Google

Single sign-on with Google

Pritunl supports single sign-on with Google G Suite. This allows users to authenticate with Pritunl using their Google employee account. OAuth is used to authenticate users, and re-authentication is also performed on each connection. When a Google user is removed or disabled, they will no longer be able to connect to a Pritunl server. To start, set the Single Sign-On option to Google and set the Google Apps Domain. The domain should be the domain used for the business Gmail, such as pritunl.com. Multiple domains can be separated by a comma. The single sign-on organization controls which organization Google users are added to.

Once configured, a Sign in with Google button will appear on the login page.

After a user clicks Sign in with Google they will be prompted to approve the OAuth login. They will then be directed to their VPN profiles.

Match Groups to Organizations

From the Google Workspace Admin Console, search for Google Cloud Platform and select Settings for Google Cloud Platform. Then enable the service.

Open the Google Cloud Console and create a project if one does not already exist.

Either open the Admin SDK API settings or use the search in the Cloud Platform console to find Admin SDK API. Then click Enable.

From the navigation menu select IAM & Admin, then IAM. From the IAM page open Service Accounts.

Click Create Service Account and name the service account pritunl. Then click Create and Continue.

Click Add role and select Service Accounts, then select Service Account User. Click Continue, then click Done to create the service account.

Click the menu button for the user under Actions, then click Manage keys.

Click Add Key, then Create new key.

Set the Key type to JSON and click Create. The key will be downloaded in JSON format.

Either open the Details tab from the keys page or click Manage details from the user actions menu.

Copy the Unique ID shown for the next steps.

Go to the Google Workspace Admin Console and select Security, then Access and data control, then API controls from the menu. Enable Trust internal, domain-owned apps.

Once done, click Manage Domain Wide Delegation. Then click Add new and enter the Client ID (the Unique ID copied in the previous steps). Set the OAuth scopes to https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly and click Authorize.

Open the settings from the Pritunl web console and verify the Google Apps Domain is set to the correct company domain. Then set the Google Admin Email to the email of any Google Workspace administrator; this is used by the Google Cloud API to discover the Google Workspace Domain. Open the JSON file that was downloaded in the previous steps and copy the key into Google JSON Private Key. Then click Save.

Once done, the Pritunl user will be created in the matching organization when authenticating with Google. The logs will display which names are discovered when a user authenticates.
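A preflight check for the values gathered in the steps above, added here as an example and not part of Pritunl itself: it verifies that the downloaded key file is a service-account key whose client_id equals the Client ID authorized for domain-wide delegation, that the authorized scopes are exactly the two read-only scopes (flagging anything broader), and that the Google Admin Email belongs to one of the comma-separated Google Apps Domains. The key file contents, IDs and domains are constructed samples.

```python
import json

# The two read-only Admin SDK scopes the steps above say to authorize for domain-wide delegation.
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
})

# Constructed sample key file; a real key file carries a long PEM body and real IDs.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "pritunl@example-project.iam.gserviceaccount.com",
    "client_id": "111111111111111111111",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})


def check_sso_config(key_json, delegated_client_id, delegated_scopes, apps_domains, admin_email):
    """Return a list of problems found; an empty list means the inputs are consistent."""
    problems = []
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return ["Google JSON Private Key is not valid JSON: %s" % exc]
    if key.get("type") != "service_account":
        problems.append("key file type is not 'service_account'")
    for name in ("client_id", "client_email", "private_key"):
        if not key.get(name):
            problems.append("key file is missing '%s'" % name)
    # The Unique ID entered under Manage Domain Wide Delegation must be this key's client_id.
    if key.get("client_id") and key["client_id"] != delegated_client_id:
        problems.append("delegated Client ID does not match the key's client_id")
    if key.get("private_key") and not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    scopes = set(delegated_scopes)
    for missing in sorted(REQUIRED_SCOPES - scopes):
        problems.append("missing scope: " + missing)
    for extra in sorted(scopes - REQUIRED_SCOPES):
        # Anything beyond the two read-only scopes grants more access than Pritunl needs.
        problems.append("scope broader than needed: " + extra)
    domains = {d.strip().lower() for d in apps_domains.split(",") if d.strip()}
    admin_domain = admin_email.rpartition("@")[2].lower()
    if not domains:
        problems.append("Google Apps Domain is empty")
    elif admin_domain not in domains:
        problems.append("Google Admin Email domain is not one of the Google Apps Domains")
    return problems
```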