Google Workspace

BlokSec enables passwordless login to Google Workspace and also supports automatic user provisioning via the Google Directory API. This guide covers both the authentication setup (SAML) and optional provisioning configuration.

Prerequisites

A BlokSec admin account with permission to create applications
A Google Workspace account with Super Administrator access
A Google Cloud project (required for provisioning only)

Part 1 — Authentication

1. Create the Google Workspace application in BlokSec

Sign in to the BlokSec admin console as a user with admin privileges
From the dashboard, click + Add Application and select Create From Template
Select the Google Workspace template
Complete the application details with the following values, replacing <your_domain> with your Google Workspace domain (for example, acme.com):

Field	Value
Name	`Google Workspace` (or your preferred name)
Entity ID	`https://www.google.com/a/<your_domain>/acs`
NameID Source	`Account name`
Assertion Consumer Service	`https://www.google.com/a/<your_domain>/acs`
Name ID Format	`EmailAddress`

Click Submit to save the configuration
Click View Cert and copy the certificate — save it to a file (for example, BlokSecGoogleCert.pem)
Note the SSO URI — you will need it in the next step

2. Configure SSO in the Google Workspace admin console

Sign in to the Google Workspace admin console as a Super Administrator
Navigate to Security → Authentication → SSO with third-party IdP
Click Add SSO profile and enter the following values:

Field	Value
Sign-in page URL	SSO URI from BlokSec (noted in step 7 above)
Sign-out page URL	`https://mail.google.com/a/<your_domain>`
Verification certificate	Upload `BlokSecGoogleCert.pem` from step 6 above

Click Save

Verify the authentication integration

Open a private/incognito browser window
Navigate to https://mail.google.com/a/<your_domain>
Approve the sign-in on the BlokSec mobile app
Confirm you are successfully signed in to Google Workspace

Part 2 — Provisioning (optional)

Provisioning allows BlokSec to automatically create Google Workspace user accounts when a new user is registered in BlokSec, eliminating the need to create accounts in both systems separately.

1. Create OAuth 2.0 credentials in Google Cloud

Sign in to the Google Cloud Console and open your project
Navigate to APIs & Services → Credentials
Click Create Credentials and select OAuth 2.0 Client ID
Choose Web application as the application type
Under Authorized JavaScript origins, add: https://api.bloksec.io
Under Authorized redirect URIs, add: https://api.bloksec.io/oauth2callback
Click Create, then download the generated JSON credentials file

2. Generate a refresh token

BlokSec requires a long-lived refresh token to make authenticated calls to the Google Directory API on behalf of your domain.

Go to Google OAuth 2.0 Playground
Click the gear icon (Settings) and check Use your own OAuth credentials
Enter the Client ID and Client Secret from the JSON file downloaded above
In the scope list, authorize: https://www.googleapis.com/auth/admin.directory.user
Click Authorize APIs and complete the sign-in with your Super Administrator account
Click Exchange authorization code for tokens
Copy the Refresh token from the response

3. Enable provisioning in BlokSec

In the BlokSec admin console, open the Google Workspace application and click the gear icon → Edit Application
Navigate to the Provisioning tab
Enable provisioning and set the integration type to Google Directory API
Open the JSON credentials file downloaded from Google Cloud and add the refresh token as a new field:

{
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "refresh_token": "PASTE_REFRESH_TOKEN_HERE",
  ...
}

Paste the complete JSON (with the refresh_token field added) into the provisioning credentials field
Click Submit to save