How to Setup OpenID with Google Apps

Digital Dandelion wanted to provide OpenID accounts for its staff. (I’ll explain why later.) It could have set up its own OpenID server, but it already used Google Apps for Your Domain. Google recently announced that the Google OpenID Federated Login API had been extended to Google Apps accounts: “Individuals in these organizations can now sign in to third party websites using their Google Apps account, without sharing their credentials with third parties.” Brilliant.

Here’s how to set it up for your domain:

1. Sign up for Google Apps for Your Domain and set it up as Google instructs.

Note: The Federated Login Service is disabled by default for Google Apps Premier and Education Editions. The domain admin can enable it from the Control Panel at http://www.google.com/a/cpanel/<your-domain>/SetupIdp. The Federated Login Service cannot be disabled in the Standard Edition, which is to say that it’s already turned on for freeloading Google Apps customers.

2. Add openid file on your server.

Create a file accessible on your site as http://example.com/openid with this inside of it:

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
	<XRD>
		<Service priority="0">
			<Type>http://specs.openid.net/auth/2.0/signon</Type>
			<URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
		</Service>
		<Service priority="0">
			<Type>http://specs.openid.net/auth/2.0/server</Type>
			<URI>https://www.google.com/a/example.com/o8/ud?be=o8</URI>
		</Service>
	</XRD>
</xrds:XRDS>

Be sure to replace example.com with your domain.

3. Tell Apache to serve the openid file with the correct MIME type.

You can do this by modifying your .htaccess file. If this file does not exist in your web root directory, create it. Add these lines:

<Files openid>
	ForceType application/xrds+xml
</Files>

4. Add host-meta file on your server.

Create a file accessible on your site as http://example.com/.well-known/host-meta with this inside of it:

Link: <https://www.google.com/accounts/o8/site-xrds?hd=example.com>; rel="describedby http://reltype.google.com/openid/xrd-op"; type="application/xrds+xml"

Again, be sure to replace example.com with your domain.

5. Access your OpenID with the “vanity” URI http://example.com/openid

You’ll be redirected to Google Accounts, asked to login, asked to approve the site for authentication, and on your way to enjoying the many benefits of OpenID.

Bingo.
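As an added check (example code written for this page, not part of the original post), the script below validates the two files from steps 2 through 4 offline: it parses the XRDS the way an OpenID 2.0 relying party's discovery step would, confirming that both the signon and server services point at the Google endpoint for your domain and that the file is served as application/xrds+xml, and it checks the host-meta Link line. The function names and the constructed sample inputs are my own; fetch the real responses with any HTTP client and pass them in.

```python
import re
import xml.etree.ElementTree as ET
XRD_NS = "xri://$xrd*($v*2.0)"  # default namespace of the openid file above
SIGNON = "http://specs.openid.net/auth/2.0/signon"
SERVER = "http://specs.openid.net/auth/2.0/server"
XRD_OP_REL = "http://reltype.google.com/openid/xrd-op"
def check_xrds(body, content_type, domain):
    """Return a list of problems with the openid file; [] means it looks right."""
    problems = []
    if content_type.split(";")[0].strip() != "application/xrds+xml":
        problems.append("Content-Type is %r, not application/xrds+xml" % content_type)
    try:
        root = ET.fromstring(body)
    except ET.ParseError as e:
        return problems + ["not well-formed XML: %s" % e]
    endpoint = "https://www.google.com/a/%s/o8/ud?be=o8" % domain
    found = {}  # service Type URI -> list of endpoint URIs
    for svc in root.iter("{%s}Service" % XRD_NS):
        uris = [u.text.strip() for u in svc.findall("{%s}URI" % XRD_NS) if u.text]
        for t in svc.findall("{%s}Type" % XRD_NS):
            found[(t.text or "").strip()] = uris
    for t in (SIGNON, SERVER):
        if t not in found:
            problems.append("no <Service> of type %s" % t)
        elif endpoint not in found[t]:
            problems.append("%s does not point at %s" % (t, endpoint))
    return problems
def check_host_meta(text, domain):
    """Validate the Link line served at /.well-known/host-meta."""
    m = re.search(r"^Link:\s*<([^>]+)>\s*;(.*)$", text, re.M)
    if not m:
        return ["no Link line found in host-meta"]
    problems, target, params = [], m.group(1), m.group(2)
    if target != "https://www.google.com/accounts/o8/site-xrds?hd=%s" % domain:
        problems.append("Link target is %s" % target)
    rel = re.search(r'rel="([^"]*)"', params)
    if not rel or XRD_OP_REL not in rel.group(1).split():
        problems.append("rel does not include %s" % XRD_OP_REL)
    if not re.search(r'type="application/xrds\+xml"', params):
        problems.append("type is not application/xrds+xml")
    return problems
# Constructed samples: the guide's two files with example.com filled in.
ENDPOINT = "https://www.google.com/a/example.com/o8/ud?be=o8"
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>
<Service priority="0"><Type>%s</Type><URI>%s</URI></Service>
<Service priority="0"><Type>%s</Type><URI>%s</URI></Service>
</XRD></xrds:XRDS>""" % (SIGNON, ENDPOINT, SERVER, ENDPOINT)
SAMPLE_HOST_META = 'Link: <https://www.google.com/accounts/o8/site-xrds?hd=example.com>; rel="describedby http://reltype.google.com/openid/xrd-op"; type="application/xrds+xml"'
```

A non-empty list from check_xrds with a wrong Content-Type is the server-side view of a browser offering the file for download instead of a relying party finding the endpoint.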

8 Comments

  1. wccrawford
    Posted 2009/09/28 at 17:20

    Nice info. I didn’t know #5, either… That’s nice.

  2. Posted 2009/12/21 at 15:35

    it does work with RPX but it does not work with the WordPress openID Login Plugin http://wordpress.org/extend/plugins/openid/

    I always get this message after successful authentication at Google:
    Error: OpenID login failed: No OpenID information found at http://mydomain.com/openid?id=9999999999999999

    any tips to solve this?

    thanks
    Andreas

  3. Posted 2010/01/27 at 21:30

    This technique doesn’t seem to work on sites like stackoverflow.com. I keep seeing:

    The OpenId Provider issued an assertion for an Identifier whose discovery information did not match. Assertion endpoint info: ClaimedIdentifier: http://example.com/openid?id=NNNNNNNNNNNNNNNNNNNNN ProviderLocalIdentifier: http://example.com/openid?id=NNNNNNNNNNNNNNNNNNNNN ProviderEndpoint: https://www.google.com/a/example.com/o8/ud?be=o8 OpenID version: 2.0 Service Type URIs: (unavailable) Discovered endpoint info: {ClaimedIdentifier: http://specs.openid.net/auth/2.0/identifier_select ProviderLocalIdentifier: http://specs.openid.net/auth/2.0/identifier_select ProviderEndpoint: https://www.google.com/a/dydynamic.com/o8/ud?be=o8 OpenID version: 2.0 Service Type URIs: http://specs.openid.net/auth/2.0/server, }

  4. Posted 2010/01/27 at 21:32

    The previous comment should have example.com for all the domain names.

  5. Posted 2010/01/27 at 23:41

    Indeed, I am getting that error with my Google Apps account. However, I am able to login using my masked Gmail Account. I’m guessing that this is a problem with StackOverflow.com, as it works properly on many other sites. Unfortunately, I don’t have an absolute answer :-\

  6. Jay
    Posted 2010/02/26 at 7:27

    To answer everyone’s question about this, Google implemented a proof-of-concept implementation of a next-generation OpenID discovery protocol, i.e. it is not a full standard yet. Even when it becomes a standard, it is not backwards compatible with the OpenID 2.0 and earlier standards. Some sites like StackOverflow.com and livejournal.com only work with OpenID 2.0 or earlier, and as such know nothing about this new discovery business. If you want to use your Google account with the older OpenID sites, check out http://openid-provider.appspot.com/. It’s sample code for the App Engine that implements an OpenID provider that should work with the older setups.

  7. Posted 2010/10/13 at 9:09

    Thanks for this great guide. I am still getting prompted to download a file when I attempt to access the vanity URL. I’ve made the changes to .htaccess — any other ideas?

  8. Posted 2011/03/09 at 20:52

    Thank you for this, Jeremiah. I’d be embarrassed to say how long I’ve been looking for straight-forward instructions on how to actually get OpenID working with Google Apps Premium. Yours is the only such set of instructions I’ve found, and it works as advertised.

    Just in time for OpenID to go the way of the Dodo, but hey…