Our company has a web application that is only used internally by our employees. We also have Google Apps Premier Edition. We would like to make it so our employees can log into our private web application using the Google Apps account that they already have.

Requirements: We want to display our own login form. We don't want to pass the email/password in plain text through the internet.

Which authentication mechanism should we use to achieve this?

Note: our application is written in PHP using Zend Framework (if that matters).

A: 

I would look into some combination of OpenID and your domain users (i.e. only let those at domain.com log in).

Google API

They also have libraries for PHP and other languages that you can leverage to make this happen.

EDIT:

Some more info

Tommy
A: 

When it comes to integrating Google Apps and an internally used private system, we simply have two options.

  1. Use Google as the authentication center. Modify the private system to authenticate at Google's server. We could use OpenID or AuthSub. Check http://code.google.com/apis/accounts/docs/OpenID.html and http://code.google.com/apis/accounts/docs/AuthSub.html for more information.
  2. Use the private system as the authentication center. In this case, we have to implement the SAML protocol in the private server and configure Google Apps' SSO settings. Check http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html for more information.

It is easier to accomplish SSO with the first method since there's already a bunch of OpenID libraries out there. But, as you described in the requirements, you want to use your own login form. So I guess you have to go with the second method.

BTW, if your private system has to get or set information from Google, you may want to use OAuth for authorization. See http://code.google.com/apis/accounts/docs/OAuth.html for more information.

adieu
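With the second option above, the private application becomes the SAML identity provider (IdP) and Google Apps the service provider: when a user opens a Google Apps page, Google redirects the browser to the IdP's SSO URL with a `SAMLRequest` parameter (the AuthnRequest, DEFLATE-compressed and base64-encoded per the HTTP-Redirect binding) and an opaque `RelayState`. The IdP must decode and check that request before it shows its own login form, and later echo the request ID back as `InResponseTo`. The following is an added example, not code from either answer or from Google's reference implementation, written in Python rather than the asker's PHP because the handling is the same in any language. The Google Apps domain `example.com`, the ACS URL, the IdP login URL and the sample request values are all constructed for the example.

```python
"""Added example: IdP-side decoding and validation of a Google Apps SAML AuthnRequest.
Not from the answers or from Google's reference implementation; all values are constructed."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumptions for this example: our Google Apps domain is example.com, so the only
# AssertionConsumerService we will ever post a Response to is Google's ACS for that
# domain, and Google identifies itself with Issuer "google.com".
EXPECTED_ISSUER = "google.com"
EXPECTED_ACS_URL = "https://www.google.com/a/example.com/acs"
SSO_LOGIN_URL = "https://intranet.example.com/sso/login"  # hypothetical IdP endpoint


def encode_saml_request(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64.
    Used here only to build the constructed sample request."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_saml_request(saml_request_param: str, max_bytes: int = 64 * 1024) -> bytes:
    """Reverse the binding: base64-decode, then raw-inflate with an output cap so a
    tiny compressed blob from an unauthenticated caller cannot expand without bound."""
    raw = base64.b64decode(saml_request_param, validate=True)
    d = zlib.decompressobj(-15)
    xml_bytes = d.decompress(raw, max_bytes)
    if not d.eof or d.unconsumed_tail:
        raise ValueError("SAMLRequest inflates beyond %d bytes" % max_bytes)
    return xml_bytes


def parse_authn_request(xml_bytes: bytes) -> dict:
    """Extract the fields the IdP needs. (A production IdP should parse untrusted XML
    with a hardened parser such as defusedxml; ElementTree is used here for brevity.)"""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    issuer_el = root.find("{%s}Issuer" % SAML)
    return {
        "id": root.get("ID"),
        "version": root.get("Version"),
        "issue_instant": root.get("IssueInstant"),
        "issuer": (issuer_el.text or "").strip() if issuer_el is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "provider_name": root.get("ProviderName"),
    }


def validate_authn_request(req: dict) -> list:
    """Return a list of problems; empty means the IdP may answer this request.
    Everything later copied into the Response (InResponseTo, Destination) is
    checked here, so an unexpected request is refused instead of answered."""
    problems = []
    if not req["id"]:
        problems.append("missing ID (needed for InResponseTo)")
    if req["version"] != "2.0":
        problems.append("unsupported SAML version %r" % req["version"])
    if req["issuer"] != EXPECTED_ISSUER:
        problems.append("unexpected Issuer %r" % req["issuer"])
    if req["acs_url"] != EXPECTED_ACS_URL:
        problems.append("unexpected AssertionConsumerServiceURL %r" % req["acs_url"])
    return problems


def handle_redirect(url: str) -> tuple:
    """Entry point for the IdP's SSO login URL: (parsed request, problems, relay_state)."""
    query = parse_qs(urlparse(url).query)
    saml_request = query["SAMLRequest"][0]
    relay_state = query.get("RelayState", [None])[0]  # opaque; echoed back unchanged later
    req = parse_authn_request(decode_saml_request(saml_request))
    return req, validate_authn_request(req), relay_state


# Constructed sample, modelled on the shape of the AuthnRequest Google Apps sends.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" '
    'ID="CONSTRUCTED-REQUEST-ID-1" Version="2.0" IssueInstant="2010-01-01T00:00:00Z" '
    'ProviderName="google.com" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="%s">'
    '<saml:Issuer>google.com</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="true" '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>'
    '</samlp:AuthnRequest>'
) % (SAMLP, SAML, EXPECTED_ACS_URL)


def sample_redirect_url(acs_url: str = EXPECTED_ACS_URL) -> str:
    """Build the redirect Google would issue; a non-default acs_url simulates a request
    asking us to post the assertion somewhere other than our own Google Apps domain."""
    xml_text = SAMPLE_AUTHN_REQUEST.replace(EXPECTED_ACS_URL, acs_url)
    params = {"SAMLRequest": encode_saml_request(xml_text), "RelayState": "constructed-relay-state"}
    return SSO_LOGIN_URL + "?" + urlencode(params)


if __name__ == "__main__":
    for url in (sample_redirect_url(), sample_redirect_url("https://not-our-domain.example/acs")):
        req, problems, relay = handle_redirect(url)
        print(req["id"], req["acs_url"], "OK" if not problems else problems)
```

Only after `validate_authn_request` returns no problems should the IdP render its own login form, keep `id` and `RelayState` in the session, and, once the employee has authenticated locally, build and sign the SAML Response (the part Google's reference implementation and a SAML library handle) for POSTing to the checked ACS URL. The password never leaves the intranet, which satisfies both requirements in the question.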