FYI – If you have not seen this yet, please review. It’s critical that you update all SSO code to reflect the new security requirements; otherwise, SSO will be turned off on this date. Contact us if you need assistance.

Hello Google Apps admin for <DOMAIN>,

We recently notified you about a critical vulnerability involving your
Google Apps single sign-on (SSO) implementation. Our records indicate
that you are still at risk and must take action. Please correct this
security risk immediately.

For your protection, if you have not secured your sign-in application
by August 28th, 2008 at 12:01 am Pacific Time, we will disable SSO for
your domain. We would like to emphasize that we do not believe this
vulnerability has been exploited, but we reserve the right to disable
SSO for your domain even earlier if we receive reports that this
vulnerability has been exploited for other domains before then. This
will protect your data, but your users will be unable to access Google

To secure your sign-in application, you must include the Recipient
attribute in the SAML response. Learn more here:

If your sign-in application is derived from our sample code, please
refer to the latest version of the sample code for the changes you’ll
need to make to your own code. The updates to the sample code are
also described in the link above.

If your sign-in application was not derived from our sample code (e.g.
it is a third-party identity provider software), please forward this
information to the developers of the identity provider software.

If you have any questions, please email firstname.lastname@example.org.
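
One way to check a sign-in application's output for the Recipient requirement in the notice above. This is an added example, not part of the original message and not Google's sample code. It assumes a SAML 2.0 response, where the Recipient attribute sits on SubjectConfirmationData; the ACS URL, the function names and the sample responses are constructed placeholders.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, parse with defusedxml instead

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_ACS = "https://sp.example.com/acs"  # placeholder, not a real service URL


def check_recipient(response_xml, expected_acs=EXPECTED_ACS):
    """Return findings; an empty list means every assertion names the expected recipient."""
    findings = []
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)
    if not assertions:
        findings.append("no Assertion element found")
    for assertion in assertions:
        aid = assertion.get("ID", "<no ID>")
        data = assertion.findall(
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if not data:
            findings.append(f"{aid}: no SubjectConfirmationData element")
        for element in data:
            recipient = element.get("Recipient")
            if recipient is None:
                # Without Recipient, nothing in the response names its intended consumer.
                findings.append(f"{aid}: Recipient attribute missing")
            elif recipient != expected_acs:
                findings.append(f"{aid}: Recipient {recipient!r} is not the expected ACS URL")
    return findings


def sample_response(recipient_attr):
    """Constructed, unsigned sample response; recipient_attr is spliced into the element."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="r1" Version="2.0">'
        '<saml:Assertion ID="a1" Version="2.0"><saml:Subject>'
        '<saml:NameID>user@example.com</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData {recipient_attr}/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    for attr in ("", 'Recipient="https://other.example.net/acs"',
                 f'Recipient="{EXPECTED_ACS}"'):
        result = check_recipient(sample_response(attr))
        print(attr or "(no Recipient)", "->", result or "OK")
```

Run it against a response captured from your own identity provider in a test login, with `expected_acs` set to the assertion consumer URL your service provider documents.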