Tags: google-provisioning-api, google-reseller-api, google-admin-settings-api

Attempting to GET Google Apps Single Sign-On Signing Key via API


I'm receiving an interesting error from the Google Apps admin settings API when attempting to retrieve the Single Sign-On key for updating (creating) it the first time. We're looking to do this via the API only, but it appears as though the API is making the assumption the signing key has already been created client-side. The following GET request is failing with the error below:

GET https://apps-apis.google.com/a/feeds/domain/2.0/ruby-alphaz.co/sso/signingkey

The response error is as follows:

SimpleXMLElement Object
(
    [error] => SimpleXMLElement Object
        (
            [@attributes] => Array
                (
                    [errorCode] => 1408
                    [invalidInput] => 
                    [reason] => InvalidSsoSigningKey
                )
        )
)

I'm able to update Single Sign-On settings without a problem, but the signing key endpoint is causing problems. To be clear, no signing key currently exists for the domain, but the domain instructions are to attempt to retrieve the XML via the endpoint to ensure it has the proper id parameter set so I can follow up with a subsequent PUT response to create/update the signing key.

The documentation that I'm following is here:

https://developers.google.com/google-apps/admin-settings/#retrieving_the_single_sign-on_signing_key

I know for a fact that my Auth token headers are set properly as they work for other endpoints.

Any ideas?

Update (and Solution)

After conversing with Jay in the comments section of the below answer, it turns out the solution to the problem is as follows:

  1. If you perform a GET request to https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/sso/signingkey and receive an XML response with the InvalidSsoSigningKey error, first ensure that you have enabled SSO via the https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/sso/general endpoint.
  2. If you're sure that you've enabled SSO and still receive the InvalidSsoSigningKey error, it is likely because you do not yet have an uploaded signing key. While it isn't readily documented, you may perform a PUT request to https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/sso/signingkey with the following format to create your signing key:

    <?xml version="1.0" encoding="UTF-8"?> 
    <atom:entry xmlns:atom="http://www.w3.org/2005/Atom" xmlns:apps="http://schemas.google.com/apps/2006"> 
        <apps:property name="signingKey" value="[YOUR_BASE64_ENCODED_CERTIFICATE_VALUE]" /> 
    </atom:entry>
    
  3. From now on, you should be able to successfully issue GET requests to https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/sso/signingkey and receive a valid response. Future updates will need to utilize this GET response as it contains the proper id parameter.


Solution

  • I filed an issue about this back in 2009, feel free to star it:

    http://code.google.com/a/google.com/p/apps-api-issues/issues/detail?id=1527

    You need to enable SSO in order to retrieve the key.

    And yes, that means you can't check the key matches properly before enabling SSO.

    You don't need to do the GET before doing the PUT. Just create the XML manually. See how GAM does it:

    http://code.google.com/p/google-apps-manager/source/browse/trunk/gdata/apps/adminsettings/service.py#363
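
The sequence the question's Update works out (enable SSO on `/sso/general`, then PUT the key) and the shortcut from the answer (PUT the XML directly, no GET first) are shown end to end below, as an added example that is not code from the original post or from GAM. It builds the atom:entry bodies, parses the error document quoted in the question, and drives the three requests against a stubbed transport that mimics the behaviour described in the thread (GET on `/sso/signingkey` answers `InvalidSsoSigningKey` until SSO is enabled and a key exists), so it runs offline. The `/sso/general` property names (`enableSSO`, `samlSignonUri`, `samlLogoutUri`, `changePasswordUri`) are assumed from the Admin Settings API documentation, the `AppsForYourDomainErrors` root element is assumed from the GData error format, and the domain and certificate PEM are constructed sample data. Note that the `signingKey` value is the base64 DER of the public certificate, which is exactly the body of a PEM file with the BEGIN/END lines and line breaks removed; the private key never leaves the IdP.

```python
"""Added example (not from the original post or from GAM): build the
Admin Settings API SSO requests, parse its error XML, and run the
enable-SSO / PUT-key / GET-key sequence against an offline stub."""
import re
import xml.etree.ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"
APPS = "http://schemas.google.com/apps/2006"
BASE = "https://apps-apis.google.com/a/feeds/domain/2.0"
DOMAIN = "example.com"  # constructed sample domain

# Constructed sample: PEM framing around placeholder base64, not a real certificate.
SAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBszCCARwCCQDPlaceholderNotARealCertificateAAAAAAAAAAAAAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
-----END CERTIFICATE-----"""


def build_entry(properties):
    """Serialize name/value pairs into the atom:entry/apps:property body the
    API expects (same shape as the XML quoted in the question)."""
    ET.register_namespace("atom", ATOM)
    ET.register_namespace("apps", APPS)
    entry = ET.Element(f"{{{ATOM}}}entry")
    for name, value in properties.items():
        ET.SubElement(entry, f"{{{APPS}}}property", name=name, value=value)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(entry, encoding="unicode")


def pem_to_signing_key(pem):
    """Return the base64 DER body of a certificate PEM, which is what the
    signingKey property carries. Only the public certificate is uploaded:
    refuse anything that looks like a private key."""
    if "PRIVATE KEY" in pem:
        raise ValueError("signingKey must be the certificate, never the private key")
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return "".join(body.split())  # one line, no whitespace


def parse_error(xml_text):
    """Return (errorCode, reason) from an Admin Settings error document,
    e.g. ('1408', 'InvalidSsoSigningKey'), or None if no <error> is present."""
    err = next(ET.fromstring(xml_text).iter("error"), None)
    return None if err is None else (err.get("errorCode"), err.get("reason"))


def properties_of(entry_xml):
    """Flatten an atom:entry response into a {name: value} dict."""
    return {p.get("name"): p.get("value")
            for p in ET.fromstring(entry_xml).iter(f"{{{APPS}}}property")}


def provision_sso(domain, sso_settings, cert_pem, send):
    """Enable SSO, PUT the signing key directly (no GET first), then GET it
    back to confirm. `send(method, url, body)` returns (status, body_text)."""
    general = f"{BASE}/{domain}/sso/general"
    signing = f"{BASE}/{domain}/sso/signingkey"
    status, body = send("PUT", general, build_entry(sso_settings))
    if status != 200:
        raise RuntimeError(f"enabling SSO failed: {parse_error(body)}")
    status, body = send("PUT", signing, build_entry({"signingKey": pem_to_signing_key(cert_pem)}))
    if status != 200:
        raise RuntimeError(f"uploading signing key failed: {parse_error(body)}")
    status, body = send("GET", signing, None)
    if status != 200:
        raise RuntimeError(f"reading signing key back failed: {parse_error(body)}")
    return properties_of(body)


class FakeAdminSettings:
    """Offline stub of the behaviour described in the thread: /sso/signingkey
    answers InvalidSsoSigningKey until SSO is enabled and a key has been PUT."""
    # Constructed error document, following the SimpleXMLElement dump in the question.
    ERROR = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<AppsForYourDomainErrors><error errorCode="1408" invalidInput="" '
             'reason="InvalidSsoSigningKey" /></AppsForYourDomainErrors>')

    def __init__(self):
        self.sso_enabled, self.key, self.calls = False, None, []

    def send(self, method, url, body):
        self.calls.append((method, url.split("/2.0/", 1)[1]))
        props = properties_of(body) if body else {}
        if url.endswith("/sso/general") and method == "PUT":
            self.sso_enabled = props.get("enableSSO") == "true"
            return 200, body
        if url.endswith("/sso/signingkey"):
            if method == "PUT" and self.sso_enabled:
                self.key = props["signingKey"]
            if not self.sso_enabled or self.key is None:
                return 400, self.ERROR
            return 200, build_entry({"signingKey": self.key})
        return 404, self.ERROR


def demo():
    """Run the full sequence against the stub; returns (calls, key entry)."""
    fake = FakeAdminSettings()
    settings = {  # property names assumed from the Admin Settings API docs
        "enableSSO": "true",
        "samlSignonUri": "https://idp.example.com/sso",
        "samlLogoutUri": "https://idp.example.com/logout",
        "changePasswordUri": "https://idp.example.com/password",
    }
    return fake.calls, provision_sso(DOMAIN, settings, SAMPLE_CERT_PEM, fake.send)


if __name__ == "__main__":
    print(demo())
```

Against the real service the `send` callable would be a thin wrapper that adds the `Authorization` header and issues the HTTP request; the stub stands in for it here only so the sequencing and error handling can be exercised without credentials.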