Slashdot Mirror
Ask Slashdot: Single Sign-On To Link Google Apps and Active Directory?
trazom28 writes to seek answers to a problem faced by many businesses (and, as in this case, schools): "We are looking for a solution to a single sign on to coordinate Active Directory and Google. You can sync the passwords easily enough with Google Apps Password Sync, but ideally we would like the students and staff to be able to sign in once and be done. Additionally, the Google login requires the @domain.k12.wi.us so it would have to take the AD username, pass it along and tack on the domain to log into Google.
Has anyone seen any solution for this that actually works, or is this the Holy Grail of all IT? Please hold off on any Google haters, that's a different discussion for a different forum.
Has anyone seen any solution for this that actually works, or is this the Holy Grail of all IT? Please hold off on any Google haters, that's a different discussion for a different forum.
What the hell is with people thinking they can dictate what kind of responses they get to summaries lately?
People will post what they post, regardless of your control-freak fantasies of filtering out the chaf.
I do not fail; I succeed at finding out what does not work.
http://www.lmgtfy.com/?q=ADFS+Google+Apps
Did you try Googling it?
https://support.google.com/a/answer/60224?hl=en
https://support.google.com/a/a...
I googled it.
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
my company does this with vmware horizion
What you're looking for is called Active Directory Federation Services - it provides a SAML gateway for remote service providers to auth your users against your own directory, using kerberos tokens if you'd like, which is what you'll need for this sort of single sign-on to work correctly.
Not sure if Google Apps supports it (as it does require some programming work on their side to build in the support), but many other service providers do, and it works just fine.
Companies that register with any AppDirect-powered marketplace can sync user accounts with their Active Directory and use SSO with hundreds of products, including Google Apps. See http://www.appdirect.com
What will you do for the students who don't want Google tracking everything they do?
You need a solution that works without a Google login, so anything that requires tying them together is a non-starter.
This isn't "google hate", it's simple realization that not everybody wants to be forced into being tracked by advertising companies.
SAML v2.0 isn't easy...are you sure the GADS isn't enough?
http://www.huggill.com/2012/01/12/setting-up-google-apps-single-sign-on-sso-with-adfs-2-0-and-a-custom-sts-such-as-identityserver/
Use WAAD or Okta, or learn how to setup a proper SSO environment since both platforms you mention offer excellent SSO interop.
Google has a solution.
https://support.google.com/a/a...
http://www.huggill.com/2012/01/12/setting-up-google-apps-single-sign-on-sso-with-adfs-2-0-and-a-custom-sts-such-as-identityserver/
ADFS should do this...
http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx
You should have a look at either CAS 4.0 or Shibboleth as your SAML 2 provider. Both integrate well with Open LDAP and Active Directory.
You can use Active Directory and/or OpenLDAP and then simpleSAMLphp and link to Google Apps.
We do it this way:
1) RCDevs WebADM LDAP Directory (or in your case Active Directory)
2) simpleSAMLphp There's actually a good tutorial to integrate with Google Apps here: https://simplesamlphp.org/docs...
3) Google apps confitured for SAML 2.0
It took me about 15 minutes to set it up.
Any question feel free to ask.
Why would you sync rather just allowing federation? Just consume a SAML token through AD Fed, or an OAuth token via Google.
Never-ever place your real domain name use example.com
Google plays well with it and AD can be used as its back end. https://wiki.jasig.org/display...
https://support.google.com/a/answer/106368?hl=en
PS: If a question that is solved with one search in google makes to the home of slashdot, I don't want to live in this planet anymore.
Ceck out http://www.centrify.com/cloud/...
Is this the kind of thing that Auth0 solves?
Look at ssoeasy. There are others, but that was the solution we went with a couple of years ago. Minimal cost, maybe 2K. Up in running quickly, and it has just worked for us.
Minneapolis Public Schools did this - reach out to them and they can help you through. (mpls.k12.mn.us)
What you want is Pubcookie. I've configured Kerberos SSO across a network before and found pubcookie at a different job. Its a little tricky at first, possibly because of some of the thin or confusing documentation but its very good. Its also Free.
Pubcookie wiki link
How it works
Good leaders run toward problems, bad leaders hide from them.
Kind of ironic, but a possible solution. HTH.
http://azure.microsoft.com/en-us/pricing/details/active-directory/
Azure Active Directory is a comprehensive and high available identity and access management cloud solution. It combines core directory services, advanced identity governance and application access management. Azure Active Directory also offers a rich standards-based platform that enables developers to deliver access control to their applications, based on centralized policy and rules.
Azure Active Directory is offered in three tiers: Free, Basic and Premium. For a detailed list of features, refer to the table below.
Azure Active Directory Free covers the cloud application access and self-service identity management requirements of task workers with cloud-first needs. Azure Active Directory Basic includes all the available free Azure AD capabilities and in addition provides group-based access management, self-service password reset for cloud applications, customizable environment for launching enterprise and consumer cloud applications.
Azure Active Directory Premium allows IT departments to effectively protect enterprise data and resources on any cloud with features such as synchronization with on-premises directories, group-based single sign-on to thousands of SaaS applications, machine learning-based security and usage reports, alerting and multi-factor authentication. Azure Active Directory Premium also empowers end users with self-service password reset, delegated group management and customizable environment for launching enterprise and consumer applications.
Azure AD Access Control enables centralized authentication and authorization for your cloud application by working with standards-based identity providers, including Active Directory as well as consumer web identities such as Microsoft Account, Google, Yahoo!, and Facebook.
Has anyone seen any solution for this that actually works, or is this the Holy Grail of all IT? Please hold off on any Google haters, that's a different discussion for a different forum.
Don't insult Google? Sure, but your sad devotion to that ancient active directory has not helped you conjure up the solution, or given you enough clairvoyance to find the correct answer. Don't try to frighten us with your Microsoft ways, Lord_trazom28
"First they came for the slanderers and i said nothing."
It does this already - at least with the paid version, maybe you should talk to Google?
The university I worked at until a few months ago was Google Apps, the login page was hosted on a university system available internally and externally, you were authenticated against the internal AD then redirected to the regular google gmail page with your @blah.edu email.
If you wanted to use a conventional email client ,you had to go through an extra step of setting the "Google side password".
You can enable Google 2-step authentication if you do not go the SAML v2/SSO route. Our domain with approx 40,000 active users has been a target of phishing attacks and may end up turning off SSO in our Google Apps domain.
I see a lot of people here pointing you to articles on how to set up a SAML IdP. I mean -- that is a start -- but you may still be confused on how to solve your problem. If I understand it correctly -- you want your users to be able to sign in using "username", but have "username@domain.com" passed on to Google Apps, correct?
First, if you don't know what "SAML", "IdP" or "SP" is, read this: https://developers.google.com/google-apps/sso/saml_reference_implementation
Then the process, no matter what IDP, is going to be similar.
1) Choose your SAML IDP (OpenAM? Ping? ADFS? Others?)
2) Set it up to authenticate your users using AD based on their username -- in other words it needs to match usernames/passwords that your end users provide on the login page based on the "sAMAccountName" attribute in MS AD.
3) You will need to exchange SAML metadata between Google Apps and your IdP.
4) When you import the Google Apps metadata to your IdP and configure the SP for Google Apps, configure the IDP to tell Google Apps that your username is the "mail" attribute in the Name Identifer -- or, if your mail attribute in LDAP does not have the correct @domain.com you need, then you could use the Active Directory "Attribute Editor" and just assign some random attribute the proper "Google ID" for each user. Then pass this attribute along to Google as the "Name ID"
The nice thing about ADFS is it is so closely tied with Active Directory, so step #2 kind of takes care of itself. A guide for integrating ADFS and Google Apps is here: http://www.huggill.com/2012/01/12/setting-up-google-apps-single-sign-on-sso-with-adfs-2-0-and-a-custom-sts-such-as-identityserver/
When that author gets to the part on "Select Transform an Incoming Claim from the Claim rule template drop-down:", I'd probably do it a bit differently. I'd instead do this:
* Select "Send LDAP Attributes as Claims"
* Send the "mail" attribute as outgoing claim type "Name ID" (or whatever attribute you want to use in LDAP for your Google usernames)
OKTA is a cloud SSO solution
come on man! dont post your real domain on open forums. use example.com
They paid $1mil for 4 servers to do the same thing.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
Have you looked at Shibboleth? It's federated and can link across active directory and google apps no problem. Several major universities use it. https://shibboleth.net/
I know I'm kind of picking this apart unnecessarily, but you say, "Has anyone seen any solution for this that actually works, or is this the Holy Grail of all IT?" Why would it be one or the other, and why would this possibly be the Holy Grail of all IT?
Microsoft ADFS should be able to do this, there's a walkthrough here:
http://www.huggill.com/2012/01/12/setting-up-google-apps-single-sign-on-sso-with-adfs-2-0-and-a-custom-sts-such-as-identityserver/
And in the darkness bind them.
You may not want to hear it, but permanently branding your k-12 kids with a Google ID is a terrible fucking idea.
Don't be a douche, and don't ruin your kids privacy my making sure Google knows every fucking thing they'll do for the next 10 years.
User authenticates to machine & SSOs over to Google Apps & done. Since it seems that you're in Wisconsin, contact the IdP folks at UW-Madison: help@login.wisc.edu. They can likely assist you with setting things up.
https://www.okta.com
Use the Okta preview version. Free to link one service to your AD with unlimited users.
From the summary: "Please hold off on any Google haters, that's a different discussion for a different forum."
From msobkow: "People will post what they post, regardless of your control-freak fantasies of filtering out the chaf."
From the mods (to msobkow): "-1 Offtopic".
Nicely done, mods. That's what moderation is for: not to suppress ideas you disagree with, or silence people you dislike, but to keep conversations on topic and useful.
(And, yes, this post is off topic, but I had to say this and my karma won't notice the hit.)
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Hint: FERPA is not HIPAA
No, it's not, but that doesn't absolve the school system of its responsibilities under HIPAA, which applies to ANY system where there is reasonable foreknowledge of PHI transmission. HIPPA is not just applying to hospitals.
Statutes against murder are not traffic laws, but I still can't go murder someone by arguing that traffic laws don't apply to what I did.
There are two market leaders that do exactly what you are looking for here. I'd recommend Okta, the other is OneLogin. Both are worthy of your review. I speak from experience having used both for over a year. Both are had on a per-user per-month basis, and in fact both offer at least a couple of application connections for free (as in beer) so you can likely have your solution for no cost.
The basic architecture is that a very lightweight Active Directory Agent is installed on a member server in your AD domain. That agent synchronizes the AD user and group objects from your AD (you can select from the top level or only certain sub-OUs). All configuration is done using the web interface which is where you configure the SAML relationship with your application providers (Google, etc) and where you choose which AD users have access to the applications you're connecting to.
If users are on your network and signed in to active directory, they won't be prompted for passwords when they access SAML / SSO enabled applications. Very simple from a user's perspective and easy to manage from an IT standpoint.
I'd assumed the holy grail comment was referring to real SSO, as opposed to using the same credentials everywhere but entering them for each individual service.
Stormpath has Active Directory synchronization and google oAuth2 support. Therefore the platform maintains things synchronized.
In short, anything happening in google and Active Directory will be in synchro automagically. For extra magic they provide an API and a web interface too.
https://stormpath.com
Hospital systems use Imprivata for Single Signon. Whether it works in his scenario, I don't know but I would contact them.
I love how everyone is trying to duct tape their horse carriage to an automobile because of the fallacy of sunk cost. I remember when all the "computer hacking books" talked about Novell NetWare because of all the pimply teenagers who wanted to hack their GPA.
Take your entire IT infrastructure and throw it in the garbage. Replace every computer that can be replaced with ChromeOS ChromeBoxes.
The ones you can't: Norton Ghost to manage the workstation hard disk images. DeepFreeze to minimize the frequency of needing to reflash the disk images. Install the Chrome web browser and use User Access Policies to disable everything but the web browser and the ability to mount USB flash drives. Disable Autorun(obviously).
Then: worry about the school website/webapp and quit dicking around with infrastracture that meets the needs of 0.1% of your customer base which is occupying 95% of your resources.
This "Ask Slashdot" should be about data migration to the Google Apps and what other academic Google Apps/Chrome OS users are doing in terms of grades, attendance, and administrative backend.
Doing anything else is just chasing sunk costs and trying to shoehorn yesterdays paradigms in to having a role in the correct solution of the past ~3 years.
http://azure.microsoft.com/en-us/documentation/articles/integration-azure-google-apps/
Beyond that you'd need ADFS setup which is it's own project. A few servers in your DMZ and on production to get it done.
HIPPA is not just applying to hospitals
This just in: self-touted HIPAA expert misspells "HIPAA". This doesn't disprove his statements, but undermines his credibility to the point that every claim he makes should have one or more citations provided.
HTH!
I have done several SSO integration projects with various technologies and while I haven't attempted the specific case you are trying, I can offer some general advice:
Making some assumptions about your use cases, I am imagining a scenario where you have some sort of portal secured using AD credentials and you would like to allow access to Google Apps from that portal.
In this scenario, Google Apps would act as the Service Provider, The Identity provider would be AD with ADFS.
Google supports SAML 2.0 SSO (https://developers.google.com/google-apps/sso/saml_reference_implementation) as does ADFS (http://technet.microsoft.com/en-us/magazine/2006.07.simplify.aspx)
It looks like this has been done before (http://www.huggill.com/2012/01/12/setting-up-google-apps-single-sign-on-sso-with-adfs-2-0-and-a-custom-sts-such-as-identityserver/) albeit with a non-AD identity server (one would think that using AD would simplify things but...)
Start with a quick dive into SAML2.0 and concentrate on the IDP initiated scenarios (http://saml.xml.org/wiki/idp-initiated-single-sign-on-post-binding)
With any SSO integration, start testing early and plan on lots of testing. If the SP partner site supports testing with plain-text SAML responses and assertions, start with those and make sure federation works before adding the encryption layer.
Because that can't happen without SSO...
On the education side of IT, your end users range in age from 4 to 18 (students) and then staff/adults. The simpler you can make things, and make them work, the better. For example, a teacher will have 20+ kids in the room, need to get them all signed in to AD, then signed into Google/GAFE. Depending on the age of the group, this can be extremely challenging, especially if usernames are different, and passwords are different. If they could sign in *once* with a short username, and standard password - then be able to dive right into what they need, we'd have more time for the teachers to do what they need to do, and less time for them to be techs. SSO has been something that's been elusive for years, both in public and private sector, and it's always *sort of* worked, but not quite, and not reliably. I hadn't looked at it for some time, but it came up again recently, hence my question to /.
{} ------ When I think of a good sig, I'll put it here
SSO with a single credential is a Holy Grail, it's a Holy Grail for Users, but not necessarily IT.
It is really nice, but it can also fraught with workflow issues, depending on the applications. Many support Single Sign ON, but not necessarily Single Sign OFF -- which is a hairier problem. But it is much, much easier for the users to have to maintain a single credential.
For IT, however, it's a different story. The problem never necessarily goes away.
On the one hand, you have Shared Credential -- where you have to log in manually to everything, but the credential is the same. LDAP servers fill this role admirably. IT likes this too.
But in the SAML SSO world, systems can be more loosely coupled. In a federated world of multiple domains, where users of different groups, even 3rd parties have access to applications, it gets even more fun.
Now, IT has to manage the User Provisioning problem. That is, say they have 5 apps they support. When a new user is added to the SSO system, that user may well need to be created, individually, in to the 5 separate applications. And IT gets to manage all that complexity, getting the roles and permission correct, etc. etc.
So, from an IT perspective, SSO may not buy much in terms of making the system landscape easier to manage.
The best scenario is a combination of SSO with Share Credential. An SSO system that is backed by the same LDAP server that all of the apps use. THAT it's the IT Holy Grail. One stop shopping for the whole kit. But in the ends it involves two disparate systems, the SAML IdP and the credential store.
You are correct - having elementary students type the @domain.etc.yadda.yadda that GAFE requires can be painful for the teaching staff to work through. I appreciate your comments and information - really has given me a lot to read over and I'm thinking that may just do the trick. Thank you!
{} ------ When I think of a good sig, I'll put it here
I'm guessing Jon Dough threw privacy out the window, with his pants.
Our university uses CAS SSO by JASIG. https://wiki.jasig.org/display... . It's nice because anyone can use it without having to get IT involved for their own pet projects and they never get a secret to maintain or permissions to setup like with AD or LDAP.
We use Okta (okta.com) to do SAML based SSO for Google Apps, as well as a ton of different applications. It works for a lot of things from Peoplesoft to NewRelic to Jira, basically anything that supports SAML.
We've done exactly that locally -- users logged into the AD domain are passed into Google Apps automatically while anyone working from home, accessing from mobile devices, etc. is passed on to a CAS Single Sign On page where they can sign in and continue to access other SSO'd services. As others have said, anyone leaving the system unattended will be vulnerable, but, then, at varying levels of effort unattended physical access can always result in compromise.
Investigate:
CAS - https://wiki.jasig.org/display/CAS/Home
CAS Google Apps Support - https://wiki.jasig.org/pages/viewpage.action?pageId=6063484 [be sure to note the non-username attribute details linked at the bottom]
CAS SPNEGO Support - https://wiki.jasig.org/display/CASUM/SPNEGO
GADS is nice - we make AD changes, and on the sync, Google gets them. That part rocks. SSO itself would be ideal, however. Starting to read though and it does look like a good challenge. From what I'm reading so far, ADFS may do what is needed. Lots more research needed though before I fire anything in.
{} ------ When I think of a good sig, I'll put it here
Thank you - I'm reading though it now.
{} ------ When I think of a good sig, I'll put it here
Thank you - I will!
{} ------ When I think of a good sig, I'll put it here
Nuff' said.
Why did this pretentious little faggot link to "Holy Grail"?
Disclaimer: I work for Oracle but not in sales nor in any branch related to this product.
At the office (where I work as a senior iOS / OS X native app developer), we have Oracle SSO running on all of our internally-deployed apps, including web sites, desktop apps, mobile.
OP talks of holy grail of IT so, while I dont know of alternatives, based on my experience, it's quite possible to have a decent single sign-on system.
Obviously, Oracle's offering is not free (as in beer speech) at 85$ a seat. It's best to contact the sales rep to see if any bulk or student pricing apply (I do not know as I'm not in sales).
Have done it a couple of times and it's not that hard:
http://www.huggill.com/2012/01...
WOW! Your specific use case is the holy grail of all IT? Guess I should throw this perpetual motion machine away.
Centrify, Ping Identity, Bit Glass and others can provide SSO capabilities between your core infrastructure (AD) and the cloud. Some include sync tools and other provide nearly full ADFS implementations. They can also provide 2FA and other authentication mechanisms. Centrify can even give you MDM (Mobile Device Management) for 802.1x like functionality. Bit Glass can do some very cool proxying that gives you DLP style water marking of stored files on the cloud. Etc etc etc.
I know I'm kind of picking this apart unnecessarily, but you say, "Has anyone seen any solution for this that actually works, or is this the Holy Grail of all IT?" Why would it be one or the other, and why would this possibly be the Holy Grail of all IT?
You have to remember. Most Windows admins don't step out of their world much, so "all IT" is really a subset of what the rest of us know.
You can use open idm to provsion uaers at goolge And saml to do the signin.
This is actually not that hard when you add Azure Active Directory into the solution.
Look at this step by step guide: http://msdn.microsoft.com/en-us/library/azure/dn308591.aspx
If you want real SSO - than you need to add ADFS to your Active Directory domain. You will even see the screenshot in the documentation where you can select your ADFS solution to be used with Azure AD.
Currently there are a few hundred different products listed in Azure AD. So if you setup the infrastructure with Azure AD once -- you simply click all other services you want to add to your SSO solution e.g. Dropbox or Twitter
Get in contact with Microsoft and ask them for a good Office 365 / Azure AD PreSales consultant. I regularly demo this to customers and with a bit of practice and understanding on what options you have and how the components fit it each other - a typical lab setup just takes a few hours.
On the education side of IT, your end users range in age from 4 to 18 (students) and then staff/adults. The simpler you can make things, and make them work, the better. For example, a teacher will have 20+ kids in the room, need to get them all signed in to AD, then signed into Google/GAFE. Depending on the age of the group, this can be extremely challenging, especially if usernames are different, and passwords are different. If they could sign in *once* with a short username, and standard password - then be able to dive right into what they need, we'd have more time for the teachers to do what they need to do, and less time for them to be techs. SSO has been something that's been elusive for years, both in public and private sector, and it's always *sort of* worked, but not quite, and not reliably. I hadn't looked at it for some time, but it came up again recently, hence my question to /.
I think your example is a clear illustration of technology getting in the way of teaching and that technology should be re-evaluated for that use case. If the teacher is spending a third or more of class time getting students signed on, something is wrong on a more fundamental level than the sign-on problem. Why are we using technology to do this and what is the real value for using it in this case? Those should be the concerns and that's really what's being missed.
I have worked supporting technology in higher education for twenty years and I see a rush to use tech to "enhance" or supplant proven methods of teaching all the time, with no evidence of actual benefits other than anecdotes and "it must be better because it's new" arguments. When evaluated further--upon implementation and through assessments--a majority of these experiments in tech enhanced learning yield no additional value over classical methods and in some cases have had negative effects like the class time lost to tech issues that could have been used to cover new topics or go into greater detail. Now, there are some clear advantages to tech in teaching some concepts, e.g., where visualization in two or three dimensions allows for clarity of understanding, but the overuse of tech in education that sacrifices covering content needed to advance is far too prevalent and is hurting our students.
haven't tested personally, but it looks good, and doesn't require any "roll-your-own" crap.
http://azure.microsoft.com/en-...
what Anonymous Coward just said.
That's kind of the point of this venture - if we can streamline the login process, that in turn would take that waste of time out of the equation and they could focus more on using the technology more effectively.
{} ------ When I think of a good sig, I'll put it here
You shouldn't stereotype. I've been in IT for over 20 years professionally, another 10 as a hobby prior. In past lives I've been everything from NetWare Admin, support of OS/2 before and after Warp, dabbled in Unix shells, and have used and supported various flavors of Windows from it's early days. I consider myself pretty well rounded and open to suggestions and change in the IT realm. The district where I work happens to run AD. I've brought myself up to speed on it, and feel pretty comfortable with it, but I'm not one of the "AD or Bust!" types that you may have run into in the past. Those folks just irk me :)
{} ------ When I think of a good sig, I'll put it here
In a perfect world with unlimited funding, that would be easy. It may get there eventually. For now, we need both and need to make both work.
{} ------ When I think of a good sig, I'll put it here
Ok, I'll bite. Just because it was fun? Why not? Sorry if you took my hyperlink to a wikipedia article personally.
{} ------ When I think of a good sig, I'll put it here
You shouldn't make absurd statements that indicate your specific problem in your specific situation is The Holy Grail For All IT Everywhere. Especially when your solution to google AD integration is the top search result when googling for an answer.
Deciding that your problem is so important, lacking the googling skills of an average elementary student, and thinking it is acceptable to get dozens of other people to do the research for you when anyone competent in your field would consider it trivial all while having a thinly veiled pompous attitude really doesn't reflect well. It is not stereotyping. You really are what the other poster describes: out of touch.
It's an outstanding web sso product. A few clicks and your set
Check out this guide: http://msdn.microsoft.com/en-us/library/azure/dn308591.aspx
Just connect your AD using the new Azure Active Directory Sync tool, add ADFS to you setup and use Azure AD to connect hundreds of different services into you SSO solution.
I don't understand why you're trying to use two distinct systems that were not designed to work together when there is a very easy solution already there?
The solution you're looking for will have to be custom programmed and it doesn't exist yet.
That is the answer. if you're prepared to hire a programmer or programming house to do it for you... vaya con dios.
If that were my show, I would just install an exchange server. MS haters won't like that... but if you're going with an active directory already then what exactly is the beef here?
I think you should use the tech the way it is supposed to be used unless you're prepared to deal with the consequences of not doing that.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
I've done this a couple of ways...
I first tried Shibboleth, which was what some Google Apps consultant company wanted to sell me installation services for. This seemed okay, but it was rather buggy when I tried it 5 years ago. I'm sure it has come a looong ways since.
Then I went to Ping Identity. This works really, really well, but is also pretty expensive. My Google Apps migration project was running out of time, so I bit the bullet and spent the remainder of my budget on this service. If you are *only* interested in SSO for Google Apps, I wouldn't spend the money. If you have a lot of systems that you'd like to use SSO with then I would give these guys a look.
Lastly I implemented Microsoft's ADFS. This was simple enough to setup, free, and worked like a charm. I'm sure some googling will come up with a number of how-tos for setting up ADFS with GAPPS.
I'd also take a look at OneLogin. I have not used them myself, but I've heard good things.
Why not use Windows Azure Active Directory and the Pre-Integrated Applications which include Google Apps. This can be configured to handle both Authentication into Google's platform as well as provisioning to create/manage users out of Active Directory. Just search for Google here:
http://azure.microsoft.com/en-us/marketplace/active-directory/
You would have to sync users into Microsoft's Azure AD cloud (free):
http://msdn.microsoft.com/en-us/library/azure/dn790204.aspx
And you'd want to set up Federation for a true SSO experience (as long as you implement Windows Integrated Authentication):
http://social.technet.microsoft.com/wiki/contents/articles/9082.office-365-and-adfs-active-directory-federation-service-installation.aspx
This is not a "Holy Grail", and VERY doable. I'm honestly very surprised that the Slashdot community is so unaware of these services.
gives you single sign on to GoogleApps, but the AD password is never synched to Google (uses a saml-assertion). Keeps your passwords where they belong
Would have been a better title for this fetid attempt of a post. Why is OP not unemployed?
Are parents comfortable putting all their childrens' information into the cloud?
I honestly don't like that everything my child did during K-12 would be impossible to delete, accessible by subpoena as an adult, can and will be used by cloud providers to track EVERYTHING!
Here is a link of information on Oracle's Single Sign on Solution, should you have any questions feel free to reach out and I can walk you through the in's and out's of this solution.
http://www.oracle.com/us/products/middleware/identity-management/oracle-enterprise-sso/overview/index.html
Danielle.Koelliker@oracle.com
PS I am not an anonymous coward, I just dont feel like dealing with creating a name for myself for this forum, I hope this helps, good luck! :)