28

I use Google Apps for my domain email, and I was wondering if I could use that account for OpenID instead of the regular Gmail account.

I know I can delegate OpenID to some other URL using this:

<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://samruby.myopenid.com/" />

But I can't find the appropriate URLs for Google.

Thanks

-Mathieu

Mathieu Longtin

7 Answers

16

Google recently (an hour or so ago) announced OpenID support for Google Apps customers.

Check out the discovery protocol on Google Groups. Should be a good start.

I believe the endpoint is https://www.google.com/accounts/o8/site-xrds?hd=your-domain.com

Mike Meyer
  • I now accept this answer, since the situation has changed, with the caveat that this is only available to _paying_ Google Apps customers. – Mathieu Longtin Aug 05 '09 at 13:55
  • According to their blog, it's enabled for all Google Apps customers. http://googlecode.blogspot.com/2009/07/google-apps-openid-identity-hub-for.html Looks like they don't allow for delegation though. It's "risky business." http://groups.google.com/group/google-federated-login-api/browse_thread/thread/825067789537568c# – Mike Meyer Aug 05 '09 at 17:33
  • That Googlecode article says that it's available for all editions, the announcement says it only applies to Premier and Education domains, and the google-federated-login-api seems to mention only Premier and Education as well. I can't seem to find the enabling/disabling switch in my cpanel. So I'm confused. – Mathieu Longtin Aug 10 '09 at 19:22
  • As am I. I hope it works for my domain using the standard Google Apps account and that delegation will one day be possible. Until then, it doesn't look like either one is going to be possible. – Mike Meyer Aug 11 '09 at 22:54
  • @TomerGabel Google Developers has a page on [OpenID Federated Login Service for Google Apps](https://developers.google.com/google-apps/sso/openid_reference_implementation). – Mihai Capotă Dec 06 '12 at 15:50
6

You can run your own OpenID server in your Google Apps domain (using GAE) - Google provides sample code of an OpenID server. I've recently ported this to the latest OpenID library, so now it is OpenID 2.0 compatible. Project page: http://code.google.com/p/appengine-openid-provider/

mrk
4

For OpenId2 I currently have this on my site

<link rel="openid2.provider" href="https://www.google.com/accounts/o8/ud" />

as it is the only one required. Since I am logged in to Google Apps now as my default Google account, OpenID consumers (Stack Exchange sites mostly at this point) use that account (I get a message from Google asking if the site can use that Google account).

This doesn't FORCE the Google Apps account the way it would if you used a non-Google Apps account with (in addition to the provider above)

<link rel="openid2.local_id" href="http://www.google.com/profiles/YOURGOOGLEPROFILE" />

But it does allow me to use my Google Apps account because it is the one I am currently logged in with.

Jeff Martin
  • 1
    Does this work on a free Google Apps account, or only enterprise and education? – Mathieu Longtin Oct 07 '10 at 16:21
  • I used Jeff's code and was able to access some sites (like the StackExchange sites), but not others (37signals stuff), so I had to go back to the old server/delegate model. But if you're using your URL as your delegate, it's worth checking to see if the sites you access often will accept OpenID2. I'm certainly logged in to Google far more than I am in my old OpenID provider. – charliepark Nov 25 '10 at 03:25
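
An added example, not part of any answer on this page: a Python check that reads the OpenID 1.x and 2.0 delegation `<link>` tags discussed in the question and the answer above, and reports endpoints that are not HTTPS, an `openid2.provider` with no `openid2.local_id` (the case the answer says does not force a particular account), and delegate tags missing their server tag. The function names and finding texts are this example's own, and the sample HTML is constructed from the tags quoted on the page.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel tokens used by OpenID 1.x and OpenID 2.0 HTML-based discovery
OPENID_RELS = {"openid.server", "openid.delegate",
               "openid2.provider", "openid2.local_id"}


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        href = (a.get("href") or "").strip()
        # rel is a space-separated token list; one tag may carry several
        for token in (a.get("rel") or "").lower().split():
            if token in OPENID_RELS and href:
                self.found.setdefault(token, href)


def audit_delegation(html):
    """Return (links, findings) for a page's OpenID delegation tags."""
    p = _LinkCollector()
    p.feed(html)
    links, findings = p.found, []
    for rel, href in sorted(links.items()):
        if urlparse(href).scheme != "https":
            findings.append(f"{rel} is not https: {href}")
    if "openid2.provider" in links and "openid2.local_id" not in links:
        findings.append("openid2.provider without openid2.local_id")
    for dep, base in (("openid.delegate", "openid.server"),
                      ("openid2.local_id", "openid2.provider")):
        if dep in links and base not in links:
            findings.append(f"{dep} without {base}")
    return links, findings


# Constructed sample: the tags quoted in the question and the answer above
SAMPLE = """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://samruby.myopenid.com/" />
<link rel="openid2.provider" href="https://www.google.com/accounts/o8/ud" />
</head></html>"""

if __name__ == "__main__":
    print(audit_delegation(SAMPLE))
```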
4

MyOpenID.com does offer openid on your own domain.

Cade Roux
  • 1
    But won't the authentication for this all still go through myopenid.com? I think the OP was asking about using his existing domain credentials. – Kris Kumler Jan 13 '09 at 14:39
  • I see what you're saying. Hopefully the point will be moot one day when all services are OpenID consumers. – Cade Roux Jan 13 '09 at 15:56
1

My understanding is that Google is not exposing that server url, and as such makes this technique inoperable for a Google OpenID.

Nathan Feger
1

They say they will in the future but don't give any clue as to when the future will be here. See this thread in Google Groups: http://groups.google.com/group/google-federated-login-api/browse_thread/thread/19b33847210e5708

1

It's not possible.

Note: OpenID authentication is currently supported for Google accounts only, not Google Apps (hosted) accounts

© http://code.google.com/apis/accounts/docs/OpenID.html

darkk