More information about the Underscore mailing list

[_] Detecting Google SSO ability

Matt Hamilton matth at
Tue Nov 5 10:35:42 GMT 2013

Hi all,
  Just thought I’d see if anyone else tackled this before I do. We have a client who wants to use Google as an SSO option for their intranet. We’ve gone ahead and implemented that as a test which was pretty easy and just a case of installing the right Plone plugins to do OAuth (actually we are using Velruse to abstract the SSO bit).

So we now have a link on the intranet login page that says ‘Login via Google’ and they can click on it and it takes them via Google and back (prompting for Google credentials if necessary).

Now the client has come back saying ‘We thought it would be automatic, and no need to click on a link?’. Now, the issue is that the people with Google Apps access is only a small (but vocal) fraction of the overall userbase. Now, there would be no way to ‘detect’ that they were already authenticated via Google, as we would not be able to see the cookies google has set.

So the only two options I can think of are:

1) They do as above first time, and *we* set a cookie when they successfully return from Google saying that they are google-sso-able and so next time we can optimistically auto-redirect them via the Google login process

2) Attempt to redirect in the background somehow. We’ve done this previously with Kerberos in that we have a kerberos protected small JS file with a redirect in it. If the browser is able to load that file (i.e.. successfully authenticates via Kerberos) then the redirect happens. Otherwise they stay on the login page and manually type in credentials. I don’t think this approach could work with OAuth as it may require the user to fill in credentials on another site (google) i.e. can’t be totally in the background.

Any other ideas? Anyone else solved anything like this already? Or know of any cunning tips, tricks, or hooks I can use to detect if someone is/can authenticate via Google?


Matt Hamilton, Technical Director
Netsight Internet Solutions Limited
Tel: 0117 90 90 90 1 Ext. 13

Registered in England No. 3892180
Registered office: 40 Berkeley Square, Clifton, Bristol, BS8 1HU