# Google

Pritunl supports single sign-on with Google Workspace, allowing users to authenticate to Pritunl with their Google employee account. OAuth is used to authenticate users, and re-authentication is also performed on each connection. When a Google user is removed or disabled they will no longer be able to connect to a Pritunl server. To start, set *Single Sign-On* to *Google* and set the *Google Apps Domain*. The domain should be the domain used for the business Gmail, such as `pritunl.com`. Multiple domains can be separated by commas. The single sign-on organization controls which organization Google users are added to.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FvfLoVZQ59Az0JqcTcTuG%2Fgoogle_org6.png?alt=media\&token=74506c28-de7e-45a1-99cf-dd5409c378c3)

Once configured a *Sign in with Google* button will appear on the login page.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FeBcfXEzUs6EVfZUOpEaS%2Fgoogle1.png?alt=media\&token=18e19a43-2226-48ae-8e30-cbed9f52fe69)

After a user clicks *Sign in with Google* they will be prompted to approve the OAuth login. They will then be directed to their VPN profiles.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FaaMtt30Iq9RWsFqiRREM%2Fgoogle2.png?alt=media\&token=4557569a-fd9e-4c7b-8b81-7acd97ce08d1)

### Match Groups to Organizations

From the [**Google Workspace Admin Console**](https://admin.google.com/) search for `Google Cloud Platform` and select *Settings for Google Cloud Platform*. Then enable the service.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FaV7Fg9bbi9HCe3YTLcHE%2Fsso_google0.png?alt=media\&token=78f03faf-1532-4d9f-9f9f-feceab5dcd1b)

Open the [**Google Cloud Console**](https://console.cloud.google.com/) and create a project if one does not already exist.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2Fc9KENHQAA0kBqagzayqo%2Fsso_google1.png?alt=media\&token=731a37dc-6333-45e2-9a27-4a17abf1ced6)

Either open the [**Admin SDK API Settings**](https://console.cloud.google.com/apis/library/admin.googleapis.com) or use the search from the cloud platform console to search for `Admin SDK API`. Then click *Enable*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FrxTb7Iy3uMRbHDZmag0N%2Fsso_google11.png?alt=media\&token=a950fee1-6f77-4a0e-9c33-1f1c54c52f55)

From the navigation menu select *IAM & Admin* then *IAM*. From the *IAM* page open *Service Accounts*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2Fe1qZBCH28aCP0NYobeSn%2Fsso_google2.png?alt=media\&token=0670748f-ed63-430e-af5c-791aa78ca57f)

Click *Create Service Account* and name the service account `pritunl`. Then click *Create and Continue*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FGE0y8qSZC97fDR7wHWD9%2Fsso_google3.png?alt=media\&token=3047b0bc-08fc-4aaf-a4e9-94a4713f7be9)

Click *Add role* and select *Service Accounts* then select *Service Account User*. Click *Continue* then click *Done* to create the service account.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2F0qzKOydqrbc8NemazJcx%2Fsso_google4.png?alt=media\&token=70d0d629-e3c2-420b-aeb5-0ad27f227276)

Click the menu button for the user under *Actions* then click *Manage keys*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FH2Fa8tFedzXRv4rYOuZr%2Fsso_google7.png?alt=media\&token=53dc4551-9456-47c9-8af2-2fefb3292ec7)

Click *Add Key* and *Create new key*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FAkR7r0FNqlK01ykU82yp%2Fsso_google5.png?alt=media\&token=d09f1d7b-975e-40c3-a5bb-4403d7559723)

Set the *Key type* to *JSON* and click *Create*. The key will be downloaded as a JSON file.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2Fv2swPcT2Yw9sLrY0HnNZ%2Fsso_google6.png?alt=media\&token=0ade4169-4807-4165-bd90-55f6ba0c18f2)

Either open the *Details* tab from the keys page or click *Manage details* from the user actions menu.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FT9twnyN4ZkhCabJ8aqud%2Fsso_google8.png?alt=media\&token=4bc986bc-84c1-4012-9235-fbd478b49d42)

Copy the *Unique ID* shown for the next steps.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2Fc3spMUJoa9eVIGZ8aFpj%2Fsso_google12.png?alt=media\&token=67ec0d80-0ff9-4b03-983c-dc1a59670370)

Go to the [**Google Workspace Admin Console**](https://admin.google.com/) and select *Security* then *Access and data control* then *API controls* from the menu. Enable *Trust internal, domain-owned apps*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FLHkSYJqxiKAEqGXhOQSw%2Fsso_google15.png?alt=media\&token=59ea82e8-eae7-4f34-87e1-5117f95a4fa1)

Once done click *Manage Domain Wide Delegation*. Then click *Add new* and enter the *Unique ID* copied in the previous steps as the *Client ID*. Set the *OAuth scopes* to `https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly` and click *Authorize*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FC4WrUUPreJtXmlexYvx9%2Fsso_google14.png?alt=media\&token=e0ba8b33-0dc4-4a6d-98e3-30a9d2c9d545)

Open the settings from the Pritunl web console and verify the *Google Apps Domain* is set to the correct company domain. Then set the *Google Admin Email* to the email address of any Google Workspace administrator; this is used by the Google Cloud API to discover the Google Workspace domain. Open the JSON file downloaded in the previous steps and copy the contents of the key file to *Google JSON Private Key*. Then click *Save*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2F09aB4YwuxoesWQf5zE1j%2Fsso_google10.png?alt=media\&token=71250fbc-246f-42c3-a8a2-e220c76e9ba2)

Once done, the Pritunl user will be created in the matching organization when authenticating with Google. The logs will show which names are discovered when a user authenticates.
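The steps above produce three things that have to agree with each other before the group lookup works: the downloaded service account key, the Client ID authorized for domain-wide delegation, and the admin email used for the Directory API lookup. A mismatched Client ID or an over-broad scope list are the usual causes of failure, so the following pre-flight check is useful to run before pasting the key into Pritunl. This is an added example, not Pritunl's code or Google's tooling; it uses only the Python standard library, and the key file it checks is a constructed sample whose private key body is placeholder text rather than real key material. The field names it looks for are the ones present in every Google service account key download.

```python
"""Pre-flight checks for the Google Workspace service account setup.

Added example, not Pritunl code. Standard library only; the sample key
below is constructed so the checks can be run offline.
"""
import base64
import json

# The two read-only Directory API scopes the page authorizes under
# Manage Domain Wide Delegation. Anything broader than these is more
# privilege than a user/group lookup needs.
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
})

# Fields present in every Google service account key file.
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                       "client_email", "client_id", "token_uri")


def validate_service_account_key(key_json, expected_unique_id):
    """Return a list of problems with the downloaded key file (empty means OK).

    expected_unique_id is the Unique ID copied from the service account's
    details page. It must equal the key's client_id, which is the Client ID
    that was authorized for domain-wide delegation in the Admin Console.
    """
    problems = []
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    for field in REQUIRED_KEY_FIELDS:
        if not key.get(field):
            problems.append(f"missing field: {field}")
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    if key.get("client_id") and key["client_id"] != str(expected_unique_id):
        problems.append("client_id does not match the Unique ID authorized for delegation")
    # The key is a PEM PKCS#8 block with embedded newlines; check its framing
    # and that the body is base64 without needing a crypto library.
    lines = [ln for ln in key.get("private_key", "").strip().splitlines() if ln]
    if (len(lines) < 3 or lines[0] != "-----BEGIN PRIVATE KEY-----"
            or lines[-1] != "-----END PRIVATE KEY-----"):
        problems.append("private_key is not a PEM PKCS#8 block")
    else:
        try:
            base64.b64decode("".join(lines[1:-1]), validate=True)
        except ValueError:
            problems.append("private_key body is not valid base64")
    return problems


def check_delegation_scopes(scopes_csv):
    """Parse the comma-separated scope string entered in the Admin Console and
    report scopes that are missing and scopes that go beyond the two needed."""
    granted = {s.strip() for s in scopes_csv.split(",") if s.strip()}
    return {
        "missing": sorted(REQUIRED_SCOPES - granted),
        "extra": sorted(granted - REQUIRED_SCOPES),
    }


def admin_email_in_domains(admin_email, google_apps_domains):
    """Check that the Google Admin Email belongs to one of the comma-separated
    Google Apps Domains configured in Pritunl."""
    domains = {d.strip().lower() for d in google_apps_domains.split(",") if d.strip()}
    _, _, email_domain = admin_email.rpartition("@")
    return email_domain.lower() in domains


# Constructed sample: the structure matches a real key download, but the
# private key body is placeholder text and the IDs are made up.
SAMPLE_UNIQUE_ID = "000000000000000000000"
_PLACEHOLDER_BODY = base64.b64encode(b"constructed placeholder, not a real key").decode()
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123abcd",
    "private_key": f"-----BEGIN PRIVATE KEY-----\n{_PLACEHOLDER_BODY}\n-----END PRIVATE KEY-----\n",
    "client_email": "pritunl@example-project.iam.gserviceaccount.com",
    "client_id": SAMPLE_UNIQUE_ID,
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    print(validate_service_account_key(SAMPLE_KEY_JSON, SAMPLE_UNIQUE_ID))
    print(check_delegation_scopes(
        "https://www.googleapis.com/auth/admin.directory.user.readonly, "
        "https://www.googleapis.com/auth/admin.directory.group.readonly"))
    print(admin_email_in_domains("admin@pritunl.com", "pritunl.com, example.org"))
```

To use it against a real download, replace `SAMPLE_KEY_JSON` with the contents of the downloaded file and `SAMPLE_UNIQUE_ID` with the value copied from the service account details page; an empty problem list, no missing or extra scopes, and a matching admin domain mean the three settings entered in Pritunl and the Admin Console are consistent.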

### Configure Pritunl Zero

For Pritunl Zero these same options can be found in the *Settings* tab.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FAtBUbVSCwCOrlbZVQQjv%2Fgoogle_sso_zero.png?alt=media\&token=f9aa5a09-001b-4f20-9e56-523cf3642bf0)
