We are an existing web application where schools are subscriptions and students under that school can use our web app. They currently have logins with projects under the logins.
Since students keep forgetting logins, schools want to start migrating to Google Apps marketplace app approach where all students have to do is click on universal navigation icon.
But since the students could already have an account with us, the first time they log in from the universal icon they are shown a screen to map an existing account or create a new one. Once that is done, the next time the student comes in, they log in and enter the app right away. No intermediate steps.
With that background, our marketplace app is being rejected with the reason, we do not implement SSO.
Can somebody help me understand how we are not implementing SSO?
It was an issue with mismatch credentials in the marketplace app and PHP code.
Used the same API keys in both places fixed it.
I have developed an app that synchronises our users' Google contacts with the School's database. When I submitted the consent screen for verification I was asked to change the display name, as it violated branding policies by including GMail in the title. However, when I try to update the consent screen in the API Console, after changing the app name the Save button remains greyed out, so I can't change it. How do I proceed now?
Note the app is currently in use with an unverified consent screen, but new users are now unable to sign up since Google appear to have tightened their policies.
Also the app is only used by members of our organisation, so it should really be an internal app. However the Make Internal link is deactivated, apparently because I am not a G Suite User. However we have a G Suite for Education account, so does this not make me a G Suite user?
As no-one has provided a solution it looks like there is none. Therefore I've resorted to my plan B, which is to create a new API Project and consent screen. This time I created it as an internal project, which avoids any complications of validation. The previous project was created public as it was envisaged that parents with private Gmail accounts might also use it. However, with the constraints of GDPR it has been decided to restrict it to employees only. Fortunately I have found a way for existing users to continue using the old version, while new users have to register using the new consent screen.
It appears that the message about not being able to change to a local project if you're not a G Suite user is a red herring. I suspect you just can't change project type once it's in use, because of the possible implications for existing users.
I have a custom application for internal use only where currently users are created by a super admin. Some of the users are from within the business and some external e.g. suppliers/customers.
I'm looking for a way to integrate MS Active Directory as a login option but want to be able to restrict which users from the business can actually use this method.
I have searched through all the MS docs and have all the documentation on the different OAuth approaches, but I'm not sure which one would be suitable for my needs.
I am thinking that perhaps I need to give the admin a way to browse the AD and select the users that can log in, which then creates inactive user accounts in the MySQL database with some sort of MS user ID. Then provide a 'Sign in with MS' button that does the usual auth redirection process to MS and back to the site. At that point I can check an ID, see if that matches an allowed user account, and if so sync the rest of the data, e.g. name, email, phone etc.
Links I've already found:
https://learn.microsoft.com/en-gb/azure/active-directory/develop/authentication-scenarios
https://learn.microsoft.com/en-gb/graph/tutorials/php
https://github.com/microsoftgraph/msgraph-training-phpapp/tree/master/Demos/03-add-msgraph
Your first order of business is enabling a user to sign in to the Laravel-based app. For this, I strongly recommend not trying to re-invent the wheel (at least not completely), and make use of an existing Laravel package. Laravel Socialite is probably the best place to start, since it has a long list of existing community-provided Socialite providers, including three which work with Azure AD already: Microsoft, Microsoft-Graph and Microsoft-Azure. (Note: Though I haven't tested any of these myself, the first two seem to be the most promising, as they use the newer v2 endpoint.)
When it comes to authorization (controlling access), you have two options:
Control at Azure AD
Once you've got the app integrated with Azure AD, you can configure the app in Azure AD to require user assignment, and then control access to the app by assigning (or not) users to the app. Users who are not assigned won't even make it past the sign-in page.
You can use Azure AD's existing experiences for managing user and role assignment for the app, or you could go all-out and build this experience directly into the Laravel-based app itself, making use of the Azure AD Graph API to create the [app role assignments](https://learn.microsoft.com/en-us/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#approleassignment-entity) and user picker experience.
Hint: In either case, remember that you can make the app "superuser" an "owner" of the app in Azure AD (Azure AD > Enterprise apps > (app) > Owners), which will allow them to assign users without needing to give them any additional privileges in Azure AD.
Control at the app
In this approach, you allow all users to sign in to the app with Azure AD, but then you use your app's own authorization logic to decide who makes it any further, and what roles they get in the app.
In reality, you will most likely find the best approach is to use a combination of the two, with some of the authorization enforced by Azure AD and the next level enforced by the app itself.
If you would do it in this way, it will be necessary that the super-admin always has these permissions in the AAD. From my point of view it is less practical.
I would prefer such app assignments with the help of a Service Principal. You assign a role (look for app roles) to the user and then your business logic must decide which permissions the user has. If you would use the app roles feature, then you can restrict access to the role with its help. All users can log in, but only users with a specific role would be able to see the content of the app.
I hope these hints can help to find the right direction, but there is no silver bullet solution... :/
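The "control at the app" approach from the two answers above (an app-side allow list keyed on the directory object id, with an optional app-role gate) as an added illustration; this is not code from either answerer, from Laravel Socialite, or from any Microsoft library. It is written in Python to show the decision logic independently of the framework. It assumes the OIDC client has already validated the ID token (signature, issuer, audience, expiry) and hands over its claims as a dict, and the user store is a constructed in-memory dict standing in for the MySQL table. The tenant id, object ids, names and role name are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed placeholder for the organisation's Azure AD tenant id (the "tid" claim).
EXPECTED_TENANT = "00000000-0000-0000-0000-0000000000aa"


@dataclass
class LocalUser:
    """Row in the app's own user table; pre-created (inactive) by the super admin."""
    ms_oid: str                      # Azure AD object id: immutable per user per tenant
    active: bool = False
    name: Optional[str] = None
    email: Optional[str] = None
    roles: Set[str] = field(default_factory=set)


class AccessDenied(Exception):
    """Raised when a successfully signed-in Azure AD user may not enter the app."""


def authorize_sign_in(claims: Dict[str, object],
                      users: Dict[str, LocalUser],
                      required_role: Optional[str] = None) -> LocalUser:
    """Decide, after Azure AD has authenticated the user, whether the app admits them.

    `claims` are the already-validated ID token claims; the OIDC client is assumed to
    have checked signature, issuer, audience and expiry before this function runs.
    """
    # 1. Only accept users from our own directory. A multi-tenant registration would
    #    otherwise authenticate any Azure AD account, including foreign tenants.
    if claims.get("tid") != EXPECTED_TENANT:
        raise AccessDenied("token issued for a different tenant")

    # 2. Key the lookup on "oid", never on e-mail or display name: both can change or
    #    be reassigned, so they are not a stable identity for the allow list.
    oid = claims.get("oid")
    if not isinstance(oid, str) or not oid:
        raise AccessDenied("token carries no object id")
    user = users.get(oid)
    if user is None:
        raise AccessDenied("user was not provisioned by the super admin")

    # 3. Optional second gate: app roles assigned in Azure AD arrive in the "roles" claim.
    token_roles = set(claims.get("roles") or [])
    if required_role is not None and required_role not in token_roles:
        raise AccessDenied(f"missing app role {required_role!r}")

    # 4. Admit: activate the placeholder row and sync profile data from the token.
    user.active = True
    user.name = claims.get("name") or user.name
    user.email = claims.get("preferred_username") or user.email
    user.roles = token_roles
    return user


def sign_in_allowed(claims: Dict[str, object],
                    users: Dict[str, LocalUser],
                    required_role: Optional[str] = None) -> bool:
    """Convenience wrapper for a login controller: True if admitted, False if denied."""
    try:
        authorize_sign_in(claims, users, required_role)
        return True
    except AccessDenied:
        return False


def build_sample_store() -> Dict[str, LocalUser]:
    """Constructed user table: two rows the super admin picked from AD, still inactive."""
    return {
        "11111111-1111-1111-1111-111111111111": LocalUser(
            ms_oid="11111111-1111-1111-1111-111111111111", email="alice@example.com"),
        "22222222-2222-2222-2222-222222222222": LocalUser(
            ms_oid="22222222-2222-2222-2222-222222222222", email="bob@example.com"),
    }


if __name__ == "__main__":
    store = build_sample_store()
    # Constructed claims as a validated ID token would present them.
    alice = authorize_sign_in({"tid": EXPECTED_TENANT,
                               "oid": "11111111-1111-1111-1111-111111111111",
                               "name": "Alice Example",
                               "preferred_username": "alice.example@example.com",
                               "roles": ["Supplier"]}, store)
    print(alice)
```

The point of keying on `oid` rather than e-mail is visible in the wrapper: a user whose sign-in name changed is still matched to the row the admin created, while an unprovisioned account that presents a provisioned user's e-mail is refused.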
We've migrated our app from the old marketplace to the new one. After a few days we've received an email that we don't comply with an SSO policy - the user is not recognized after he installs the application.
In the old app we had a specific setup link, that was opened for the user after he installed the app - thus making him recognizable. Is there such a function in the market? Is there some sort of a callback for the installation event in the new marketplace?
P.S. the guy from Google told me to post technical questions on Stackoverflow and that "Our developer relations team monitors that forum and will be able to assist you."
EDIT:
There's the Additional app setup link in this after-installation popup (which clearly no user will click):
Is there a way to call the URL that of the Additional app setup in the background, without needing the user to click an obscure link?
That was an intentional design change which is different than how it used to work in v1 of the marketplace.
If you need interactive setup, best thing to do is put in a check on login to see if the domain has been configured. You can use the licensing API to check for a marketplace install record or directory API to check user permissions if those matter for your use case.
If you just need to run a background task, you can periodically poll the licensing API to detect new installations of the app. This shouldn't be done too often, so if you need to do things before a user logs in, you're still better off going with a check on login to route them to the setup flow as needed.
I've been working as a consultant on an Android project that uses Google OAuth2 to authenticate and identify its users. The Android project is in production and available for download on Google Play. The OAuth client IDs and the entire Google API project were set up by me using a Google Apps e-mail address set up in my name on the client's domain.
Since the project has been released and my work with the client is finished, my e-mail address has been deactivated and subsequently deleted (or so it seems; the client claims not to be able to recreate it). Since my e-mail account was set as the owner of the API project, the deletion of my e-mail address has resulted in the deactivation (or deletion) of the API project as well. This has of course seriously crippled the app in question.
To get things up and running again a new e-mail address was set up for me on the client's domain and I created a new API project. The problem is that I'm unable to create the OAuth client IDs since the package name and SHA1 key are the same as for the app already live. I get the "This client ID is globally unique and is already in use" message and I seem to be stuck in a very awkward situation. I see a couple of possible solutions but I'm not sure how to proceed:
Reactivate the original e-mail address in the hope that the API project is still linked to that account
Reactivate the Google API project with the help of a Google engineer and assign it to an e-mail account on the client's domain
Delete the client IDs from some Google database with the help of a Google engineer, set up a new API project and release a new version of the app.
Worst case: accept the loss, change package name, release a new app and kindly ask users to migrate to the new app.
I've read that Google monitors the google-oauth tag here on SO and I hope to get some help either from the SO community or Google itself. Many thanks in advance!
In the future, please coordinate for long-term ownership of the project, since the Google accounts that own the project are an important aspect of Google's authorization system. For instance, the owner of the project signs ToS for accessing the APIs on behalf of users.
I will follow up with you to find a way to sort out this issue.
I'm looking to publish an app which gives users the ability to register and login using my hosted database. The user will supply their name, email and password.
I'm wondering what I need to do in order to get the app certified for the marketplace - what disclaimers/notices must I ensure the user agrees to before the app is certifiable? I'm presuming if I don't handle this, it will be picked up by policy 2.8.
Have you many more tips for getting an app published to the marketplace? First time user, really want to have my app up and running within the next month!
Thanks,
Gerard.