4. Authentication with OpenID
- Most Marketplace Apps support OpenID
- This allows you to be the Identity Provider, if you choose to be (using SAML)
- Google will be the OpenID Provider
- If you currently utilize SAML-based authentication for Google Apps, you will be the Identity Provider
- If you log in to Google Apps using your Google password, Google will be the Identity Provider
5. Authenticating using the Google Password
- Certain Marketplace Apps require the users to log in using their Google password. These are mostly apps that get installed on the user’s desktop.
- Issues:
  - The app may use an insecure channel to transmit the credentials
  - The “remember me” feature may store the password unencrypted
  - The credentials may be used for unauthorized access
- Recommended Approach: Drive OAuth adoption for authorizing installed apps to access data residing in the Google Cloud
6. Authorization using OAuth
- OAuth is an open protocol that allows an installed app to access end-user information from a Google Account without requiring the user to enter their credentials into the app and without storing the credentials on the device.
- Google utilizes OAuth for granting third-party applications access to data residing in the user’s Google Account (e.g. GDocs, Gmail, GCal, etc.)
- OAuth provides for:
  - Delegated service authorization
  - Full user control over authorized services
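The two properties on slide 6 (delegated service authorization, user control over authorized services) can be seen in a small in-memory model. This is an added example, not code from the original deck and not Google's API; the class names, the user "alice", the scope names and the stored data are all constructed for illustration.

```python
import secrets

class AuthorizationServer:
    """Toy stand-in for the provider that issues and revokes grants (hypothetical)."""
    def __init__(self):
        self._grants = {}  # token -> (user, frozenset of approved scopes)

    def grant(self, user, scopes):
        # The user approves the app for specific services; the app receives
        # a random token and never handles the account password.
        token = secrets.token_urlsafe(32)
        self._grants[token] = (user, frozenset(scopes))
        return token

    def revoke(self, token):
        # The user withdraws the app's access without changing a password.
        self._grants.pop(token, None)

    def check(self, token, scope):
        grant = self._grants.get(token)
        if grant is None or scope not in grant[1]:
            return None
        return grant[0]

class ResourceServer:
    """Toy stand-in for the services holding the user's data (hypothetical)."""
    def __init__(self, auth, data):
        self._auth, self._data = auth, data  # data: {(user, scope): content}

    def read(self, token, scope):
        user = self._auth.check(token, scope)
        if user is None:
            raise PermissionError(f"token not authorized for {scope}")
        return self._data[(user, scope)]

def try_read(api, token, scope):
    try:
        return api.read(token, scope)
    except PermissionError:
        return "denied"

def demo():
    auth = AuthorizationServer()
    api = ResourceServer(auth, {("alice", "docs"): "Q3 plan", ("alice", "mail"): "inbox"})
    token = auth.grant("alice", ["docs"])           # app is delegated docs only
    results = {"docs": try_read(api, token, "docs"),
               "mail": try_read(api, token, "mail")}  # outside the grant
    auth.revoke(token)                               # user removes the app
    results["after_revoke"] = try_read(api, token, "docs")
    return results
```

A stored password, by contrast, would open every service in the account and could only be invalidated by changing it.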
8. [Diagram. Nodes: OpenID Provider (Google); Google Marketplace Apps (Relying Party); user OpenID Identifier (URI/XRI); Installed Apps; Data Stored in Google Cloud. Edge labels: Relies On; Authenticates; Uses; May Access; To Authorize; To Access.]