Google Single Sign-On

Configure single sign-on with Google

Pritunl Zero supports single sign-on with Google G Suite. This allows users to use their Google employee account to authenticate with Pritunl Zero. Google sign-on can be enabled by adding a Google authentication provider in the Settings tab. Then enter the domain of the Google G Suite to match. Any users with a Google account on that domain will have access. Multiple domains can be added by adding multiple providers. The Google Admin Email and Google JSON Private Key can be left blank if G Suite group matching with Pritunl Zero roles is not needed.

Match Groups to Roles

From the Google Workspace Admin Console search for Google Cloud Platform and select Settings for Google Cloud Platform. Then enable the service.

Open the Google Cloud Console and create a project if one does not already exist.

Either open the Admin SDK API Settings or use the search from the cloud platform console to search for Admin SDK API. Then click Enable.

From the navigation menu select IAM & Admin then IAM. From the IAM page open Service Accounts.

Click Create Service Account and name the service account pritunl. Then click Create and Continue.

Click Add role and select Service Accounts then select Service Account User. Click Continue then click Done to create the service account.

Click the menu button for the user under Actions then click Manage keys.

Click Add Key and Create new key.

Set the Key type to JSON and click Create. The key will be downloaded as a JSON file.

Either open the Details tab from the keys page or click Manage details from the user actions menu.

Click Show domain-wide delegation then select Enable Google Workspace Domain-wide Delegation. Set the Product name to Pritunl then click Save.

After the domain-wide delegation has been enabled copy the Client ID shown.

Go to the Google Workspace Admin Console and select Security then API controls from the menu. Then click Manage Domain Wide Delegation.

Click Add new then enter the Client ID from the previous steps. Set the OAuth scopes to https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly and click Authorize.

Open the JSON file downloaded earlier and copy the full contents to the Google JSON Private Key field in the Pritunl Zero authentication provider settings. Then set the Google Admin Email to the email address of a user that has access to the Google G Suite admin console. This is required because the service account uses the domain-wide delegation enabled above to act as an administrator user in the Google G Suite domain. Once done, users signing into Pritunl Zero will have roles matching their groups in Google G Suite.
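As an added check that is not part of Pritunl Zero or of this page, the Python below (function and constant names are assumed) validates a downloaded key file against the delegation settings configured above and shows the JWT claim set a domain-wide delegated request carries; the sample key is constructed with placeholder values, and signing the claims (RS256 with the key's private_key) is left to the Google client library.

```python
import json
import time

# Scopes the steps above have you authorize for the delegated Client ID.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
)

# Constructed stand-in for the downloaded key file; every value is a placeholder.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "pritunl@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

def check_delegation_config(key_json, authorized_client_id, authorized_scopes, admin_email, domain):
    """Return a list of problems; an empty list means key, delegation and admin email line up."""
    try:
        key = json.loads(key_json)
    except ValueError:
        return ["Google JSON Private Key field is not valid JSON"]
    problems = []
    if key.get("type") != "service_account":
        problems.append("key type is not service_account")
    for field in ("client_email", "client_id", "private_key", "token_uri"):
        if not key.get(field):
            problems.append("key is missing " + field)
    if not key.get("private_key", "").startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    if key.get("client_id") != authorized_client_id:
        problems.append("client_id does not match the Client ID authorized for domain-wide delegation")
    missing = set(REQUIRED_SCOPES) - set(authorized_scopes)
    if missing:
        problems.append("delegation is missing scopes: " + ", ".join(sorted(missing)))
    if not admin_email.lower().endswith("@" + domain.lower()):
        problems.append("Google Admin Email is not in the matched G Suite domain")
    return problems

def delegation_claims(key_json, admin_email, now=None):
    """Claim set of the JWT a delegated call signs with private_key (RS256): iss is the service
    account, sub is the admin it acts as, scope is exactly what was authorized."""
    key = json.loads(key_json)
    now = int(time.time()) if now is None else now
    return {"iss": key["client_email"], "sub": admin_email, "scope": " ".join(REQUIRED_SCOPES),
            "aud": key["token_uri"], "iat": now, "exp": now + 3600}
```

Run the check with the Client ID copied from the delegation page and the scopes entered in Manage Domain Wide Delegation; any problem it reports is a reason group matching will fail before the key is pasted into Pritunl Zero.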