From bf7f9a6e873fd5accbee3ebe4bac981d873e3bc2 Mon Sep 17 00:00:00 2001 From: Gus Luxton Date: Wed, 30 Sep 2020 10:36:29 -0300 Subject: [PATCH] Update G Suite docs to add clarification (#4394) --- docs/4.2/enterprise/sso/ssh-gsuite.md | 10 ++++++++-- docs/4.3/enterprise/sso/ssh-gsuite.md | 5 ++++- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/docs/4.2/enterprise/sso/ssh-gsuite.md b/docs/4.2/enterprise/sso/ssh-gsuite.md index aa2b94f13a60b..a94b503c4f6ec 100644 --- a/docs/4.2/enterprise/sso/ssh-gsuite.md +++ b/docs/4.2/enterprise/sso/ssh-gsuite.md 
@@ -69,12 +69,18 @@ the OIDC Connector, under `google_service_account_uri`. Teleport requires the service account JSON to be uploaded to all Teleport authentication servers when setting up in a HA config. +!!! Warning + + Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. The `client_id` field must be the unique ID number captured from the admin UI. An indicator that this is misconfigured is if you see "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." in your log. + +!!! Note + + The email that you set for `google_admin_email` **must** be the email address of a user that has permission to list all groups, users, and group membership in your G Suite account. This user will generally need super admin privileges. + ## API Scopes: Before setting the Manage API client access capture the client ID of the service account. Within GSuite to access the Manage API client access go to Security -> Settings. Navigate to Advanced Settings and open Manage API client access. Put the client ID in the Client Name field and the below permissions in the API scopes as a single comma separated line. Press Authorize. -!!! note: Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. A indicator of that is if you see `Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.` in your log. - `https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly` ![Manage API Client Access](../../img/gsuite/gsuite-6-manage-api-access.png) 
diff --git a/docs/4.3/enterprise/sso/ssh-gsuite.md b/docs/4.3/enterprise/sso/ssh-gsuite.md index dc572ccf60bc6..8773ac20b36df 100644 --- a/docs/4.3/enterprise/sso/ssh-gsuite.md +++ b/docs/4.3/enterprise/sso/ssh-gsuite.md @@ -83,8 +83,11 @@ Within GSuite to access the Manage API client access go to Security -> Settings. !!! Warning - Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. A indicator of that is if you see `Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.` in your log. + Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. The `client_id` field must be the unique ID number captured from the admin UI. An indicator that this is misconfigured is if you see "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." in your log. +!!! Note + + The email that you set for `google_admin_email` **must** be the email address of a user that has permission to list all groups, users, and group membership in your G Suite account. This user will generally need super admin privileges. **Client Name:** For Client Name: Use the Unique ID for the service account. [See Video for instructions](https://youtu.be/DG97l8WJ6oU?t=281).
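Review bot: In the first hunk (docs/4.2, the new `!!! Warning` block above `## API Scopes`), the sentence "The `client_id` field must be the unique ID number captured from the admin UI" does not say which `client_id` is meant, and the same section goes on to say "Put the client ID in the Client Name field", so a reader can't tell whether the warning is about a field in the OIDC connector (alongside `google_service_account_uri`) or the Client Name field in the G Suite admin UI. Suggest naming the location explicitly, e.g. "the `client_id` field of the OIDC connector must be the service account's Unique ID, and the same value goes in the Client Name field of Manage API client access". Two smaller points: the quoted error message switched from backticks to straight quotes, while the rest of the doc uses backticks for literal strings, so keep the backticks for consistency; and since every scope listed in this section is `.readonly`, the new `!!! Note` could add that a dedicated account with a delegated admin role limited to reading users and groups is preferable to a super admin for `google_admin_email`, which keeps the blast radius small if the service account JSON is ever exposed.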
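Review bot: In the second hunk (docs/4.3), the added `!!! Note` body line ("The email that you set for `google_admin_email` ...") is followed directly by the unchanged `**Client Name:**` paragraph with no blank line between them, whereas the equivalent insertion in the 4.2 file adds a trailing `+` blank line before `## API Scopes`. Whether the following paragraph is absorbed into the admonition depends on the Markdown renderer, so add the blank line here as well to match the 4.2 change and keep the rendering predictable. The reworded warning itself reads well and fixes the earlier "A indicator" typo.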