Bugzilla – Bug 6900
Allow use of Google account with OpenId
Last modified: 2010-01-12 22:00:19
Apparently the OpenID to use with Google is:
https://www.google.com/accounts/o8/id

See, among other pages:
http://weblogs.asp.net/meligy/archive/2009/07/28/small-tip-use-your-google-account-openid-url-but-what-s-the-url.aspx

But this fails with the following error currently with the GridShib-CA OpenId authentication:

OpenId error: The provided URL doesn't declare its OpenID identity server. (no_identity_server)
Two links that may be relevant to this:
http://googlecode.blogspot.com/2009/11/hybrid-onboarding.html
http://code.google.com/apis/accounts/docs/OpenID.html
Marlon Pierce's post on using Google OpenId with openid4java: http://communitygrids.blogspot.com/2009/12/quick-guide-to-using-googles-openid.html
Try other providers to see if this is a google-specific problem or not. See: http://openid.net/get-an-openid/
Another good test would be to test it with the new OpenId support in the Shib IdP: https://spaces.internet2.edu/display/SHIB2/IdP+OpenID Email sent asking if there is a testshib implementation with openid support.
(In reply to comment #3)
> Try other providers to see if this is a google-specific problem or not. See:
> http://openid.net/get-an-openid/

Verified GS-CA OpenId works with:
Blogger: vwelch.blogspot.com
MySpace: www.myspace.com/vonswelch (resolves to http://www.myspace.com/von_welch)
AOL: openid.aol.com/vonswelch
Suddenly this is working for me (and Jim) using an openid of:
https://www.google.com/accounts/o8/id

Not sure why it is working now. I cannot think of anything that has changed on the GS-CA end.

The resulting UserId is, uh, interesting:
UserId https://www.google.com/accounts/o8/id?id=AItOawmkHXcP0r7EcetS_1gR-5rmegCtAraGKww
IdP https://www.google.com/accounts/o8/ud

From looking at Marlon's post (comment #2), it looks like the email attribute contains a real email address, which would be a much friendlier username. I'm not currently pulling any OpenId attributes into the session, so I don't know if I'm getting the same attributes as Marlon.
In case problems come up with Google again, capturing what some interactions with Google look like when things are working:

% wget --no-check-certificate https://www.google.com/accounts/o8/id
...snip...
% cat id
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>

% wget --no-check-certificate https://www.google.com/accounts/o8/ud
--14:11:32-- https://www.google.com/accounts/o8/ud
=> `ud'
Resolving www.google.com... 209.85.225.105, 209.85.225.104, 209.85.225.106, ...
Connecting to www.google.com|209.85.225.105|:443... connected.
WARNING: Certificate verification error for www.google.com: unable to get local issuer certificate
HTTP request sent, awaiting response... 400 Bad Request
14:11:32 ERROR 400: Bad Request.
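Added example (not part of the bug comments or of the GridShib-CA code): the discovery step a relying party performs on the XRDS document captured above, written in Python. It picks the `http://specs.openid.net/auth/2.0/server` service by priority, reports whether Attribute Exchange is advertised, and fails when no such service exists, which is the condition the original report shows as no_identity_server. The names `discover_op_endpoint` and `DiscoveryError` and the https-only policy are assumptions of this example.

```python
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"                          # XRD 2.0 namespace from the capture
OP_SERVER = "http://specs.openid.net/auth/2.0/server"  # OP Identifier service type
AX = "http://openid.net/srv/ax/1.0"                    # Attribute Exchange service type

# XRDS body as captured with wget in the comment above (re-indented).
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
      <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


class DiscoveryError(Exception):
    """No usable OpenID 2.0 provider endpoint in the fetched document."""


def discover_op_endpoint(xrds):
    """Return (endpoint_uri, supports_ax) for the best OP Identifier service."""
    data = xrds.encode("utf-8") if isinstance(xrds, str) else xrds
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise DiscoveryError("response is not XML: %s" % exc)
    found = []
    for svc in root.iter(XRD + "Service"):
        types = {(t.text or "").strip() for t in svc.findall(XRD + "Type")}
        uri = (svc.findtext(XRD + "URI") or "").strip()
        # Policy of this example (an assumption): only accept an https endpoint.
        if OP_SERVER not in types or not uri.startswith("https://"):
            continue
        prio = svc.get("priority", "")
        # Lower priority value wins; a missing priority sorts last.
        found.append((int(prio) if prio.isdigit() else float("inf"), uri, AX in types))
    if not found:
        # Same symptom the bug reports as no_identity_server.
        raise DiscoveryError("no OpenID 2.0 server Service element found")
    _, uri, has_ax = min(found)
    return uri, has_ax
```

The endpoint URI returned here is where the user's browser is sent to authenticate, so a relying party should fetch the XRDS document with certificate verification enabled rather than as in the wget capture.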
(In reply to comment #6)
> Suddenly this is working for me (and Jim)

OK, the issue is that Google OpenID does not work for me when I'm running the GSCA on my mac, but does when the GSCA is running on shibber. I'm guessing it has something to do with the fact that the hostname I'm using for my mac is not in the public DNS, just in /etc/hosts, and Google is relying on that somehow.
Closing this bug since basic openid authentication with Google works. Note that to get nicer attributes, such as email address, apparently Attribute Exchange is needed. See Bug 6913.