Alternative IdP Working Group

[David Walker <>]

I also have been assuming that a GAE IdP (gateway or otherwise) would need to restrict itself to only its accounts.  I would think that's possible, but I don't know if any existing gateways do that.

I tweaked the description on the wiki.  Look better?

David

On 08/21/2014 01:10 PM, Jones, Mark B wrote:

Perhaps it is a perspective issue, but I remain confused.  The impression I am getting is that there is a perception that a GAE campus can run a gateway that only allows GAE accounts to authenticate.  I am not an expert but my understanding is that any such gateway would allow any organization’s GAE accounts, any company’s GAB accounts, and any Gmail accounts to authenticate.

 

Where the description states that it would be “for participants that have a Google Apps account”, I think this is misleading as the gateway would authenticate any ‘participants that have any Google account’, not just Google Apps. 

 

Are you saying that the term “Google Apps” includes GAE, GAB, and Gmail?  I tend to separate Gmail from Google Apps.

 

From: [] On Behalf Of Tom Scavo
Sent: Thursday, August 21, 2014 2:36 PM
To: Jones, Mark B
Cc: Tom Scavo;
Subject: Re: Meeting Notes and Wiki Access

 

[sorry for the top post, I'm on my mobile]

 

This WG is targeted at organizational IdPs, which is why I'm only considering GAE campuses. When you look at social from the eyes of a service owner (which I think you are), you're bound to come to a different conclusion.

 

Tom

On Thursday, August 21, 2014, Jones, Mark B <> wrote:

Tom,
For example, I can authenticate to spaces.internet2.edu using my public Gmail
account or with my UTHealth GAE account.  Unless you can configure the gateway
such that public Gmail accounts are rejected, I don't understand why there is
a gateway option that talks about only using GAE.

> -----Original Message-----
> From: [mailto:] On Behalf Of Tom
> Scavo
> Sent: Thursday, August 21, 2014 11:09 AM
> To: Jones, Mark B
> Cc: Tom Scavo;
> Subject: Re: Meeting Notes and Wiki Access
>
> On Thu, Aug 21, 2014 at 11:51 AM, Jones, Mark B
> <> wrote:
> > I understand that there is potentially significant differences between
> > Google's public offering and specific GAE instances, but can such
> > gateways be limited such that @gmail.com accounts are excluded?
>
> I'm not sure I understand the question...excluded from what?
>
> > My understanding is that
> > Google authentication works for gmail.com as well as any Google Apps
> > Education and any Google Apps Business account.
>
> Yes, I described how that works in practice here:
> https://urldefense.proofpoint.com/v1/url?u=https://spaces.internet2.edu/
> x/oAzkAg&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tg
> tglyNVFw2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=ce9Ib650o%2FDyVA0zNUo
> Ye2NAeJOMFdXNov6Mv9PQLHs%3D%0A&s=15b9f3a9bd405486cda21cd0621
> c19210d55d70244aa14f35b6e3aa4977ea0b8
>
> Tom