FYI – If you have not seen this yet, please review. It’s critical that you update all SSO code to reflect the new security requirements; otherwise, SSO will be turned off on this date. Contact us if you need assistance.
Hello Google Apps admin for <DOMAIN>,
We recently notified you about a critical vulnerability involving your Google Apps single sign-on (SSO) implementation. Our records indicate that you are still at risk and must take action. Please correct this security risk immediately.
For your protection, if you have not secured your sign-in application by August 28th, 2008 at 12:01 am Pacific Time, we will disable SSO for your domain. We would like to emphasize that we do not believe this vulnerability has been exploited, but we reserve the right to disable SSO for your domain even earlier if we receive reports that this vulnerability has been exploited for other domains before then. This will protect your data, but your users will be unable to access Google Apps.
To secure your sign-in application, you must include the Recipient attribute in the SAML response.
If your sign-in application is derived from our sample code, please refer to the latest version of the sample code for the changes you’ll need to make to your own code. The updates to the sample code are also described in the link above. If your sign-in application was not derived from our sample code (e.g. it is a third-party identity provider software), please forward this information to the developers of the identity provider software. If you have any questions, please email apps-sso-support@google.com.
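
One way to confirm that your identity provider's output carries the attribute, as an added example that is not part of the notice or of Google's sample code. It assumes a SAML 2.0 response in which Recipient sits on the bearer SubjectConfirmationData element; the ACS URL, issuer and user below are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
EXPECTED_ACS = "https://sp.example.com/acs"  # constructed placeholder, not a real endpoint


def sample_response(confirmation_attrs):
    """Build a constructed, unsigned SAML 2.0 response for exercising the check."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2008-08-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-08-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData {confirmation_attrs}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def check_recipient(xml_text, expected_acs):
    """Lint IdP output: return a list of problems, empty if Recipient is bound correctly.

    This only checks the Recipient attribute; it does not validate the signature.
    Run it on responses from your own IdP, not on untrusted XML.
    """
    problems = []
    assertions = ET.fromstring(xml_text).findall("saml:Assertion", NS)
    if not assertions:
        problems.append("response contains no Assertion")
    for assertion in assertions:
        aid = assertion.get("ID", "?")
        confirmations = [c for c in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS)
                         if c.get("Method") == BEARER]
        if not confirmations:
            problems.append(f"{aid}: no bearer SubjectConfirmation")
        for conf in confirmations:
            data = conf.find("saml:SubjectConfirmationData", NS)
            recipient = data.get("Recipient") if data is not None else None
            if recipient is None:
                problems.append(f"{aid}: Recipient attribute missing")
            elif recipient != expected_acs:
                problems.append(f"{aid}: Recipient {recipient!r} does not match {expected_acs!r}")
    return problems
```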