Update G Suite docs to add clarification (#4394)
webvictim authored Sep 30, 2020
1 parent aaac7ae commit bf7f9a6
Showing 2 changed files with 12 additions and 3 deletions.
10 changes: 8 additions & 2 deletions docs/4.2/enterprise/sso/ssh-gsuite.md
Expand Up @@ -69,12 +69,18 @@ the OIDC Connector, under `google_service_account_uri`.
Teleport requires the service account JSON to be uploaded to all Teleport authentication servers when setting
up in a HA config.

!!! Warning

Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. The `client_id` field must be the unique ID number captured from the admin UI. An indicator that this is misconfigured is if you see "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." in your log.

!!! Note

The email that you set for `google_admin_email` **must** be the email address of a user that has permission to list all groups, users, and group membership in your G Suite account. This user will generally need super admin privileges.

## API Scopes:
Before setting the Manage API client access capture the client ID of the service account.
Within GSuite to access the Manage API client access go to Security -> Settings. Navigate to Advanced Settings and open Manage API client access. Put the client ID in the Client Name field and the below permissions in the API scopes as a single comma separated line. Press Authorize.

!!! note: Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. A indicator of that is if you see `Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.` in your log.

`https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly`

![Manage API Client Access](../../img/gsuite/gsuite-6-manage-api-access.png)
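Review bot: The added `!!! Note` tells readers the `google_admin_email` user "will generally need super admin privileges", but the requirement it actually states is only the ability to list groups, users, and group membership, and every scope under "API Scopes" is a `.readonly` scope. Suggest clarifying whether a delegated admin role limited to read access on users and groups is sufficient, so the docs do not steer operators toward handing a super admin identity to an SSO integration when a narrower role would do; if super admin genuinely is required, say why in the Note.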
5 changes: 4 additions & 1 deletion docs/4.3/enterprise/sso/ssh-gsuite.md
Expand Up @@ -83,8 +83,11 @@ Within GSuite to access the Manage API client access go to Security -> Settings.

!!! Warning

Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. A indicator of that is if you see `Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.` in your log.
Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. The `client_id` field must be the unique ID number captured from the admin UI. An indicator that this is misconfigured is if you see "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." in your log.

!!! Note

The email that you set for `google_admin_email` **must** be the email address of a user that has permission to list all groups, users, and group membership in your G Suite account. This user will generally need super admin privileges.

**Client Name:** For Client Name: Use the Unique ID for the service account. [See Video for instructions](https://youtu.be/DG97l8WJ6oU?t=281).

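Review bot: In the rewritten Warning the log message is now wrapped in double quotes, while the removed line rendered it in backticks; keep the backticks so the literal string `Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.` stays visually distinct from the prose and is easy to search for. "in your log" would also be more useful as "in the Teleport auth server log", since the 4.2 hunk above notes that the service account JSON is loaded on the auth servers. While here, the unchanged line "**Client Name:** For Client Name: Use the Unique ID for the service account." repeats itself and now duplicates the new `client_id` sentence in the Warning; trimming it to "**Client Name:** Use the Unique ID for the service account." would be a cheap drive-by fix.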