Google Gateway Frequently Asked Questions


General Questions

Why is Google being used in the InCommon Federation? What is the goal of this project?

For the Service Providers listed on the Google Gateway home page (and others to come), Google has become the Identity Provider of Last Resort (IdPoLR). Since many users already have a Google account, using Google as the IdPoLR precludes the need for users to create yet another password to access federated services. This is a big win for both users and Service Provider operators.

...

I run a Service Provider in the InCommon Federation. Can my users use the Google Gateway to access my service?

No. You may implement your own gateway for Google authentication or contract with a commercial provider for such services. InCommon's is powered by Cirrus Identity.

What protocols does the Google Gateway support?

...

How will my users know Google is an option?

Your service will consume Google Gateway metadata (which looks like any other IdP metadata in the InCommon Federation). The discovery interface will include "Google Sign In" (since the Google Gateway is just another InCommon IdP). If the user chooses some other IdP, and the SAML Response comes back with insufficient attributes, you can present Google more prominently on the discovery interface and let the user try again.
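The "insufficient attributes, try again" decision above, as an added example that is not part of the original FAQ or any InCommon software: it reads the AttributeStatement of an already signature-verified assertion, checks for the attributes a hypothetical SP requires (ePPN and mail, by their standard OIDs), and validates the ePPN scope against the scopes the SP holds for that IdP from federation metadata (the shibmd:Scope elements). The required attribute set, the allowed scopes and the sample assertion are constructed for the example.

```python
# Added example (not from the InCommon page or Cirrus Identity).
# Assumes the calling SAML library has already verified the Response signature,
# audience and validity window; this only inspects the attribute content.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"   # eduPersonPrincipalName
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"  # mail
REQUIRED = {EPPN_OID, MAIL_OID}                 # hypothetical SP's minimum set


def extract_attributes(assertion_xml):
    """Return {attribute Name: [non-empty values]} from a saml:Assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        if values:
            attrs[attr.get("Name")] = values
    return attrs


def missing_attributes(attrs, required=REQUIRED):
    """Required attribute names the assertion did not carry (sorted for stable output)."""
    return sorted(required - set(attrs))


def eppn_scope_ok(attrs, allowed_scopes):
    """Every asserted ePPN must be user@scope with scope registered for this IdP."""
    values = attrs.get(EPPN_OID, [])
    for value in values:
        user, sep, scope = value.rpartition("@")
        if not sep or not user or scope not in allowed_scopes:
            return False
    return bool(values)


def next_step(attrs, allowed_scopes):
    """Decide what the SP does with this Response: proceed, retry via Gateway, or reject."""
    if missing_attributes(attrs):
        return "retry-with-google-gateway"   # re-present discovery, Google first
    if not eppn_scope_ok(attrs, allowed_scopes):
        return "reject"                      # identifier outside the IdP's scope
    return "proceed"


# Constructed sample: ePPN present, mail absent, so the SP should offer a retry.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>jdoe@idp.example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```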

Does the Google Gateway provide a unique identifier for each person?

Yes, the Gateway asserts an eduPersonPrincipalName (ePPN) for each user. As is the case with other IdPs in the InCommon Federation, relying parties trust this identifier at their own risk.

The ePPN asserted by the Gateway for a particular user is the same for all downstream SPs. (We say that the ePPN is "scoped to the Federation.") See the Google Gateway home page to understand how the ePPN is computed by the Gateway.

...

Yes, see the Google Gateway home page for a complete list of attributes asserted by the Gateway.

How do I know if the person name asserted by the Google Gateway is correct?

To our knowledge, there is no social IdP that makes claims about the veracity of person names. Even a certified LoA-1 IdP (social or otherwise) makes no such claims. A relying party must make its own determination regarding the accuracy of the person name asserted by the Gateway (or any other IdP for that matter).

...

The gateway does not assert any level of assurance (LoA) value; it just passes through the attributes that the Google IdP provides. Nothing can be said about the trustworthiness of these attributes, which are not covered by any Federation policy. Thus Service Providers make determinations regarding LoA on a per-transaction basis at their own risk.