Using the provisioning API in order to sync SSO passwords upon login breaks chrome sync


danstl

Mar 28, 2012, 11:38:17 AM
to google-app...@googlegroups.com
Is there any resolution to this?! We use SAML SSO and sync password upon successful login in order to populate non-SSO-aware portions of Apps with the user's password. BUT this process seems to break the ability to use chrome sync. You set up chrome sync, and it will sync, but then within an hour or two it will say:
Account sign-in details are out of date.

This is VERY frustrating because every other service works except this chrome sync.  And since we have deployed chrome to our 650+ users this is becoming a pain in the butt.

Anyone see this before? It's almost like chrome is looking to see if the password has changed, and if it has it immediately says the credentials are out of date...

Thanks in advance!

-Dan

Jay Lee

Mar 28, 2012, 2:58:33 PM
to google-app...@googlegroups.com
Hi danstl,

  Is your password sync code changing the Google password on every single SSO login? If it is, that is probably the issue; the password should only be synced if it has changed since last login.

Jay

danstl

Mar 28, 2012, 3:06:09 PM
to google-app...@googlegroups.com
How should we handle this? Would we have to pull the last login information from Google Apps, and then compare it to the last password change from AD? Is that possible (I did not create our SSO, but I need to know what to tell the people that did)?

Thanks,
-Dan

Jay Lee

Mar 28, 2012, 3:16:56 PM
to google-app...@googlegroups.com
How to handle determining when a user's password changes in AD is a bit out of scope for this group but I'd suggest the SSO application monitor the AD user's pwdLastSet attribute and only do password pushes to Google when pwdLastSet changes.

Jay
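
The check Jay describes above, as an added example (not code from this thread or from Google): the SSO application keeps the `pwdLastSet` value seen at the last successful push and only pushes again when AD reports a different one. The `push` callable is a hypothetical stand-in for the provisioning API password update, the sample values are constructed, and skipping the push when `pwdLastSet` is 0 is an assumption.

```python
from datetime import datetime, timedelta, timezone

AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(pwd_last_set):
    """Convert AD pwdLastSet (100-ns ticks since 1601-01-01 UTC) for logging."""
    return AD_EPOCH + timedelta(microseconds=int(pwd_last_set) // 10)


class PasswordSyncGate:
    """Decides at SSO login whether the password has to be pushed again.

    Only the pwdLastSet value from the last successful push is stored,
    never the password itself.
    """

    def __init__(self, state=None):
        self.state = dict(state or {})  # lower-cased username -> pwdLastSet

    def needs_push(self, username, pwd_last_set):
        value = int(pwd_last_set)
        if value == 0:
            # 0 = "user must change password at next logon" in AD.
            # Assumption: there is no settled password to sync yet.
            return False
        return self.state.get(username.lower()) != value

    def on_login(self, username, pwd_last_set, password, push):
        """Call after a successful SSO login; returns True if a push happened."""
        if not self.needs_push(username, pwd_last_set):
            return False
        push(username, password)  # if this raises, state stays unchanged
        self.state[username.lower()] = int(pwd_last_set)
        return True


if __name__ == "__main__":
    pushed = []
    gate = PasswordSyncGate()
    first = 129774000000000000  # constructed sample pwdLastSet value
    # Two logins with the same password, then one after a password change.
    for raw in (first, first, first + 6_000_000_000):
        gate.on_login("dan", raw, "example-password",
                      lambda user, pw: pushed.append(user))
    print(len(pushed), "pushes; first set at", filetime_to_datetime(first))
```

Persist `state` between logins (a database row per user is enough); if it is lost, the next login for each user pushes once and the gate resumes.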

danstl

Mar 28, 2012, 3:48:36 PM
to google-app...@googlegroups.com
Why is it that chrome is the ONLY server that google uses that is not actually checking the login, but first checking to see the last time the password was changed.... It really drives me crazy that one product out of the entire mix is handling the authentication piece differently...