
I am trying to get the user who is logged in via SAML Single Sign-On.

I have already implemented SAML Single Sign-On and it works.

The code I use for programmatic login is:

import logging
import gdata.apps.service
from google.appengine.api import users

apps = gdata.apps.service.AppsService(email=username, domain=domain, password=password)
apps.ProgrammaticLogin()
logging.info("current user %s", users.get_current_user())
# Redirect to a Google Mail page.

But users.get_current_user() always returns None, even though the correct username and password are provided. I have cross-checked it by redirecting the page to the Google Mail page, and it successfully redirects.

I have googled this issue for hours now; nothing goes the right way.

Can anyone please guide me on what I am doing wrong?

Kartik Domadiya

1 Answer


There are three different things going on here; I just want to make sure they are clear so that my suggested answer makes sense:

  1. Google App Engine users service: You, as the developer, delegate authentication and authorization responsibility to Google Accounts (or the selected OpenID provider). Google will act as the Identity Provider and you'll act as the Service Provider.
  2. SAML single sign-on: Google delegates to you the authentication and authorization responsibility; you'll act as the Identity Provider and Google will act as the Service Provider. You'll be using SAML SSO every time you try to log in to any Google service using your Google Apps account, and that includes Google App Engine applications using the users service.
  3. ClientLogin: It is one of the methods for authenticating to use a Google API by giving a username and password. It's deprecated, it's hard to maintain, and it's insecure, since you are hard-coding the credentials and the app could have access to everything. I'd recommend switching to OAuth instead. In the first two lines of code you are initializing the Google Apps provisioning API with gdata.apps.service.AppsService; if you are not going to retrieve or create users/groups/aliases, it is useless to do that. If you are, I'd also recommend switching to the Directory API, part of the new AdminSDK.

For your particular case I'd suggest checking if there is a current user logged in and, if not, redirecting to the login URL using the GAE users service.

import logging
from google.appengine.api import users
# redirect() and request come from the web framework in use (Flask-style names here)
from flask import redirect, request

user = users.get_current_user()
if user:
    logging.info("current user %s", user.email())
else:
    # Send the user to the Google login page and come back to the current URL afterwards
    return redirect(users.create_login_url(request.url))

In case you always require that the user be logged in, you had better set the handler as login: required.

The user will be redirected to the SAML SSO page to log in to their Google Account in order to access the GAE app.

David Cifuentes
  • Thanks for a clear-cut description. I am able to get the current user by explicitly setting up OpenID + SAML Single Sign-On. But now I am facing the problem of redirection. Setting "relayState" to any appspot id or any website URL, it says invalid URL when redirected after login. It only accepts Google product URLs. Can you suggest something related to it? – Kartik Domadiya Apr 04 '14 at 05:34
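The answer above mentions setting the handler to login: required so that App Engine itself enforces the login (via Google Accounts, and therefore via the domain's SAML SSO) before the request ever reaches application code. The following app.yaml is an added illustration, not code from the question or the answer: it shows one handler left open (the default, where users.get_current_user() may legitimately be None and the code must handle it) next to a handler that requires a signed-in user and HTTPS. The script name main.app and the URL patterns are assumptions for the example.

```yaml
runtime: python27
api_version: 1
threadsafe: true

handlers:
# Public pages: no login enforced by the platform, so the handler code
# must check users.get_current_user() and redirect to create_login_url()
# itself, as in the answer's snippet.
- url: /public.*
  script: main.app

# Everything else: App Engine redirects anonymous visitors to the Google
# login page (the SAML SSO page for a Google Apps domain) before the
# request reaches main.app, so get_current_user() is never None here.
# secure: always additionally forces HTTPS so the session cookie is not
# sent in clear text.
- url: /.*
  script: main.app
  login: required
  secure: always
```

With login: required the redirect-and-return logic lives in the platform rather than in each handler, which is harder to forget; login: admin goes one step further and only admits application administrators.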