0

It would be so great if I could just avoid all the API junk, and install a program on one of my servers that would actively monitor AD and G-Apps and sync stuff between them. I could just create special admin accounts in both AD and GApps for this program to use.

Optionally, it could offer a web portal for people to reset/recover their passwords.

Does anyone know of a program like this? I would prefer a Windows program with a nice installer.

Corey

2 Answers

1

Is this too much to ask for?

Yes, in many ways it is. Passwords in both Google and AD are stored using a one-way hash. The hashes between the two are not compatible. If you do not want to accept the risk of storing a reversible password in the AD, then your only choice is to use the SSO solution. Unfortunately, the SSO solution only works for the web. The SSO option does not work for IMAP/SMTP/XMPP authentication.

None of the tools that speak SAML are simple to set up. As you said, usually it takes setting up a somewhat complicated web stack.

See my answer here for a description of what our organization did.

Zoredache
0

Here is a password filter that solves the synch problem: http://code.google.com/p/sha1hexfltr/ You could then use the Google directory sync tool.