has anyone implemented Google Credentials Passing API?


Jason Haar

Nov 23, 2015, 9:52:47 PM
to SimpleSAMLphp
Hi there

We're looking at using our SSP IdP for authenticating our Google access
and Chromebooks have hit a snag. Once you go SAML, people can't log into
them when they're offline...

Totally makes sense when you think about it - there's no password cached
for starters. Anyway, Google have produced an API for enabling a one-way
hash of the password to be cached so that users can log in offline -
according to this API

http://www.chromium.org/administrators/advanced-integration-for-saml-sso-on-chrome-devices

Has anyone done it using SSP? Not much to go on from what I can see :-(

Thanks

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

flem...@wardletrust.co.uk

Mar 25, 2016, 3:15:11 PM
to SimpleSAMLphp
Hi, 

How did you get on with this please?

I would like to achieve the same thing as you but with ADFS 3.0 but I am struggling to figure this out.

Thanks

Jason Haar

May 6, 2016, 6:12:55 PM
to simple...@googlegroups.com
[Whoops. Look what I found in Drafts]

Actually I never figured it out. But it wasn't as bad as it looked - and it was also worse :-)

When you first successfully log in via SAML without the "extra" code, the Chromebook prompts you to re-enter your password, which it hashes and stores and then doesn't do SAML again (i.e. it runs off cache). If you have the extra code, it simply gets rid of that second password prompt - so it's not a huge improvement.

Problems occur when you change your IdP password - there's no mechanism to tell the Chromebook a password change has occurred, so you end up having to log into your Chromebook with the old cached password until it expires - at which point you get thrown back at the IdP, etc. You can change the cache expiry date down from the default 2 weeks to 2 days (or never!) but I had difficulties seeing that actually work as stated. 

It all felt a bit "wobbly". We gave up on using SAML for Google in part due to this :-(



--
Cheers

Jason Haar

joseph....@gmail.com

Jun 6, 2017, 11:52:32 AM
to SimpleSAMLphp
Hey Jason - How exactly do you implement this extra code into ADFS?

front...@equalit.nl

Jun 8, 2018, 5:27:08 AM
to SimpleSAMLphp
I found that the only way to avoid the 2nd local password prompt using ADFS is forcing ChromeBooks to authenticate to ADFS via FBA (Forms Authentication) instead of WIA.

On Tuesday, June 6, 2017 at 17:52:32 UTC+2, joseph....@gmail.com wrote:

e.me...@wes.gdst.net

Jul 13, 2018, 6:14:09 AM
to SimpleSAMLphp

jakem...@evergrowingtech.com

Sep 26, 2018, 6:20:54 AM
to SimpleSAMLphp
Hi,
Did you get a solution to implement SAML SSO for every login on a Chrome device, since it is asking for the cached password for the SAML user at the next login?

Regards,
Jake Martin