In search of a better way, I came upon the mod_auth_openid Apache2 module, which uses OpenID to implement user authentication for Apache2. If you're curious about how to implement the Apache2 OpenID module, here's how we got things to work.
1. First, you need to make sure you've enabled OpenID Federated Login on your Google Apps domain. See this link (item #1) for more information.
2. If you're running Ubuntu v10.04, the mod_auth_openid that comes with the package is v.3, which doesn't include the AuthOpenIDAXUsername feature added in v0.6. You will need to download and compile your own version of mod_auth_openid from http://findingscience.com/mod_auth_openid/releases.html. You can also fork a copy of the source at git://github.com/bmuller/mod_auth_openid.git
3. You'll need, at a minimum, these packages to install mod_auth_openid. Without automake, you'll be unable to run the autogen.sh shell script, which has other dependencies. Curl (v4) needs to be installed, as well as the libopkele-dev package.
    sudo apt-get install automake
    sudo apt-get install autotools-dev
    sudo apt-get install libtool
    sudo apt-get install libtidy-dev
    sudo apt-get install libcurl4-openssl-dev
    sudo apt-get install libopkele-dev
Your installation would then be:
    ./autogen.sh
    ./configure
    make
4. The next step is to run autogen.sh, configure, and make the mod_auth_openid code. Once you've successfully compiled it, you need to copy src/.libs/mod_auth_openid.so to /usr/lib/apache2/modules. Your Apache2 configuration needs to look like:
    # LoadModule is only valid at server level, so it sits outside <Location>
    LoadModule authopenid_module /usr/lib/apache2/modules/mod_auth_openid.so
    <Location "/">
        AuthType OpenID
        require valid-user
        AuthOpenIDTrusted ^https://www.google.com/accounts/o8/ud
        # Trailing $ so the match must end at your domain
        AuthOpenIDAXRequire email http://openid.net/schema/contact/email @yourgoogleappsdomain\.com$
        AuthOpenIDSingleIdP https://www.google.com/accounts/o8/id
        AuthOpenIDAXUsername email
        # Off for now; set to On once the site is served over HTTPS so the cookie is marked Secure
        AuthOpenIDSecureCookie Off
    </Location>
The AuthOpenIDTrusted and AuthOpenIDSingleIdP directives ensure that Google Apps will be the only trusted Identity Provider (IdP). AuthOpenIDAXRequire requests the email of the user logging in through the http://openid.net/schema/contact/email attribute and forces it to match the regex for your Google Apps domain. The latter required a bit of trial and error after reading through the Getting Started documentation from Google to figure out.
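To check how strictly a domain regex like the one above restricts logins, the following added example (not part of the original post or of mod_auth_openid) audits the AuthOpenID directives of a config and runs the AuthOpenIDAXRequire pattern against constructed email values. It assumes the module applies the pattern as an unanchored search, as the leading ^ on the AuthOpenIDTrusted value suggests; example.com, the probe addresses and the helper names directives and audit are made up for illustration.

```python
import re

# Constructed config: directive names are from the page, example.com is a placeholder.
SAMPLE_CONF = r'''
<Location "/">
    AuthType OpenID
    require valid-user
    AuthOpenIDTrusted ^https://www.google.com/accounts/o8/ud
    AuthOpenIDAXRequire email http://openid.net/schema/contact/email @example\.com
    AuthOpenIDSingleIdP https://www.google.com/accounts/o8/id
    AuthOpenIDSecureCookie Off
</Location>
'''

# Constructed email values paired with whether the domain rule should admit them.
PROBES = [
    ("alice@example.com", True),
    ("alice@example.com.other.test", False),  # domain continues past .com
    ("alice@example.com@other.test", False),  # second @ after the expected domain
    ("alice@examplexcom", False),             # only passes if the dot is unescaped
]

def directives(conf):
    """Yield (name, args) per directive line, skipping comments and section tags."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            yield name, args

def audit(conf):
    """Return findings for the AuthOpenID directives found in conf."""
    findings, seen = [], set()
    for name, args in directives(conf):
        seen.add(name)
        if name == "AuthOpenIDTrusted" and not args[0].startswith("^"):
            findings.append("AuthOpenIDTrusted pattern is not anchored with ^")
        elif name == "AuthOpenIDAXRequire":
            pattern = re.compile(args[2])
            for value, expected in PROBES:
                admitted = pattern.search(value) is not None  # assumed: unanchored search
                if admitted != expected:
                    verb = "admits" if admitted else "rejects"
                    findings.append(f"AuthOpenIDAXRequire {args[2]} {verb} {value}")
        elif name == "AuthOpenIDSecureCookie" and args[0].lower() == "off":
            findings.append("AuthOpenIDSecureCookie is Off")
    if "AuthOpenIDSingleIdP" not in seen:
        findings.append("AuthOpenIDSingleIdP is not set")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

With a trailing $ on the pattern and AuthOpenIDSecureCookie set to On, the same audit returns no findings.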
There are other installation details about getting the plugin set up, but I hope this gives an intro about how to take advantage of some of the newest features of the Apache2 OpenID module!