
Google Workspace

BlokSec can be configured to provide passwordless login to your Google Workspace and, optionally, to provision Google users from the BlokSec admin console.

The BlokSec / Google Workspace authentication integration provides strong, passwordless authentication over SAML, with BlokSec acting as the identity provider and Google Workspace as the service provider. Configuration involves a few steps on both the BlokSec admin UI and the Google Workspace admin console. Start on the BlokSec side:

  1. Sign into BlokSec admin UI as a user with admin privileges for your tenant

  2. On the main dashboard, click the Add Application drop-down and select Create From Template, and select Google Workspace

  3. Complete the application details as follows and submit:

    • Name: Google Workspace (or your desired application name — we will assume this is called ‘Google’ for the remainder of this article)

    • Entity ID: https://www.google.com/a/<your_domain>/acs

    • NameID Source: Account name

    • Assertion Consumer Service: https://www.google.com/a/<your_domain>/acs

    • Name ID Format: EmailAddress (keep default value of EmailAddress)

  4. Click Submit to save the configuration

  5. Click View Cert and then select Copy. Paste the certificate into a text editor of your choice and save the file as BlokSecGoogleCert.pem. This is the certificate Google will use to verify the signature on BlokSec's SAML responses, so it must match the certificate BlokSec actually signs with.

  6. Make note of the SSO Uri; it is required when configuring Google Workspace

Next, configure Google Workspace to use BlokSec as its identity provider:

  1. Sign into the Google Workspace admin console as a user with admin privileges for your tenant

  2. Navigate to Security > Set up single sign-on (SSO) with a third-party IdP

  3. Complete the identity provider configuration with the following values (adjusting if required to meet your desired behaviour):

    • Sign-in page URL: the SSO Uri noted in step 6 of the BlokSec configuration above

    • Sign-out page URL: https://mail.google.com/a/<your_domain>

    • Verification certificate: upload the BlokSecGoogleCert.pem file saved in step 5 of the BlokSec configuration above

    • Click Save to apply the configuration changes

  4. Send your users the following URL to log in passwordlessly: https://mail.google.com/a/<your_domain> (for example, internally at BlokSec we use https://mail.google.com/a/bloksec.com)

When provisioning support is configured, you can create Google users in one step from the BlokSec admin console, rather than creating them in Google and then creating a corresponding account in BlokSec. Provisioning uses an OAuth2 client in your Google Cloud project, authorized by a Workspace administrator, and is set up as follows:

  1. Log into the Google developer console at https://console.developers.google.com/start

  2. Create a new project, and give it a name (e.g., BlokSec API Access)

    Google Cloud Console create project dialog

  3. Then provide the project details:

    Google Cloud Console project details form

  4. Click on Credentials

    Google Cloud Console credentials menu item in left navigation

  5. Click on + CREATE CREDENTIALS and then select OAuth Client ID

    Google Cloud Console create credentials dropdown
  6. If you have not already done so, you will be prompted to create a consent screen:

    a. Click the CREATE CONSENT SCREEN button

    Google Cloud Console create consent screen prompt

    b. Select Internal

    Google Cloud Console consent screen type selection with Internal selected

    c. Provide an App name (we have used BlokSec Provisioning Integration in the example)

    Google Cloud Console consent screen app name field

    d. Leave the scopes blank

    Google Cloud Console consent screen scopes page

    Click SAVE AND CONTINUE then BACK TO DASHBOARD.

  7. For Application type, select Web application

    Google Cloud Console application type selection showing Web application

  8. Provide a name (we have used BlokSec Provisioning Integration in the example) and provide the following values for the authorized URIs:

    • Authorized JavaScript origins: https://api.bloksec.io

    • Authorized redirect URIs: https://api.bloksec.io/oauth2callback

    Google Cloud Console OAuth client ID creation form with authorized URIs

  9. Click CREATE to finish. You will be presented with a confirmation dialog; click DOWNLOAD JSON and save the file locally for use in the BlokSec Admin UI

    Google Cloud Console OAuth client created confirmation dialog with download JSON option

An easier way to generate the tokens is the Google OAuth Playground (https://developers.google.com/oauthplayground): configure it to use your own client ID and client secret, authorize the Directory API scope needed to create users, and exchange the resulting authorization code for an access token and refresh_token. The refresh_token is tied to the Workspace administrator who grants consent, so authorize as an account that is allowed to create users.

Once you have the OAuth2 credentials (JSON file) and the refresh_token, move to configuring the application on BlokSec Admin UI.

  1. Open the Google Workspace application

  2. Open the settings menu and click Edit Application

  3. Click on the Provisioning Tab

  4. Select the Enable Provisioning checkbox

  5. In the properties field, paste the contents of the OAuth2 credentials file that you downloaded earlier from Google. In this JSON add an additional key called refresh_token, inside the same object as client_id and client_secret, and set its value to the refresh_token generated earlier. The top-level key of the file depends on the client type you created (web for a Web application client, installed for a Desktop client); the sample below shows the installed form. Together, client_secret and refresh_token grant the ability to create users in your Workspace, so treat the pasted JSON as a secret and never reuse the sample values. It should look something like this:

    {
      "installed": {
        "client_id": "773006386462-mjn15pflv6uh7c14dkbcf8f9vv0h9.apps.googleusercontent.com",
        "project_id": "bloksecprovisioning",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_secret": "GOCSPX-zte0os99l3J8in_fzithqQNss",
        "redirect_uris": [
          "http://localhost:3000/oauth2callback"
        ],
        "refresh_token": "1//0g4VE9LxJ4ivsCgRAAGBASNwF-L9IrdPDPRD9Q2QT-0eVs79puXz9pim9I_IR919HXZpUrqLNWFyMzt4Unq8nbt4gYRMObY74"
      }
    }
  6. Save the application.
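The steps above leave the actual OAuth2 exchange implicit: how the downloaded client file, an administrator's consent and the refresh_token come together into the JSON pasted into the Provisioning tab. The following added example (not BlokSec's or Google's code) walks that authorization-code flow with the Python standard library: it validates the client file, builds the authorization URL with the two parameters that determine whether Google returns a refresh_token at all, checks the state value on the callback, prepares the token request, and finally merges the refresh_token into the file. The client file is a constructed sample with fake values, and the Directory API scope is an assumption, since the page does not list the scopes BlokSec requires. Network calls are left to you: the functions return the URL and form body to send rather than sending them.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Admin SDK Directory API scope that permits creating and managing users.
# Assumption: BlokSec's provisioning needs at least this scope; the page does not say.
DIRECTORY_USER_SCOPE = "https://www.googleapis.com/auth/admin.directory.user"

# Constructed sample of a downloaded OAuth client file (Web application type, all values fake).
# A Desktop-type client uses "installed" instead of "web" as the top-level key.
SAMPLE_CLIENT_FILE = json.dumps({
    "web": {
        "client_id": "000000000000-example.apps.googleusercontent.com",
        "project_id": "bloksec-provisioning-example",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_secret": "GOCSPX-example-not-a-real-secret",
        "redirect_uris": ["https://api.bloksec.io/oauth2callback"],
    }
})

REQUIRED_KEYS = ("client_id", "client_secret", "auth_uri", "token_uri", "redirect_uris")


def load_client(raw: str):
    """Parse the downloaded file; return (top-level key, client object) or raise on a malformed file."""
    doc = json.loads(raw)
    kind = next((k for k in ("web", "installed") if k in doc), None)
    if kind is None:
        raise ValueError('expected a top-level "web" or "installed" object')
    client = doc[kind]
    missing = [k for k in REQUIRED_KEYS if k not in client]
    if missing:
        raise ValueError(f"client file is missing {missing}")
    return kind, client


def new_state() -> str:
    """Unguessable state value that binds the callback to this request (CSRF protection)."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client: dict, redirect_uri: str, state: str,
                            scopes=(DIRECTORY_USER_SCOPE,)) -> str:
    """Step 1: the URL a Workspace administrator opens in a browser to grant consent."""
    if redirect_uri not in client["redirect_uris"]:
        raise ValueError("redirect_uri is not registered on the OAuth client; Google would reject it")
    params = {
        "client_id": client["client_id"],
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "access_type": "offline",  # without this Google issues no refresh_token
        "prompt": "consent",       # forces consent so a refresh_token is returned even on re-authorization
        "state": state,
    }
    return f"{client['auth_uri']}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: extract the authorization code, refusing a callback whose state does not match ours."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not produced by our authorization request")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def token_request(client: dict, code: str, redirect_uri: str):
    """Step 3: (url, form body) to POST; the JSON response carries access_token and refresh_token."""
    body = {
        "code": code,
        "client_id": client["client_id"],
        "client_secret": client["client_secret"],
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }
    return client["token_uri"], body


def bloksec_properties(raw_client_file: str, refresh_token: str) -> str:
    """Step 4: the downloaded file with refresh_token added inside the client object, ready for the Provisioning tab."""
    kind, _ = load_client(raw_client_file)
    doc = json.loads(raw_client_file)
    doc[kind]["refresh_token"] = refresh_token
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    kind, client = load_client(SAMPLE_CLIENT_FILE)
    state = new_state()
    redirect = client["redirect_uris"][0]
    print("Open in a browser as a Workspace admin:\n ", build_authorization_url(client, redirect, state))
    # Google then redirects to <redirect>?state=...&code=...; feed that URL to parse_callback(url, state),
    # POST token_request(client, code, redirect) with urllib or requests, read "refresh_token" from the
    # response, and paste bloksec_properties(SAMPLE_CLIENT_FILE, refresh_token) into the Provisioning tab.
```

The two parameters worth remembering are access_type=offline and prompt=consent: omit the first and Google returns only a short-lived access token; omit the second and a user who has already consented once gets no refresh_token on subsequent authorizations, which is the usual reason the refresh_token field is unexpectedly empty. The output of bloksec_properties contains a long-lived credential and must be handled like a password.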