Google Single Sign-On

Configure single sign-on with Google

Pritunl Zero supports single sign-on with Google G Suite. This allows users to use their Google employee account to authenticate with Pritunl Zero. Google sign-on can be enabled by adding a Google authentication provider in the Settings tab. Then enter the domain of the Google G Suite to match. Any users with a Google account on that domain will have access. Multiple domains can be added by adding multiple providers. The Google Admin Email and Google JSON Private Key can be left blank if G Suite group matching with Pritunl Zero roles is not needed.

Match Groups to Roles

From the Google Workspace Admin Console search for Google Cloud Platform and select Settings for Google Cloud Platform. Then enable the service.

Open the Google Cloud Console and create a project if one does not already exist.

Either open the Admin SDK API Settings or use the search from the cloud platform console to search for Admin SDK API. Then click Enable.

From the navigation menu select IAM & Admin then IAM. From the IAM page open Service Accounts.

Click Create Service Account and name the service account pritunl. Then click Create and Continue.

Click Add role and select Service Accounts then select Service Account User. Click Continue then click Done to create the service account.

Click the menu button for the service account under Actions, then click Manage keys.

Click Add Key and Create new key.

Set the Key type to JSON and click Create. The key will be downloaded in JSON format.

Either open the Details tab from the keys page or click Manage details from the service account's Actions menu.

Click Show domain-wide delegation then select Enable Google Workspace Domain-wide Delegation. Set the Product name to Pritunl then click Save.

After the domain-wide delegation has been enabled copy the Client ID shown.

Go to the Google Workspace Admin Console and select Security then API controls from the menu. Then click Manage Domain Wide Delegation.

Click Add new, then enter the Client ID from the previous steps. Set the OAuth scopes to https://www.googleapis.com/auth/admin.directory.user.readonly and https://www.googleapis.com/auth/admin.directory.group.readonly, then click Authorize.

Open the JSON file downloaded earlier and copy the full contents to the Google JSON Private Key field in the Pritunl Zero authentication provider settings. Then set the Google Admin Email to the email address of a user that has access to the Google G Suite admin console. This is required because the service account will use the domain-wide delegation enabled above to act on behalf of an administrator user in the Google G Suite domain. The Google Admin Email account must have the User Management Admin and Groups Reader roles. Once done, users signing in to Pritunl Zero will have roles matching their groups in Google G Suite.
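The procedure above wires three things together: the downloaded key file, the Client ID authorized in the Workspace admin console, and the admin account that the service account impersonates. The following added example (not Pritunl Zero's own code) shows what that delegation looks like on the wire by building the claim set of the service-account JWT, with the `sub` claim carrying the admin email, and by checking for the mismatches that otherwise surface only as opaque 401/403 errors. The key file contents are constructed placeholders, and RS256 signing of the returned signing input is left to a JWT library.

```python
import base64
import json
import time

# Constructed stand-in for the downloaded key file (placeholder values, not a real key).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_email": "pritunl@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# The only scopes authorized for the Client ID in the Workspace admin console.
AUTHORIZED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def config_problems(key: dict, admin_email: str, authorized_client_id: str, scopes) -> list:
    """List misconfigurations between the key file, the delegation entry and the admin email."""
    problems = []
    for field in ("client_email", "private_key", "client_id", "token_uri"):
        if not key.get(field):
            problems.append(f"key file is missing {field}; re-download the JSON key")
    if key.get("client_id") != authorized_client_id:
        problems.append("client_id in key file differs from the Client ID authorized in Workspace")
    if not set(scopes) <= set(AUTHORIZED_SCOPES):
        problems.append("requested scopes exceed the read-only scopes that were authorized")
    if "@" not in admin_email or admin_email == key.get("client_email"):
        problems.append("admin email must be a Workspace user, not the service account itself")
    return problems


def build_delegated_signing_input(key_json, admin_email, authorized_client_id, scopes=AUTHORIZED_SCOPES, now=None):
    """Return (claims, header.payload) for the JWT the service account signs to impersonate the admin."""
    key = json.loads(key_json)
    problems = config_problems(key, admin_email, authorized_client_id, scopes)
    if problems:
        raise ValueError("; ".join(problems))
    now = int(time.time()) if now is None else now
    claims = {
        "iss": key["client_email"],  # the service account that signs the assertion
        "sub": admin_email,          # the admin it acts as, via domain-wide delegation
        "scope": " ".join(scopes),
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,           # Google rejects assertions valid longer than one hour
    }
    header = {"alg": "RS256", "typ": "JWT"}
    parts = (json.dumps(header, separators=(",", ":")), json.dumps(claims, separators=(",", ":")))
    return claims, ".".join(_b64url(p.encode()) for p in parts)
```

Without the `sub` claim the token is issued for the service account itself, which has no Directory API visibility, so every group lookup fails even though the scopes were authorized.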