Pritunl supports single sign-on with Google business apps. This allows users to use their Google employee account to authenticate with Pritunl. OAuth is used to authenticate users, and re-authentication is also performed on each connection. When a Google user is removed or disabled they will no longer be able to connect to a Pritunl server. To start, set the Single Sign-On to Google and set the Google Apps Domain. The domain should be the domain used for the business Gmail, such as pritunl.com. Multiple domains can be separated by a comma. The single sign-on organization will control which organization Google users are added to.
Once configured a Sign in with Google button will appear on the login page.
After a user clicks Sign in with Google they will be prompted to approve the OAuth login. Then they will be directed to their VPN profiles.
Google user groups can be matched to organizations using the Google Admin API. First the API access must be enabled in the G Suite admin console. The API access option can be found in the Security section under API reference; the Enable API access option must be checked.
Go to the Admin SDK options in the Google Developers console under the Library tab of the APIs & services section. Ensure that the Admin SDK is enabled. You may need to first create a project which can be done with the setup tool.
Next go to the Service Accounts section in the Google Developers console under IAM & admin. Click Create Service Account, then set the Service account name to pritunl. Set the Role to Service Account Actor in the Project category. Then select Furnish a new private key, choose the JSON key type, and enable G Suite Domain-wide Delegation. Once done click Create and save the downloaded JSON key.
After the service account has been created click View Client ID on the right side of the new service account. Copy the Client ID which will be used next.
In the Google G Suite admin console open Manage API client access by going to the Advanced settings in the Security section and clicking Manage API client access. Set the Client Name to the Client ID from above. Then set One or More API Scopes to https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly. Then click Authorize and the client should show both API scopes as shown below.
Open the JSON file downloaded earlier and copy the full contents to the Google JSON Private Key field in the Pritunl settings. Then set the Google Admin Email to the email address of a user that has access to the Google G Suite admin console. This is required because the service account will use the domain-wide delegation enabled above to act on behalf of an administrator user in the Google G Suite domain.
Next open the Groups section in the Google G Suite admin console, copy the names of the groups that will be used, and create organizations with the same names. In this example the developers group in Google will have a matching developers organization in Pritunl. The matching is case sensitive and will match the first matching group in alphabetical order. If no matching organization is found the Default Organization in the Pritunl settings will be used. Once a user has been created in Pritunl the organization won't change. If a user's group is changed the user must be deleted in Pritunl and the user must log in again to get new keys in the new organization.
Once done the Pritunl user will be created in the matching organization when authenticating with Google.
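The checks a practitioner would want after following these steps, as an added Python example that is not Pritunl's own code: it validates the downloaded service account key, confirms the two scopes were authorized, and applies the group-to-organization matching rule above to a sample Admin SDK groups.list response. The sample key and response are constructed; using plain string sort order for "alphabetical" is an assumption.

```python
import json

# The two read-only Admin SDK scopes authorized for the client ID in the steps above.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
)

def check_service_account_key(key_json: str) -> dict:
    """Sanity-check the downloaded service account key before pasting it into the
    Google JSON Private Key field; returns client_id (the value pasted into Manage API
    client access) and client_email, or raises ValueError if a field is missing."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key")
    missing = [f for f in ("client_email", "private_key", "client_id") if not key.get(f)]
    if missing:
        raise ValueError("key is missing fields: " + ", ".join(missing))
    return {"client_id": key["client_id"], "client_email": key["client_email"]}

def missing_scopes(authorized_scopes) -> list:
    """Return the required scopes that were not authorized for the client."""
    return [s for s in REQUIRED_SCOPES if s not in set(authorized_scopes)]

def select_organization(groups_response: dict, organizations, default_org: str) -> str:
    """Apply the matching rule above to a directory groups.list response: exact,
    case-sensitive match on the group name, first match in alphabetical order (plain
    string order is an assumption), otherwise the Default Organization."""
    org_names = set(organizations)
    for name in sorted(g["name"] for g in groups_response.get("groups", [])):
        if name in org_names:
            return name
    return default_org

# Constructed sample data: a key file with placeholder values, and a groups.list
# response for a user in three groups, one of which differs from its organization in case.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_email": "pritunl@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})
SAMPLE_GROUPS = {"kind": "admin#directory#groups", "groups": [
    {"name": "support", "email": "support@pritunl.com"},
    {"name": "Developers", "email": "developers@pritunl.com"},
    {"name": "admins", "email": "admins@pritunl.com"},
]}
```

With the sample data, a user in "Developers" does not match a "developers" organization, so "admins" is selected; with only "developers" configured the Default Organization is used.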