OpenID for Google Apps Is Here, But Some Aren’t Happy
Google announced today that everyone using Google Apps enterprise or education editions can now use their organization’s domain as a federated single sign-on. That means that millions of schools, businesses and other organizations can now use their Apps accounts as an OpenID.
For a movement that has seen adoption held back because of confusion or just plain unfamiliarity among consumers, this should be a huge boost. However, a few prominent developers and advocates feel that Google’s approach is not entirely acceptable. They are critical of the use of vendor-specific extensions and APIs instead of the open standards that are so important to OpenID.
The Sound & Fury
The concern that some OpenID developers have expressed publicly is in regard to the way that OpenID discovery occurs. The crux of their concern is not whether Google’s solution will work; it’s about whether Apps OpenID will function as a provider that gives people full control of their online identity.
Independently of the OpenID Foundation, Google has rushed to use their own methods. Unlike OAuth, the discovery is currently a part of the OpenID core, even if it isn’t related to how the actual authentication functions.
In order to be redirected from their domains to Google’s OpenID service, relying parties will have to use an extension developed by Janrain, despite work that is well underway by the Foundation on a standard independent of any one vendor.
Google, Your New Identity Hub
Now that the Apps OpenID has been released, another issue has arisen. It’s related to how Google will become an identity hub for SaaS partners which want to let their users login with their Apps accounts. Early partners in this program that were announced in the blog post by Google today include Ping Identity and Manymoon.
Some have taken issue with Google’s API even being the fallback system should a normal request fail. But for these partners, it looks as if the API is not the fallback system: it’s the default. By cutting corners and not using a more neutral method, Google is unlikely to get the support from the OpenID Foundation they want.
In a phone call today, Google’s Eric Sachs said that though the company has no control over how partners choose to implement the system, it was necessary to use the API if they choose to present it to users as a way to log in directly with Apps.
It would seem that despite best intentions for an exciting project, there are some issues that could curtail support for the initiative. The announcement of the plan was accidentally leaked to the public earlier this month, and it revealed fears at Google that the project could be viewed by the community as an attempt to co-opt OpenID.
To Google’s credit, they’ve been talking with the OpenID Foundation to try and address any concerns. “We definitely do want to work with the community on this.” said Sachs.
Still, any opposition from the OpenID Foundation or the community at large about how Google is implementing OpenID could damage its “don’t be evil” credibility, at the very least.