We've signed up for the 30-day trial of Google Apps for Business. When you create your domain you get a unique login URL like "www.google.com/a/ourdomain.com".
By default the browser offers to cache the user's credentials, whether they log in at that URL or at just plain old www.google.com. There is no practical way to prevent browsers from offering to cache user credentials at all those portals. I cannot depend on my users to log in at our custom portal -- I have to assume they will log in wherever it is most convenient, and let the browser cache their credentials, whether they're at home, at Starbucks, at a hotel, etc.
Google support says they can't change this except on our custom login page, which they did at my request (but I don't have direct control over that). They want me to lock down the browsers, which is impractical.
Anyone know how to make this more secure? Do I need to be looking at SSO and Active Directory Federation Services? Or would SSO only work on our custom login page and not all the other potential Google login portals?