Is it possible to achieve SSO with the built-in OpenId on App Engine? I've been trying to integrate a Marketplace app and get the user logged in when coming from Google Apps (the admin panel or universal navigation). I failed miserably, then now I found this:

"The one exception to this is applications which do hybrid OpenID/OAuth — whitelisting does not currently work with this approach." (from here)

I assume that I have to implement OpenId using a library instead of using the built-in one to achieve SSO with Google Apps in my app? Or if it is possible with built-in OpenId, is there an example anywhere that shows how to do this?

Later Google posted an article about how to do it in Python:

http://code.google.com/googleapps/marketplace/tutorial_python_gae.html

The summary is:

• You must whitelist your "OpenID realm" (the app domain) in the Marketplace manifest XML.
• The entry point used for the Google's universal navigation must contain the current Google Apps domain.
• The entry point in your app redirects the user passing the Google Apps domain as federated_identity.

For example:

from google.appengine.api import users

# [...]

login_url = users.create_login_url(dest_url='http://my-app.appspot.com/',
                                   _auth_domain=None,
                                   federated_identity=google_apps_domain_name)
self.redirect(login_url)

This worked for me in Java:

Set<String> attributesRequest = new HashSet<String>();
String loginRealm = "http://myapp.appspot.com"; //Important that it is exactly the same as in application-manifest.xml, watch out for trailing slashes.
String destinationURL = req.getRequestURI() + "?" + req.getQueryString();
String federatedIdentity = null;
String authDomain = req.getParameter("hd"); //hd is the default parameter name. Contains the google apps domain name of the user logging on. example.com for example.
String loginUrl = userService.createLoginURL(destinationURL, federatedIdentity, authDomain, attributesRequest);     

Make sure to include

<Edition id="free">
    <Name>Cloud App Studio</Name>
    <Extension ref="navLink" />
    <Extension ref="realm" />
</Edition>

in the application-manifest.xml. That is, if it's free. The important part is to include the ref to realm.

Err, I haven't got the full scoop on this feature, but I do use both JanRain Engage (which Stackoverflow uses) with GAE apps. I think openid4java could do the job as well.

you didn't specify which language you are using. if it is java there is google library for openid+oauth.

http://code.google.com/p/step2/

Did you already know this link?

UserService userService = UserServiceFactory.getUserService();

if (userService.isUserLoggedIn()) {
  User user = userService.getCurrentUser();
  /* ...Do something with user.getFederatedIdentity(), which is the OpenID URL. */
}