Org-wide Email / Calendar Integration
This guide explains how you, as the admin, can connect the email and calendars of all users on Rox, describes the two supported architectures, and explains how Rox keeps data fresh.
Architecture
Rox supports two secure patterns. Choose one based on your governance needs.

Domain-Wide Delegation (DWD) to a Rox Service Principal
You grant DWD to a Rox-owned service account. Rox impersonates each onboarded user (via DWD) to read that user’s Calendar & Email.
Customer Workload Identity Federation + DWD
Step 1: Configure in Google Cloud (your project)
Create a Workload Identity Federation Pool & OIDC Provider (Google)
Issuer: https://accounts.google.com
Allowed Audience: your Rox Calendar App OAuth Client ID
(Recommended) Attribute mapping that includes email, for tight allow-listing.
Restrict who can authenticate
Allow only your Rox admin's Google account to authenticate to the provider.
Create (or choose) a Service Account (customer-owned)
Grant your WIF Pool principal roles/iam.workloadIdentityUser on this SA.
Step 2: Configure in Workspace (Domain-Wide Delegation)
Admin Console → Security → API Controls → Domain-wide delegation
Add the service account’s OAuth 2.0 Client ID.
Scopes: Calendar & Gmail (read-only).
Step 3: Connect in Rox
In Rox, choose Google Workspace (Customer WIF + DWD) and provide:
Google Project Number
WIF Pool ID
OIDC Provider ID
Service Account (to impersonate)
Connect Admin User via OAuth (must match your allow-listed account)
Rox validates the WIF → SA → DWD chain and completes the link.
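To make the chain Rox validates concrete, here is an added example (not Rox's own code) that walks the WIF → SA → DWD exchange against Google's public STS, IAM Credentials and OAuth2 endpoints using only the Python standard library, so an admin can verify the Step 1 and Step 2 configuration end to end before connecting. It assumes the admin's Google ID token (audience = the Rox OAuth client ID) was already obtained by the OAuth sign-in, that roles/iam.workloadIdentityUser on the service account permits signJwt, and that the read-only scopes are calendar.readonly and gmail.readonly; all identifiers used in the test are constructed samples.

```python
import json
import time
import urllib.parse
import urllib.request

STS_URL = "https://sts.googleapis.com/v1/token"
SIGN_JWT_URL = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{sa}:signJwt"
TOKEN_URL = "https://oauth2.googleapis.com/token"
# Assumed read-only scopes matching "Calendar & Gmail (read-only)" in Step 2.
READ_ONLY_SCOPES = ("https://www.googleapis.com/auth/calendar.readonly",
                    "https://www.googleapis.com/auth/gmail.readonly")

def wif_audience(project_number, pool_id, provider_id):
    # The STS audience names the OIDC provider inside the customer's WIF pool
    # (Google Project Number, WIF Pool ID and OIDC Provider ID from Step 3).
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")

def sts_exchange_body(project_number, pool_id, provider_id, admin_id_token):
    # Link 1 (WIF): trade the allow-listed admin's Google ID token for a
    # short-lived federated token. The provider's audience/attribute checks
    # reject any ID token that is not the allow-listed admin's.
    return {
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": wif_audience(project_number, pool_id, provider_id),
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "subjectTokenType": "urn:ietf:params:oauth:token-type:id_token",
        "subjectToken": admin_id_token,
    }

def dwd_jwt_claims(sa_email, user_email, scopes=READ_ONLY_SCOPES, now=None):
    # Link 3 (DWD): claims the customer-owned SA signs to act as `user_email`.
    # Workspace checks `sub` and `scope` against the delegated client ID.
    iat = int(time.time() if now is None else now)
    return {"iss": sa_email, "sub": user_email, "scope": " ".join(scopes),
            "aud": TOKEN_URL, "iat": iat, "exp": iat + 3600}

def _post(url, body, bearer=None, form=False):
    data = urllib.parse.urlencode(body).encode() if form else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded" if form else "application/json")
    if bearer:
        req.add_header("Authorization", f"Bearer {bearer}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def user_access_token(project_number, pool_id, provider_id, sa_email, admin_id_token, user_email):
    # Runs the full chain; needs network access and a real admin ID token.
    federated = _post(STS_URL, sts_exchange_body(project_number, pool_id, provider_id, admin_id_token))
    # Link 2 (SA): the federated identity asks IAM Credentials to sign the DWD JWT
    # with the SA's Google-managed key, so no long-lived key ever leaves Google.
    signed = _post(SIGN_JWT_URL.format(sa=sa_email),
                   {"payload": json.dumps(dwd_jwt_claims(sa_email, user_email))},
                   bearer=federated["access_token"])
    grant = _post(TOKEN_URL, {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
                              "assertion": signed["signedJwt"]}, form=True)
    return grant["access_token"]  # short-lived user token; store nothing long-lived
```

If any link fails, the failing endpoint tells you which step to revisit: STS errors point at the pool/provider or allow-list, signJwt errors at the roles/iam.workloadIdentityUser binding, and jwt-bearer errors at the Workspace domain-wide delegation entry or scopes.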
How Rox Syncs
Rox fetches Calendar events (and Email, if enabled) every 15 minutes.
Credentials are refreshed automatically before expiry (WIF assertion or refresh token, depending on your architecture).
Syncs are incremental to minimize API usage and latency.
Security
Least-privilege by default (read-only scopes).
For the Customer Workload Identity Federation + DWD option (Option B), Rox uses short-lived federated credentials; no long-lived keys are stored by Rox.
You can revoke access centrally (remove DWD, disable the WIF binding, or disconnect in Rox).