How do I use SAML for SSO with AD for Google-Hosted Services?

We're a small-ish educational institution whose school email is through Google Apps for Education. We have contracted with an external vendor who is provisioning accounts for Google by getting a list of students from our AD who do not have an email account already provisioned. Once provisioned, the student authenticates to Google services by using their AD account credentials (which is how they access network resources while on campus).

I've been looking into saving a bit of $$ by bringing this process 开发者_StackOverflowin-house but have been struggling while seeking tangible examples of how to go about doing this. The documentation that I did find has a deprecation warning. Is SAML still how this authentication scheme would be handled? If so, can someone help point me in the correct direction for this?

I've looked through the similar questions and none of them really seem to help.

Python and .NET are accepted solution implementations here.

There are two ways for SSO authentication. SP-initiated IDP-initiated

For SP-initiated on google apps you need to:

* Created a certificate and a private key using openssl toolkit or any other tool.
* Upload this certificate to the Google Apps single sign on settings.
* Give login URL to your application etc.

After saving setting on google are done. Now you need to write a code that wil accept request token from google and after parsing send it back to google app.

For code on your side you will use openSAML libraries. You will also need a keystore(*.jks) in order to make SAML response signed.

These links will help you. SAML token help. See this answer.