Google Cross Domain Authentication - coldfusion

I have various sites (on their own domain) with their own authentication systems. What I'm trying to do is combine all the authentication into Google's authentication so the users will only have to log in with their Google credentials. What I'm thinking of is that they would log in with their Google credentials and be redirected to a dashboard which has image links to the other sites. The user should be able to go to any of the sites and be automatically logged in since they were already authenticated. I saw that there's an authentication for Google Apps but is this the same thing for my websites?
What I'm not sure about is how does this happen cross domain? How do the other domains know that the user is already authenticated?
Also, if the user logs out, they should not be able to access any of the sites anymore.
Anyone have any experience implementing something like this? Any resources are much appreciated. I will be implementing this in Coldfusion so Coldfusion resources are a bonus.

You're talking about using Google to log in/sign up, i.e., using OAuth 2.0.
You will need to register each of your app domains with Google. The user will need to confirm each application to allow access (in your case for signup/login).
Resource on Google Login with ColdFusion by Raymond Camden
The point is you need to establish a certain protocol to build trust.
Other options are:
Google oauth javascript cross domain

Related

How to authorize via Google API from WebApp with an unknown URL?

I'm trying to build a plugin for a WordPress app that uploads files to the user's Google Drive space. I don't want the end user to create the Cloud Console project, but rather just have him give consent so the plugin can access the needed data from his Google Drive account.
When I create OAuth 2.0 Client IDs in the Google Cloud Console (Web Application), Google asks for Authorized JavaScript origins and Authorized redirect URIs. Since the plugin will be portable and can be installed on different websites I can't define this.
How can this be solved so that an OAuth2 authentication by the user can be done without knowing the URL where the app is running?
Thanks
You can't. The redirect URI must be configured properly, to point to the web server the authorization code is running on.
You will need to instruct your users in how to create their own client.
Also, as this is a WordPress application, you would need to share your client ID and secret with the users. This is also against Google's TOS.
Possible workaround:
If you put up an authorization server on your own server, the users of your app could then log in through that. A refresh token will be returned to their website running your app and stored locally. Your code could then run using the refresh token to access their data.
However you are then going to be responsible for verifying an app with google drive scopes.
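The workaround above puts an authorization server of your own in front of Google, and that server then faces the same decision Google's console forces on you: which callback URL to trust for each installed copy of the plugin. The following is an added example, not code from the answer, from WordPress or from Google, showing the exact-match registry such a server needs. The client IDs, URLs and registration rules are assumptions for illustration; the one rule that is not an assumption is that a redirect URI is compared byte for byte, because prefix, suffix or "same host" matching is the classic way authorization codes leak to an attacker-controlled page.

```python
from urllib.parse import urlsplit


def redirect_uri_registrable(uri: str) -> bool:
    """Rules applied when a plugin installation registers its callback with the
    self-hosted authorization server (assumed rules, chosen to mirror the kind
    of values a console would refuse)."""
    parts = urlsplit(uri)
    if parts.scheme != "https":                 # no plaintext callbacks
        return False
    if not parts.hostname or "*" in parts.netloc:   # no wildcards, no empty host
        return False
    if "@" in parts.netloc:                     # https://blog.example.net@evil.example/ tricks
        return False
    if parts.fragment or uri.endswith("#"):     # redirect URIs must not carry a fragment
        return False
    return True


class ClientRegistry:
    """Registered redirect URIs per client, looked up by exact string equality."""

    def __init__(self):
        self._uris = {}  # client_id -> set of exact redirect URIs

    def register(self, client_id: str, uri: str) -> bool:
        if not redirect_uri_registrable(uri):
            return False
        self._uris.setdefault(client_id, set()).add(uri)
        return True

    def redirect_uri_allowed(self, client_id: str, candidate: str) -> bool:
        """Exact match only. No normalisation of case, trailing slash, extra
        query parameters or path suffixes: anything the client did not register
        verbatim is refused, and the code is never sent there."""
        return candidate in self._uris.get(client_id, set())


if __name__ == "__main__":
    # Constructed sample: one WordPress installation registers its callback.
    registry = ClientRegistry()
    callback = "https://blog.example.net/wp-admin/admin.php?page=drive-plugin"
    print("registered:", registry.register("wp-install-1", callback))
    for candidate in (callback, callback + "/", callback + "&next=//evil.example",
                      "https://evil.blog.example.net/wp-admin/admin.php?page=drive-plugin"):
        print(registry.redirect_uri_allowed("wp-install-1", candidate), candidate)
```

The `authorize` endpoint of the self-hosted server would call `redirect_uri_allowed` before it emits any redirect at all; on failure it should render an error page, not redirect to the unregistered value with `error=invalid_request`, since that redirect is the open redirect the check exists to prevent.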

How do I authenticate to Google Workspace though a Website for User Management?

So we have Google login on the website, which is part of the CMS. The CMS is hooked up to Active Directory, which has GoogleADSync installed.
Our admins are having to make accounts in AD, and on Google, and I want to fix this because it seems beyond cumbersome.
The API seems slick but how do I actually AUTHENTICATE so I can call those endpoints? Other services we use have just an API key to throw into the headers, but the Workspace auth docs seem pretty... heavy. Or is it as simple as using the existing API key we've generated for the website authentication (or make a new key over there in the google console?).
Any help would be great because it seems daunting atm.

SSO solutions for Django

I have several Django websites and I want to create a centralized auth provider. The auth provider site would contain the user accounts and be the only repository for user details and passwords. Users would log into the auth provider site and when they visit each satellite website for the first time, an account is created on that site. Subsequent visits to the satellite site would result in them being sent to the auth provider site to log in first. On returning they are automatically logged in to the satellite site. My only difficulty is that the auth provider site would be on the internet and the satellite sites are in DMZs on private networks with access to the internet. So the satellite sites cannot establish any outgoing connections to the auth provider.
I still need the ability to log into the satellite sites using the locally configured admin user.
I looked at OAuth2 but I don't think that fits my needs. I'm currently reading about OpenID but I noticed a comment that the satellite server contacts the OpenID server, which cannot happen in my configuration. When I say OpenID I mean that I would have to run my own server as I need 100% control over the users. Are there any other solutions I've not mentioned yet that meet my requirements?
Thanks
What you're looking for is essentially SAML.
Unfortunately, I'm not aware of any good off-the-shelf open source solutions for this.
If you're looking for a service solution, the company I work at (Stormpath) provides a library that does this. It's free to use. https://github.com/stormpath/stormpath-django
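Both the first question on this page (how do the other domains learn that the user already logged in?) and this Django question (the satellites cannot call out to the provider) come down to the same mechanism that SAML formalises: the central site signs a short-lived, single-use assertion, the browser carries it to the satellite in the redirect, and the satellite verifies it with nothing but a key it already holds. The following is an added example of that handoff; it is not code from any of the posts, from Stormpath or from any SAML library. Its assumptions: one secret per satellite shared out of band, HMAC-SHA256 standing in for the asymmetric signature SAML would use so that it runs on the standard library alone, and the issuer and audience strings shown.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthProvider:
    """Central site: holds the accounts and signs handoff assertions."""

    def __init__(self, issuer, satellite_keys):
        self.issuer = issuer
        self.keys = satellite_keys  # assumed: audience -> per-satellite secret

    def issue(self, subject, email, audience, ttl=60, now=None):
        now = int(time.time()) if now is None else now
        claims = {
            "iss": self.issuer, "aud": audience, "sub": subject, "email": email,
            "iat": now, "exp": now + ttl, "jti": secrets.token_urlsafe(16),
        }
        payload = _b64u(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
        sig = hmac.new(self.keys[audience], payload.encode("ascii"), hashlib.sha256).digest()
        return payload + "." + _b64u(sig)


class Satellite:
    """Site inside the DMZ: verifies assertions offline, with its own key only."""

    def __init__(self, audience, issuer, key, clock_skew=30):
        self.audience, self.issuer, self.key, self.skew = audience, issuer, key, clock_skew
        self.used = {}  # jti -> exp: replay cache, pruned once the assertion expires anyway

    def verify(self, token, now=None):
        """Return the verified claims, or None if the assertion must be refused."""
        now = int(time.time()) if now is None else now
        try:
            payload, sig_b64 = token.split(".")
            message, sig = payload.encode("ascii"), _unb64u(sig_b64)
        except ValueError:
            return None
        expected = hmac.new(self.key, message, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):   # constant-time; checked before parsing
            return None
        try:
            claims = json.loads(_unb64u(payload))
        except ValueError:
            return None
        if not isinstance(claims, dict):
            return None
        if claims.get("iss") != self.issuer or claims.get("aud") != self.audience:
            return None  # a token minted for another satellite must not log in here
        iat, exp = claims.get("iat"), claims.get("exp")
        if not isinstance(iat, int) or not isinstance(exp, int):
            return None
        if now >= exp or iat > now + self.skew:      # expired, or from the future
            return None
        self.used = {j: e for j, e in self.used.items() if e > now}
        jti = claims.get("jti")
        if not jti or jti in self.used:              # each assertion logs in exactly once
            return None
        self.used[jti] = exp
        return claims


if __name__ == "__main__":
    # Constructed keys and names for a stand-alone run.
    keys = {"intranet-a": secrets.token_bytes(32), "intranet-b": secrets.token_bytes(32)}
    provider = AuthProvider("https://auth.example.com", keys)
    site_a = Satellite("intranet-a", "https://auth.example.com", keys["intranet-a"])
    token = provider.issue("user-42", "alice@example.com", "intranet-a")
    print("first use:", site_a.verify(token))
    print("replay:", site_a.verify(token))
```

The satellite creates or loads its local account from `sub` once `verify` returns, and from then on relies on its own session cookie; the assertion is consumed by the redirect and never stored. Global logout, which the first question also asks for, has no free answer in this design because the satellites cannot ask the provider whether the session is still alive: keep satellite sessions short and re-run the redirect when they lapse, or have the provider's logout page hit each satellite's logout URL from the browser.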

Authentication with website, mobile app, and webservice

I am creating a service that will include a website, a mobile app, and a web service.
Both the website and mobile app will talk to the web service to interact with the database and any other backend items.
I would like users to be able to log in with other services (such as google, facebook, twitter, etc.)
I have two questions in implementing this:
1.) Should I use OpenID or OAuth? I'm not sure which is better for the situation. I have no need to actually access features from a users account, I just want them to be able to log in with accounts they already have,
2.) Where should I implement the authentication? Do I have to implement it both on the website and on the mobile app, or could I have both talk to the web service and do the authentication there?
Thanks
If you are just doing authentication and not syncing any account details, I think OpenID is the way to go. From a security standpoint, I would say to implement your authentication on the website and on the app and not in the webservice. You want to handle credentials the least amount possible and especially avoid sending the credentials via webservice if not using SSL.

Using SSO to log into my existing application from Google Apps

My company will be soon switching to Google Apps, and I would like to propose the idea of having our site administration page be authenticated with OpenID. Therefore, any user who is logged into Google Apps would be automatically logged in to our site administration. Currently, our site administration has its own list of users and passwords in the DB, but I would like to have the user list based off Google Apps, with their unique identifier saved in our DB. That way, new employees would only have to be set up in Google Apps to access our site administration.
I've done some research, and come across terms like SSO, OpenID, and SAML, but I can't quite narrow down which route I'm supposed to go. It seems like Google has a lot of paths open for development, and I'm not sure which one I'm supposed to take.
My question is: What kind of Authentication am I seeking for my purpose described above, and can anyone point me in the direction of where to get started? My site is published in ColdFusion 9, so answers specific to that platform are a bonus.
If you just need Web SSO -- I believe you would use your GApps domain as an OpenID Provider. Your application would then act as an RP and consume identities as established by your own GApps domain and company administration. GApps can only act as a SAML Service Provider -- so using SAML for this use case isn't realistic.
HTH
Ian
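Whichever provider protocol the RP ends up speaking, the step the question describes (keep the Google Apps identifier in the DB and let that be the user list) has two checks a practitioner wants: admit only identities from the company's own Apps domain, and link accounts by the provider's stable identifier rather than by e-mail address. The following is an added example of that linking step, not code from the question, from Ian's answer or from any OpenID library; the input shape (a dict with the opaque `identifier` the provider returned and the verified `email`), the domain name and the role string are assumptions. The same routine fits the Django satellites' first-visit account creation earlier on the page.

```python
class AdminDirectory:
    """Local administration accounts keyed on the provider's stable identifier."""

    def __init__(self, company_domain):
        self.domain = company_domain.lower()
        self.by_identifier = {}  # identifier -> account record
        self.by_email = {}       # email -> identifier, kept only to detect conflicts

    def login(self, assertion):
        """Return the local account for a verified assertion, creating it on the
        first login; return None when the identity must not be admitted."""
        identifier = assertion.get("identifier")
        email = (assertion.get("email") or "").strip().lower()
        if not identifier or "@" not in email:
            return None
        _, _, domain = email.rpartition("@")
        if domain != self.domain:   # exact compare: endswith() would admit evil-example.com
            return None
        account = self.by_identifier.get(identifier)
        if account is None:
            if email in self.by_email:   # mailbox already bound to a different identifier
                return None              # refuse; linking by e-mail is how takeovers happen
            account = {"identifier": identifier, "email": email, "role": "site-admin"}
            self.by_identifier[identifier] = account
            self.by_email[email] = identifier
            return account
        if account["email"] != email:    # mailbox renamed in Google Apps, same person
            if self.by_email.get(email, identifier) != identifier:
                return None              # new address collides with someone else's
            self.by_email.pop(account["email"], None)
            account["email"] = email
            self.by_email[email] = identifier
        return account


if __name__ == "__main__":
    # Constructed sample logins for a stand-alone run.
    directory = AdminDirectory("example.com")
    print(directory.login({"identifier": "opaque-id-1", "email": "Alice@Example.com"}))
    print(directory.login({"identifier": "opaque-id-2", "email": "mallory@evil-example.com"}))
    print(directory.login({"identifier": "opaque-id-3", "email": "alice@example.com"}))
```

The `role` is deliberately not taken from the assertion: membership of the Apps domain decides who may reach the administration site, while what they may do there stays a local decision. Deprovisioning then follows from the provider too, since an identity that no longer exists in Google Apps can no longer produce an assertion, and the stale local record is harmless without one.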