Is it possible, with Google Provisioning API, to set an expiration date to the password? Or to check when the password was set?
<apps:login userName="NewUserName"
password="51eea05d46317fadd5cad6787a8f562be90b4446" hashFunctionName="SHA-1"
suspended="false"/>
According to the protocol example there are only few fields but maybe some other fields are hidden like in other apis.
Hate to be the bearer of bad news, but no there is not.
What you could do, is do a SSO but against Google Apps.
Most of the documentation about SSO asumes that you need to authenticate against LDAP/Ad. But I have developed a few that authenticate directly against Google.
There are 2 reasons: 1 - clients hate the "non-corporate" login screen 2 - I can enforce password expiration (part off the SSO is developing the password change)
In theory, you could develop this in App Engine.
Good luck!