Configure Google OAuth for workforce or customer authentication.
Step 1: Install the package
dotnet add package PrimusSaaS.Identity.Broker
Step 2: Configure Program.cs and middleware
using PrimusSaaS.Identity.Broker;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddPrimusAuthBroker(builder.Configuration, builder.Environment.IsDevelopment());
builder.Services.AddControllers();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.UsePrimusCsrfProtection();
app.MapControllers();
app.MapPrimusAuthBroker();
app.Run();
Step 3: Configure appsettings.json
{
"Google": {
"ClientId": "YOUR_CLIENT_ID",
"ClientSecret": "YOUR_CLIENT_SECRET"
}
}
How to get configuration values
- Go to Google Cloud Console > APIs & Services > Credentials.
- Create OAuth 2.0 Client ID (Web application).
- Authorized redirect URI:
https://your-api.com/api/auth/google/callback - Copy Client ID and Client Secret.
Step 4: Configure endpoint
Broker endpoints are mapped by app.MapPrimusAuthBroker().
GET /api/auth/providersGET /api/auth/googleGET /api/auth/me
Step 5: Test the endpoint
- Call
GET /api/auth/providersonce on app startup to seed the CSRF cookie. - Navigate to
GET /api/auth/googleand sign in. - Call
GET /api/auth/meto confirm the session.
SAML 2.0 SSO
Google Workspace supports both OIDC and SAML 2.0. SAML is common for organizational Google Workspace deployments.
Create a custom SAML app in Google Workspace
- In the Google Admin console, go to Apps → Web and mobile apps → Add app → Add custom SAML app.
- Set ACS URL to:
https://app.example.com/api/auth/saml/google-saml/Acs - Set Entity ID to
https://app.example.com. - Copy the IdP metadata URL shown on the IdP details page.
Configure appsettings.json
{
"PrimusAuth": {
"Saml": {
"EntityId": "https://app.example.com",
"IdentityProviders": [
{
"Scheme": "google-saml",
"DisplayName": "Google Workspace",
"IdpType": "GoogleWorkspace",
"MetadataUrl": "https://accounts.google.com/o/saml2?idpid=YOUR_IDP_ID"
}
]
}
}
}
SAML endpoints
| Endpoint | Description |
|---|---|
GET /api/auth/saml/google-saml | Returns SP metadata XML — configure as the SP Entity ID in Google Admin |
GET /api/auth/saml/google-saml/SignIn | Initiates SP-initiated SSO — redirects the browser to Google |
POST /api/auth/saml/google-saml/Acs | Assertion Consumer Service — handled automatically |
Advanced features
The following features work with Google exactly the same way as any other provider:
- Multi-Factor Authentication — TOTP, SMS, and email OTP
- Domain Allowlist — restrict logins to specific email domains
- Bot Protection & Rate Limiting — IP-based rate limiting, CAPTCHA hooks
- Webhooks — receive events on login, logout, and provisioning
Next Steps
- Integration Guide — complete setup walkthrough including frontend integration
- MFA Deep Dive — TOTP enrollment UX, SMS codes, and recovery
- Advanced Configuration — custom stores, HA clustering, and data protection
- Database Setup — persist provisioned users with EF Core