Google Apps Premier federated login with PHP

Google supports OpenID authentication, that is, it acts as an OpenID identity provider for Google Apps accounts. This means a user can use Google Apps (GA) credentials to sign in to different services. This is especially useful for companies that want to unite other internal services behind the Google Apps single sign-in point. This applies to the Standard edition as well.

I have got it working for PHP. Here is the story.

Having spent about 3 hours getting it to work, I do not consider OpenID a simple protocol that will conquer the Net soon. Why shouldn’t it be as simple as adding PayPal payment to a site?

Nevertheless, I made a working sample. I used php-openid-2.1.3.zip, a quite standard OpenID library, and the php-openid-apps-discover.tar.gz helper for Google Apps.

It does not need any installation; just make the “tmp” directory writable. Do not test it using a local Apache; upload it somewhere on the web.

Note: The Federated Login Service is disabled by default for Google Apps Premier and Education Editions. The domain admin can enable it from the Control Panel at http://www.google.com/a/cpanel/<your-domain>/SetupIdp.

Test here

Download library

UPDATE!! Please look at this post for updated libraries and example code.

36 comments

  1. I tried this and it used to work but now it doesn’t. No change on my end. Is there anything Google could have done to make this stop working?

  2. Yes, it does work on your site. What file is not found though? All I did was put the openid-ga on my server. Do I need another file in the root? Email me at the address provided if you’d like.

  3. Is the PHP setup the same? Is the phpinfo() output the same? This lib depends on SSL, as I remember.

  4. I get “OpenID authentication failed: Nonce already used or out of range”
    when I am trying with the domain dkdelfinen.se
    Have you any idea why?

  5. Hmm… it does not work for my domain either 🙁 This means the realization is too complex to be reliable. I will take a look at why it broke.

  6. But I don’t know if it is useful to access Google Docs, for example.

    I know that OpenID is used to access Google Apps, but I don’t know if it is useful to access documents from another website to include in HTML…

    Is it possible?

    Thks

  7. For accessing Google Docs you should use the Google Docs API. This OpenID technique is useful for organizing access to other corporate services using the same Google Apps login everybody in the company has.

  8. Hello!

    I want to ask you if you would consider updating the library to the latest (2.2.2) version of the OpenID PHP lib and to the latest (1.0.2) version of the Google discovery PHP add-on to that first library, as currently there are tons of issues with PHP5 and especially with 5.3. I’ve been struggling for 2 days to get GA OpenID discovery to work and I think I’m about to succeed; a little help would be appreciated by me and other users.

    Thank you for your great work!
    Dimitar

  9. Why not, I am trying to get it working with latest versions of libs:
    php-openid-apps-discover-1.0.2.zip
    openid-php-openid-2.2.2-0-ga287b2d.zip

    Hope it will work; if not, the verdict is clear: open_id is too complex and sucks.

  10. Hi Constantin,
    Great job … I downloaded and executed it, but I am getting the error
    “Auth request object error . Try again”. Please help.

    Thank you

  11. Constantin,
    This error comes up when I click Google login or Yahoo login. If I enter a domain name and click on login, I get an empty page. Please help me.

  12. Constantin,
    Whenever I refresh the page, I get the following error. If you know why, please help me.

    “OpenID authentication failed: Nonce already used or out of range”

    Thank you

  13. I resolved it, Constantin. I commented the following code:

    $response = $consumer->complete($config['return_url']);

    // Check the response status.
    if ($response->status == Auth_OpenID_CANCEL) die('Verification cancelled.');
    if ($response->status == Auth_OpenID_FAILURE) die("OpenID authentication failed: " . $response->message);
    if ($response->status != Auth_OpenID_SUCCESS) die('Other error');

    // Successful login

    // Extract returned information
    $openid = $response->getDisplayIdentifier();
    $ax = new Auth_OpenID_AX_FetchResponse();
    if ($ax) $ax = $ax->fromSuccessResponse($response);

    $sreg = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
    if ($sreg) $sreg = $sreg->contents();

  14. Constantin,
    How do I redirect a URL to the login page?
    Example: suppose I type a URL like “http://www.mydomain.com/test/contantin.php”; first it redirects to “http://www.mydomain.com/index.php” and checks the credentials, and after that it goes to the actual URL.

    Please help me .

  15. This works well, thanks very much.

    As someone not familiar with the scheme used, do you have some example code to extract the parameters (e.g., first name, last name, email id, etc.)? I see that you have the print_r to dump the $ax->data, but how does one access the various elements? Thanks.

    Rajeev

  16. No, my question was to access each element, not just dump the whole array. I figured it out (e.g., to get email … )
    $ax->data["http://axschema.org/contact/email"][0]

    Thanks, again, the library is very useful.

  17. BTW, a related question … apparently axschema.org is no longer operational, so how is the data still being accessed from it? And is there going to be a switch to schemas.openid.net?
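
The error quoted in comments 4 and 12 names two conditions: a nonce that was already used and a nonce outside the accepted time range. As an added example (not code from the post, its comments or php-openid), this sketch checks an OpenID 2.0 response nonce for both, which is why a reloaded return URL is rejected; the class `NonceChecker`, the endpoint URL, the sample nonce and the 300-second window are assumptions.

```php
<?php
// Added example: simplified OpenID 2.0 response_nonce check on the relying party.
// NonceChecker is a hypothetical class, not part of php-openid.

final class NonceChecker
{
    private $seen = [];   // "endpoint|nonce" => issue time; a real store must persist
    private $skew;        // accepted clock difference in seconds (assumed value)

    public function __construct(int $skew = 300)
    {
        $this->skew = $skew;
    }

    /** Returns 'ok', 'malformed', 'out_of_range' or 'replayed'. */
    public function check(string $endpoint, string $nonce, int $now): string
    {
        // Nonce = UTC timestamp (no fractional seconds, "Z" suffix) + optional
        // unique tail of printable ASCII, 255 characters at most in total.
        $re = '/^(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)Z[\x21-\x7e]*$/D';
        if (strlen($nonce) > 255 || !preg_match($re, $nonce, $m)) {
            return 'malformed';
        }
        $issued = gmmktime((int)$m[4], (int)$m[5], (int)$m[6],
                           (int)$m[2], (int)$m[3], (int)$m[1]);

        // Too far from our clock: stale response or a wrong server clock.
        if (abs($now - $issued) > $this->skew) {
            return 'out_of_range';
        }
        // Already accepted once from this provider endpoint: a replay.
        $key = $endpoint . '|' . $nonce;
        if (isset($this->seen[$key])) {
            return 'replayed';
        }
        $this->seen[$key] = $issued;
        return 'ok';
    }
}

// Constructed sample values, not taken from a real response.
$endpoint = 'https://idp.example/openid';
$now      = gmmktime(12, 0, 0, 3, 1, 2010);
$nonce    = '2010-03-01T11:59:30ZaB3xYz';

$rp = new NonceChecker();
echo $rp->check($endpoint, $nonce, $now), "\n";            // first delivery
echo $rp->check($endpoint, $nonce, $now + 5), "\n";        // return URL reloaded
echo $rp->check($endpoint, $nonce, $now + 6 * 3600), "\n"; // clock six hours off
```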
