Nothing is more important to us than the security of your users'
data. We are emailing you because we have detected that your Google
Apps single sign-on (SSO) implementation may be vulnerable to a
theoretical security hole. We would like to emphasize that we have
not received any reports of this vulnerability being exploited.

In order to improve the security of Google Apps SSO, we have added a
requirement on the data your sign-in application (identity provider)
sends. You must update your sign-in application by the end of August
2008. The new requirement is described here:
http://code.google.com/apis/apps/faq.html#recipient

If your sign-in application is derived from our sample code, please
refer to the latest version of the sample code for the changes you'll
need to make to your own code. The updates to the sample code are
also described in the link above.

If your sign-in application was not derived from our sample code, e.g.
it is third-party identity provider software, please forward this
information to the developers of the identity provider software.

Important Notes:
- We will begin enforcing this new requirement on your sign-in
application by the end of August 2008.
- In the meantime, we will continue to accept the current responses
from your sign-in application so that your users can continue to sign
in to Google Apps.
- If you are unable to update your sign-in application by the end of
August 2008, please email .
- If you are about to deploy Google Apps SSO for new domains, you
will need to ensure this new requirement is met for those domains
prior to deployment.

If you have any questions, please email .

Thank you for your consideration.

The Google Apps Team