From the Apps Marketplace
An application listed in the Google Apps Marketplace comprises a number of extensions. These extensions can include universal navigation links and OpenID realms. If an application specifies an OpenID realm extension and a user logs in to the application via a URL that matches the specified realm, then the user is signed in via Single Sign-On using his Google Apps credentials and does not see the traditional OpenID authorization screen.
When a user logs in via this method, the web site has access to information, including name and email address, about that user.
To see which OpenID realms are specified by an application, open that application's Settings page in the Google Admin console.
Google Apps for Business and Education: Regardless of whether you have enabled or disabled OpenID for your domain (Dashboard > Security > Advanced settings in the Admin console), if an application identifies OpenID realms, then your users can sign in to the application via those realms. In this case, the whitelisting of the realm overrides the OpenID settings in the Admin console, and the realm is whitelisted under all circumstances.
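Because a realm listed by an application is whitelisted regardless of the domain's OpenID setting, it is worth checking how many sign-in URLs a given realm actually covers. The sketch below is an added example, not code from Google or from the original page. It assumes the realm-matching rules of OpenID Authentication 2.0, section 9.2 (identical scheme and port, equal or sub-directory path, optional `*.` wildcard host); the names `realm_matches` and `audit` and the sample realms and URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _parts(url):
    """Split a URL into (scheme, host, port, path), filling in default ports."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    return scheme, (u.hostname or "").lower(), port, u.path or "/"

def realm_matches(realm, url):
    """Assumed rule set (OpenID 2.0 section 9.2): does `url` fall under `realm`?"""
    if "#" in realm:                      # a realm must not carry a fragment
        return False
    wildcard = "://*." in realm           # "*." prefix widens the realm to subdomains
    r_scheme, r_host, r_port, r_path = _parts(realm.replace("://*.", "://", 1))
    u_scheme, u_host, u_port, u_path = _parts(url)
    if r_scheme not in DEFAULT_PORTS or (r_scheme, r_port) != (u_scheme, u_port):
        return False
    if wildcard:
        host_ok = u_host == r_host or u_host.endswith("." + r_host)
    else:
        host_ok = u_host == r_host
    # Path must be equal to, or a sub-directory of, the realm path.
    base = r_path if r_path.endswith("/") else r_path + "/"
    path_ok = u_path == r_path or u_path.startswith(base)
    return host_ok and path_ok

def audit(realms, urls):
    """Map each realm to the subset of sign-in URLs it would cover."""
    return {r: [u for u in urls if realm_matches(r, u)] for r in realms}

# Constructed sample data (not from the original page).
REALMS = ["https://*.example.com/", "https://app.example.net/sso"]
URLS = [
    "https://login.example.com/openid/return",
    "https://example.com/",
    "http://login.example.com/openid/return",       # scheme (and port) differ
    "https://app.example.net/sso/callback",
    "https://app.example.net/sso-legacy/callback",  # not a sub-directory of /sso
    "https://notexample.com/",                      # shares a suffix, not a subdomain
]

if __name__ == "__main__":
    for realm, covered in audit(REALMS, URLS).items():
        print(realm, "->", covered)
```

A wildcard realm covers every subdomain of the host, so realms of that form deserve the closest look when reviewing an application's Settings page.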
From the Admin console
An application listed in the Google Apps Marketplace in the Admin console can access specific data granted at install via OAuth2. With that access, an application may automatically sign in users if they navigate via the Universal Navigation URL or browse to the app directly. In either case, the application will be able to identify a user with their Google ID and/or domain email, which enables the application to access additional profile data like Profile Picture and any data access granted by the admin and/or user.
Certain types of applications designed for complex administered workflows, such as synchronization of identity systems, may require the ability to act on behalf of, or access the data of, any user in the domain. These applications might still implement SSO, but note that they provide the application with access to every user's data that was granted.