497D'><o:p>&nbsp;</o:p></span></b></p>


<div style='mso-element:para-border-div;border:none;border-bottom:solid windowtext 1.0pt;

padding:0in 0in 1.0pt 0in'>


<p class=MsoNormal style='border:none;padding:0in'><b><span style='font-size:

10.0pt;font-family:"Tahoma","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></b></p>


</div>


<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";

color:#1F497D'><o:p>&nbsp;</o:p></span></b></p>


<p class=MsoNormal>We have another live example you can look at. &nbsp;Try this

URL:<o:p></o:p></p>


</div>


<div>


<p class=MsoNormal>&nbsp;&nbsp;<a

href="http://sites.google.com/a/alertblue.com/testui/">http://sites.google.com/a/alertblue.com/testui/</a><o:p></o:p></p>


</div>


<div>


<p class=MsoNormal>That URL is for a webpage created by an enterprise whose

email Google hosts on our AppsForYourDomain offering. &nbsp;But the owner of

that site has allowed some people outside their enterprise to access this

webpage. &nbsp;So when a user visits that webpage, they might be one of three

types of users:<o:p></o:p></p>


</div>


<div>


<p class=MsoNormal>&nbsp;- An employee of that enterprise<o:p></o:p></p>


</div>


<div>


<p class=MsoNormal>&nbsp;- An employee of a different enterprise that uses

AppsForYourDomain (and which might run its own IDP that authenticates users to

Google via SAML)<o:p></o:p></p>


</div>


<div>


<p class=MsoNormal>&nbsp;- A consumer user with a regular Google Account that

the user established manually<o:p></o:p></p>


</div>


<div>


<p class=MsoNormal>We are experimenting with different login UIs for this page,

so you might see different versions.<o:p></o:p></p>


</div>


<p class=MsoNormal><o:p>&nbsp;</o:p></p>


<p class=MsoNormal><o:p>&nbsp;</o:p></p>


</div>


</div>


</body>


</html>