For the Service Providers listed on the Google Gateway home page, Google has become the Identity Provider of Last Resort (IdPoLR). Since many users already have a Google account, using Google as the IdPoLR removes the need for users to create yet another password to access federated services. This is a big win for both users and Service Provider operators.
That's not entirely true. Site Administrators may not use federated identities (Google or otherwise) to log into the Federation Manager. On the other hand, Delegated Administrators must use federated identities to log into the Federation Manager. A Delegated Administrator may use Google for this purpose if the Site Administrator approves.
That is completely up to you. You could even create a new Google account for exclusive use with the Gateway (although there's no particularly good reason for doing so).
Yes, you can. At the Google sign in page, type your campus email address into the email field but leave the password field blank. Google will automatically redirect your browser to your campus login page.
Btw, exactly the same technique works for Google Apps for Business or any other Google Apps account. If you enter the email address of one of your personal Google Apps accounts, you'll have to type your password as well (since there's nowhere else to go!).
No, sorry, we only support Google at this time.
No, the Gateway maintains NO state information about the browser users who use it. It does maintain log files for troubleshooting issues and compiling usage statistics, but that’s all.
No, the Gateway may be used by Internet2 Service Providers only. You may implement your own gateway for Google authentication or contract with a commercial provider for such services. InCommon's is powered by Cirrus Identity.
On the near side of the Gateway, facing the SP, the protocol used is ordinary SAML V2.0 Web Browser SSO. In that sense, the Google Gateway is just like any other IdP in the InCommon Federation.
On the far side of the Gateway, facing Google, the protocol is OpenID Connect (not to be confused with OpenID 2.0). So technically the Google Gateway translates OpenID Connect (OIDC) assertions (ID tokens) into SAML assertions, that is, it is an instance of an OIDC-to-SAML gateway. Note what that means for trust: a downstream SP trusts the Gateway's SAML signature, and the Gateway in turn is the party that verifies Google's ID token before asserting anything about the user.
No. Since the Gateway is intended to be used by Internet2 Service Providers only, including it in InCommon metadata would only confuse users on discovery interfaces.
"Google Sign In" will automatically appear on the discovery interface.
Yes, the Gateway asserts an eduPersonPrincipalName (ePPN) for each user. The ePPN asserted by the Gateway for a particular user is the same for all downstream SPs. (We say that the ePPN is "scoped to the Federation.") See the Google Gateway home page to understand how the ePPN is computed by the Gateway.
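The two answers above (the Gateway as an OIDC-to-SAML translator, and the ePPN being the same for every downstream SP) can be illustrated with a small model of the translation step. The following is an added example, not the Google Gateway's own code, and the ePPN scheme, the scope `google.gateway.example.org`, the client ID and the sample ID-token claims are all assumptions made up for the illustration; the real computation is described on the Google Gateway home page. Signature verification of the ID token (RS256 against Google's published JWKS) is assumed to have already happened, so only the claim checks are shown.

```python
"""
Hypothetical OIDC-to-SAML gateway core (added example, not the Google
Gateway's code). It (1) checks the claims of a Google ID token after
signature verification, (2) derives a federation-scoped ePPN that depends
only on Google's stable 'sub' claim, so every downstream SP receives the
same value, and (3) emits the SAML AttributeStatement an SP would see.
A pairwise (per-SP) identifier is included only as a contrast.
"""
import hashlib
import json
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

GATEWAY_SCOPE = "google.gateway.example.org"            # assumed scope
GATEWAY_CLIENT_ID = "gateway.apps.googleusercontent.com"  # assumed client ID
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"           # eduPersonPrincipalName

# Constructed sample ID-token payload (claims only; signature assumed verified).
SAMPLE_NOW = 1_700_000_000
SAMPLE_CLAIMS_JSON = json.dumps({
    "iss": "https://accounts.google.com",
    "aud": GATEWAY_CLIENT_ID,
    "sub": "110169484474386276334",   # constructed, Google-style numeric sub
    "exp": SAMPLE_NOW + 3600,
    "email": "user@example.edu",
})


def verify_id_token_claims(claims, now):
    """Relying-party claim checks: issuer, audience, expiry, subject present."""
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        raise ValueError("unexpected issuer")
    if claims.get("aud") != GATEWAY_CLIENT_ID:
        raise ValueError("ID token was not issued to this gateway")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if not claims.get("sub"):
        raise ValueError("missing sub claim")
    return claims


def federation_scoped_eppn(sub):
    """Assumed scheme: opaque hash of 'sub' plus a fixed scope. Because the
    input does not include the SP's entityID, every SP sees the same ePPN."""
    digest = hashlib.sha256(sub.encode()).hexdigest()[:16]
    return f"{digest}@{GATEWAY_SCOPE}"


def pairwise_id(sub, sp_entity_id):
    """Contrast only: an SP-scoped identifier that differs per SP."""
    digest = hashlib.sha256(f"{sub}|{sp_entity_id}".encode()).hexdigest()[:16]
    return f"{digest}@{GATEWAY_SCOPE}"


def saml_attribute_statement(claims):
    """Build the SAML 2.0 AttributeStatement carrying the ePPN."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    attr = ET.SubElement(
        stmt, f"{{{SAML_NS}}}Attribute",
        Name=EPPN_OID,
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
        FriendlyName="eduPersonPrincipalName",
    )
    value = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue")
    value.text = federation_scoped_eppn(claims["sub"])
    return ET.tostring(stmt, encoding="unicode")


def translate(id_token_payload_json, now):
    """OIDC claims in, SAML AttributeStatement (as XML text) out."""
    claims = verify_id_token_claims(json.loads(id_token_payload_json), now)
    return saml_attribute_statement(claims)


if __name__ == "__main__":
    print(translate(SAMPLE_CLAIMS_JSON, SAMPLE_NOW))
```

The thing to take away is the shape of the ePPN function: its only user-dependent input is Google's `sub`, which is why the value is "scoped to the Federation" rather than to any one SP, and why two SPs on the Gateway can correlate the same user, unlike the pairwise variant shown for contrast.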
Yes, see the Google Gateway home page for a complete list of attributes asserted by the Gateway.