Google联合登录如何限制到特定的Apps域? [英] How limit Google Federated Login to specific Apps domain?

问题描述

我想在客户的应用程序中实现单点登录.客户已通过Google Apps托管电子邮件.由于Google提供了OpenID，因此这可能相对容易实现.但是，该用户可能未登录正确的Google帐户(甚至多个帐户).

I want to implement Single Sign-on in a customer's application. The customer has hosted email through Google Apps. As Google offers OpenID, this could be relatively easy to implement. However, the user might not be signed in to the correct Google Account (or even multiple accounts).

因此，在使用Google OpenID端点https://www.google.com/accounts/o8/id时，系统会向用户显示他/她要登录的Google帐户的选择.由于该应用程序仅允许来自Google Apps域的登录，因此可以跳过此步骤，应该这样做是为了增加用户体验.但是，我无法找到实现此目的的方法.在SO上有此问题，但是链接都死了或参考过时的规格.另外，在 Google帐户用户的联合登录规格.

So, when using the Google OpenID endpoint https://www.google.com/accounts/o8/id the user is presented with a choice with which Google Account he/she wants to sign-in. As the application will only allow sign-ins from the Google Apps domain, this step could be skipped and should be for increased user experience. I could, however, not find ways to do this. There is this question on SO, but the links are all dead or refer to outdated specs. Also I could not find a hint in the Federated Login for Google Account Users specs.

有些地方说应该使用https://www.google.com/a/[domain]/o8/ud?be=o8，但这似乎不起作用了(不再):

Some places say one should use https://www.google.com/a/[domain]/o8/ud?be=o8, but that does not seem to work (anymore):

$ wget --header='Accept: application/xrds+xml' https://www.google.com/a/[domain]/o8/ud?be=o8
2012-01-24 09:29:53 ERROR 400: Bad Request.

推荐答案

尽管我找不到官方记录，但是特定Google Apps域的终点是:

Although I couldn't find official records, the end point for a specific Google Apps Domain is this:

https://google.com/accounts/o8/site-xrds?hd=<domain>

使用这种方法时，请注意，您将遇到针对Google的修改:

When using this approach, be aware that you will run into a google-specific modification:

Google更改了IdP发现的方式，用户XRDS进行了一些检查，以使Google Apps用户在 http://example.com/openid?id=108441225163454056756 这种格式，而无需用户构建自己的openid服务器.对于小型公司，如果他们使用Google Apps，则人们可以在域名下获得自己的openid，而域名则少之又少. 源

Google changed the way of IdP Discovery and user XRDS check a little bit to give Google Apps users openid in http://example.com/openid?id=108441225163454056756 kind of format without asking the users to build their own openid servers. For small companies, people can get their openid under their domain with as few as just a domain name if they use Google Apps. source

这篇关于Google联合登录如何限制到特定的Apps域?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！