Skip to main content

Google Workspace (formerly known as G Suite)

This guide covers the basics of setting up Pomerium to use GCP and Google Workspace / G Suite as your identity provider.

caution

Google changes their configuration screens frequently. Please refer to Google's documentation for authoritative instructions.

Setting up OAuth 2.0

You need OAuth 2.0 credentials, including a client ID and client secret, to authenticate users.

Create OAuth 2.0

Log in to your Google account and go to the APIs & services.

  1. Navigate to Credentials using the left-hand menu. If you're not already in a project, you can select one here.

  2. On the Credentials page, click Create credentials and choose OAuth Client ID.

Create New Credentials

caution

If you don't currently have an OAuth consent page configured, Google will not allow you to create credentials until this is completed. Please follow Google's instructions for doing so.

  1. For the Application type choose Web application.

  2. Give the client ID a Name, and add an Authorized redirect URI. The redirect URI format is https://${authenticate_service_url}/oauth2/callback (e.g.https://authenticate.localhost.pomerium.io/oauth2/callback).

Web App Credentials Configuration

Click Create once complete.

  1. The Google Cloud Console will display your Client ID and Client Secret. Temporarily save these values to import into Pomerium later.

Google's OAuth client ID and Secret displayed

Configure Pomerium

Edit config.yaml or set your environment variables to connect Pomerium to Google:

/etc/pomerium/config.yaml
idp_provider: 'google'
idp_client_id: 'yyyy.apps.googleusercontent.com'
idp_client_secret: 'xxxxxx'

Getting Groups

Unfortunately, Google does not yet support getting groups data using a custom claim. Groups must be loaded by using a plugin to fetch directory information (see Enterprise's Directory Sync).