By: Vipin Jain named 19 Jul 2017 at 12:26 p.m. CDT

5 Responses
Hello Team, we are working on a setup where Google will be the authentication for the integrated apps, the authenticated Google user will then be created in Active Directory, and Gluu will talk to AD to send the SAML assertion. Does Gluu support this, or are there any technical challenges in setting it up? Thanks

By Mohib Zico staff 19 Jul 2017 at 1:02 p.m. CDT

Hi Vipin, if I understood your question correctly (please correct me if I am wrong):

> where Google will be the authentication for Apps integrated

Ok, that's out of Gluu Server's territory.

> and then authenticated google user will be created in Active Directory

Also out of Gluu Server's territory. Your org/admin will decide how they can 'sync' newly created users from Google into the backend AD.

> and Gluu will talk to AD to send the SAML assertion.

Yes, just create a trust relationship inside Gluu Server with those SPs.

If the above assumptions are correct:

- You need to configure Cache Refresh in your Gluu Server with your backend AD. Gluu Server will sync / authenticate against AD.
- You need to create a Trust Relationship with those SPs, so authenticated users will go to the SP through Gluu Server.

By William Lowe user 19 Jul 2017 at 3:57 p.m. CDT

Vipin, I think we may need some more clarification on the design. If you want to use Google to authenticate users for apps that connect to your Gluu server, you could simply use the [Google authentication mechanism](https://gluu.org/docs/ce/authn-guide/google/).

By Thomas Maerz user 19 Jul 2017 at 6:51 p.m. CDT

Here is what you can do with Google, Gluu, and AD:

- Synchronize users from AD to Gluu LDAP and configure oxAuth to point authentication requests to AD.
- Configure a SAML 2.0 trust relationship with Google Apps, with Gluu (oxTrust) as IdP and Google Apps as SP. This will get you AD authentication to Google via Gluu SAML (Shibboleth).
- You can then use GADS (Google Apps Directory Sync) to synchronize users/groups/OU structure from AD to Google Apps.

You may or may not be able to authenticate 3rd party apps against your Google Apps logged-in user in this manner using Google's OAuth.

OR (without Gluu or SAML at all): Google Apps Directory Sync + Google Apps Password Sync tool. I believe this option lets you use Google Apps as a cloud SAML or OAuth IdP for 3rd party apps, but your credentials are stored in the cloud.

Almost all of this is probably outside the scope of Gluu support. There is a guide in the docs on how to configure a trust relationship with Google Apps and Gluu, though.

By Vipin Jain named 20 Jul 2017 at 4:37 a.m. CDT

Thanks a lot for the multiple answers. Basically, what I understand is that we would need to store data within Gluu's internal LDAP for any SAML transactions so that it can pass attributes. Thanks

By Mohib Zico staff 20 Jul 2017 at 5:37 a.m. CDT

> Basically what i understand that we would need to store data within Gluu Internal LDAP for any SAML transactions so that it can pass attributes.

Yes, store or 'cache'. Any identity provider would need that. The thing is, if you use Cache Refresh, you don't need to store the user's password in Gluu Server.