
Google Workspace

BlokSec can be configured to support passwordless login to your Google Workspace, and also supports provisioning.

Authentication Configuration

The BlokSec ↔️ Google Workspace authentication integration enables strong, passwordless authentication via the SAML protocol. Configuration involves a few simple steps on both the BlokSec admin UI and the Google Workspace admin console.

Create Application from Template

  1. Sign into BlokSec admin UI as a user with admin privileges for your tenant

  2. On the main dashboard, click the Add Application drop-down and select Create From Template, and select Google Workspace

  3. Complete the application details as follows and submit:

    • Name: Google Workspace (or your desired application name – we will assume this is called ‘Google’ for the remainder of this article)

    • Entity ID: https://www.google.com/a/<your_domain>/acs

    • NameID Source: Account name

    • Assertion Consumer Service: https://www.google.com/a/<your_domain>/acs

    • Name ID Format: EmailAddress (the default)

  4. Click Submit to save the configuration

  5. Click View Cert and then select Copy. Paste the certificate in a text editor of your choice and save the file as BlokSecGoogleCert.pem

  6. Make note of the SSO Uri as it will be required when configuring Google Workspace

Google Workspace Admin Console

  1. Sign into the Google Workspace admin console as a user with admin privileges for your tenant

  2. Navigate to Security > Setup single sign-on (SSO) with a third party IdP

  3. Complete the identity provider configuration with the following values (adjusting if required to meet your desired behaviour):

    • Sign-in page URL: Copy / enter the SSO Uri noted in step 6 above

    • Sign-out page URL: https://mail.google.com/a/<your_domain>

    • Verification certificate: Upload the certificate file saved in step 5 above

    • Click Save to apply the configuration changes

  4. Send your users the following URL to log in via passwordless authentication: https://mail.google.com/a/<your_domain> (for example, internally at BlokSec we use https://mail.google.com/a/bloksec.com)

Provisioning Configuration

When provisioning support is configured, you can create Google users in one step from the BlokSec admin console, rather than creating them in Google and then creating a corresponding account in BlokSec.

Google Cloud Console

  1. Log into the Google developer console at https://console.developers.google.com/start

  2. Create a new project and give it a name (I've used BlokSec API Access). [screenshot: Create project]

  3. Then provide the project details. [screenshot: Provide project details]

  4. Click on Credentials. [screenshot: Credentials menu item]

  5. Click on + CREATE CREDENTIALS and then select OAuth Client ID. [screenshot: Create credentials location]

  6. If you have not already done so, you will be prompted to create a consent screen:

    1. Click the CREATE CONSENT SCREEN button. [screenshot: Create consent]

    2. Select Internal. [screenshot: Internal]

    3. Provide an App name (we have used BlokSec Provisioning Integration in the example). [screenshot: App name]

    4. Leave the scopes blank. [screenshot: Scopes]

    Click SAVE AND CONTINUE then BACK TO DASHBOARD.

    Note: You will have to return to the Credentials section and click on + CREATE CREDENTIALS to get back to the OAuth Client ID creation screen.

  7. For Application type, select Web application. [screenshot: Select web application]

  8. Provide a name (we have used BlokSec Provisioning Integration in the example) and provide the following values for authorized URIs:

    1. Authorized JavaScript origins: https://api.bloksec.io

    2. Authorized redirect URIs: https://api.bloksec.io/oauth2callback

    3. Click CREATE to finish. You will be presented with a confirmation dialog; click DOWNLOAD JSON and save the file locally for use in the BlokSec Admin UI.

An easier way to generate the tokens is to use the Google OAuth Playground:

Once you have the oauth2 credentials (JSON file) and the refresh_token, move on to configuring the application in the BlokSec Admin UI.

BlokSec Admin UI

  1. Open the Google Workspace application

  2. Open the settings menu and click Edit Application

  3. Click on the Provisioning Tab

  • Select the Enable Provisioning checkbox.

  • In the properties field, paste the contents of the oauth2 credentials file that you downloaded earlier from Google. In this JSON, add an additional key called refresh_token and set its value to the refresh_token that was generated earlier. It should look something like this:

    {
      "installed": {
        "client_id": "773006386462-mjn15pflv6uh7c14dkbcf8f9vv0h9.apps.googleusercontent.com",
        "project_id": "bloksecprovisioning",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_secret": "GOCSPX-zte0os99l3J8in_fzithqQNss",
        "redirect_uris": [
          "http://localhost:3000/oauth2callback"
        ],
        "refresh_token": "1//0g4VE9LxJ4ivsCgRAAGBASNwF-L9IrdPDPRD9Q2QT-0eVs79puXz9pim9I_IR919HXZpUrqLNWFyMzt4Unq8nbt4gYRMObY74"
      }
    }

    Save the application.

    Tip: Now, every time an account is registered on BlokSec, a new user will be created on Google Workspace. All permissions/access will need to be granted on Google Workspace.
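The following helper is an added example and not BlokSec's or Google's code: it inserts the refresh_token key into the downloaded client JSON, checks that every key the provisioning integration needs is present, and shows the RFC 6749 refresh-token grant that such a client later sends to token_uri. It accepts both root keys Google emits ("web" for a Web application client, "installed" for a Desktop client, which is what the sample above uses); the function names and placeholder values are assumptions.

```python
import json
from urllib.parse import urlencode

# Keys the provisioning integration needs from Google's downloaded client
# JSON, plus the refresh_token this guide tells you to add by hand.
REQUIRED_KEYS = ("client_id", "client_secret", "token_uri", "refresh_token")

def add_refresh_token(credentials_json: str, refresh_token: str) -> dict:
    """Insert refresh_token into the downloaded client JSON and validate it.
    Google's file has one root key: "web" for a Web application client or
    "installed" for a Desktop client (the page's sample uses "installed").
    Raises ValueError if the structure or a required key is missing."""
    doc = json.loads(credentials_json)
    roots = [k for k in ("web", "installed") if k in doc]
    if len(roots) != 1:
        raise ValueError("expected exactly one root key: 'web' or 'installed'")
    if not refresh_token.strip():
        raise ValueError("refresh_token must not be empty")
    client = doc[roots[0]]
    client["refresh_token"] = refresh_token.strip()
    missing = [k for k in REQUIRED_KEYS if not client.get(k)]
    if missing:
        raise ValueError("missing keys: " + ", ".join(missing))
    return doc

def refresh_request(doc: dict):
    """Return (token_uri, form body) for the RFC 6749 refresh-token grant the
    integration uses to obtain an access token. Nothing is sent from here."""
    client = doc.get("web") or doc["installed"]
    body = urlencode({
        "grant_type": "refresh_token",
        "client_id": client["client_id"],
        "client_secret": client["client_secret"],
        "refresh_token": client["refresh_token"],
    })
    return client["token_uri"], body

# Constructed sample with placeholder values, shaped like Google's download.
SAMPLE_CREDENTIALS = json.dumps({"installed": {
    "client_id": "PLACEHOLDER.apps.googleusercontent.com",
    "project_id": "example-project",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "client_secret": "PLACEHOLDER-SECRET",
    "redirect_uris": ["http://localhost:3000/oauth2callback"],
}})
if __name__ == "__main__":
    merged = add_refresh_token(SAMPLE_CREDENTIALS, "PLACEHOLDER-REFRESH-TOKEN")
    print(json.dumps(merged, indent=2), refresh_request(merged)[1], sep="\n")
```

Run it against the real downloaded file before pasting into the properties field; a ValueError tells you which key the integration would be missing.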