Skip to content

User Authentication with Google

Our Google authentication authority lets you log users in on their devices against your Google Workspace domain. This lets you:

  • Require 2-Step Verification through Google for all users.
  • Use any MFA mechanism supported by Google for authentication.
  • Audit user login events through Google's tooling.

Domain ID

When defining your Trust Requirement, you should provide the Google Workspace Domain, which indicates which Google Workspace the user should exist in.

Your domain can be found on the Google Admin Console (, on the dashboard.

Google Workspace Domain

Token Refresh

Google issues authentication tokens that are valid for 1 hour (see the Google token documentation). Enclave will automatically refresh these tokens when they expire, so the user will not need to log in again.

If the user removes the Enclave app from their account, or the Workspace admin removes the app for them, Enclave will fail to retrieve a fresh token and will log the user out, but this could take up to 1 hour, until the authentication token expires.

You can revoke existing Enclave authentication for a user from the Google Workspace administration tools:

Google Workspace Admin Revoke

If a user doesn't use Enclave for 60 days on a given device, the user will be logged out on that device and will need to log in again.