From 70e4126765b236c1885db2bcea0db6be2115ff7d Mon Sep 17 00:00:00 2001 From: Gus Luxton Date: Tue, 29 Sep 2020 11:54:53 -0300 Subject: [PATCH 1/6] Update ssh-gsuite.md Update notes regarding google_admin_email --- docs/4.3/enterprise/sso/ssh-gsuite.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/4.3/enterprise/sso/ssh-gsuite.md b/docs/4.3/enterprise/sso/ssh-gsuite.md index dc572ccf60bc..4c962df87176 100644 --- a/docs/4.3/enterprise/sso/ssh-gsuite.md +++ b/docs/4.3/enterprise/sso/ssh-gsuite.md @@ -83,8 +83,11 @@ Within GSuite to access the Manage API client access go to Security -> Settings. !!! Warning - Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. A indicator of that is if you see `Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.` in your log. + Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. The "client_id" field must be the unique ID number captured from the admin UI. An indicator that this is misconfigured is if you see "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." in your log. + +!!! Note + The email that you set for `google_admin_email` **must** be the email address of a user that has permission to list all groups, users, and group membership in your G Suite account. This user will generally need super admin privileges. **Client Name:** For Client Name: Use the Unique ID for the service account. [See Video for instructions](https://youtu.be/DG97l8WJ6oU?t=281). From 41bd5caa549b875b4d17506e97d77f987b78ddba Mon Sep 17 00:00:00 2001 
From: Gus Luxton Date: Tue, 29 Sep 2020 11:56:36 -0300 Subject: [PATCH 2/6] Update ssh-gsuite.md Update notes regarding google_admin_email --- docs/4.2/enterprise/sso/ssh-gsuite.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/4.2/enterprise/sso/ssh-gsuite.md b/docs/4.2/enterprise/sso/ssh-gsuite.md index aa2b94f13a60..eb78688af7d6 100644 --- a/docs/4.2/enterprise/sso/ssh-gsuite.md +++ b/docs/4.2/enterprise/sso/ssh-gsuite.md 
@@ -68,13 +68,19 @@ the OIDC Connector, under `google_service_account_uri`. Teleport requires the service account JSON to be uploaded to all Teleport authentication servers when setting up in a HA config. + +!!! Warning + + Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. The "client_id" field must be the unique ID number captured from the admin UI. An indicator that this is misconfigured is if you see "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." in your log. + +!!! Note + + The email that you set for `google_admin_email` **must** be the email address of a user that has permission to list all groups, users, and group membership in your G Suite account. This user will generally need super admin privileges. ## API Scopes: Before setting the Manage API client access capture the client ID of the service account. Within GSuite to access the Manage API client access go to Security -> Settings. Navigate to Advanced Settings and open Manage API client access. Put the client ID in the Client Name field and the below permissions in the API scopes as a single comma separated line. Press Authorize. -!!! note: Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. A indicator of that is if you see `Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.` in your log. - `https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly` ![Manage API Client Access](../../img/gsuite/gsuite-6-manage-api-access.png) 
From e767b121f3490311b26056f5716ed3332dff7c9b Mon Sep 17 00:00:00 2001 From: Gus Luxton Date: Tue, 29 Sep 2020 11:57:56 -0300 Subject: [PATCH 3/6] Update ssh-gsuite.md --- docs/4.3/enterprise/sso/ssh-gsuite.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/4.3/enterprise/sso/ssh-gsuite.md b/docs/4.3/enterprise/sso/ssh-gsuite.md index 4c962df87176..06461e3ffd41 100644 --- a/docs/4.3/enterprise/sso/ssh-gsuite.md +++ b/docs/4.3/enterprise/sso/ssh-gsuite.md @@ -83,7 +83,7 @@ Within GSuite to access the Manage API client access go to Security -> Settings. !!! Warning - Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. The "client_id" field must be the unique ID number captured from the admin UI. An indicator that this is misconfigured is if you see "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." in your log. + Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. The `client_id` field must be the unique ID number captured from the admin UI. An indicator that this is misconfigured is if you see "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." in your log. !!! Note From 63b11507d3b8017ac535be454227becb7a316687 Mon Sep 17 00:00:00 2001 From: Gus Luxton Date: Tue, 29 Sep 2020 11:58:18 -0300 Subject: [PATCH 4/6] Update ssh-gsuite.md --- docs/4.2/enterprise/sso/ssh-gsuite.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/4.2/enterprise/sso/ssh-gsuite.md b/docs/4.2/enterprise/sso/ssh-gsuite.md index eb78688af7d6..a3325ab9f877 100644 --- a/docs/4.2/enterprise/sso/ssh-gsuite.md +++ b/docs/4.2/enterprise/sso/ssh-gsuite.md 
@@ -71,7 +71,7 @@ the OIDC Connector, under `google_service_account_uri`. !!! Warning - Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. The "client_id" field must be the unique ID number captured from the admin UI. An indicator that this is misconfigured is if you see "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." in your log. + Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. The `client_id` field must be the unique ID number captured from the admin UI. An indicator that this is misconfigured is if you see "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." in your log. !!! Note From e4a34b7cf9201701049768009d0b9e18bbb6a3fe Mon Sep 17 00:00:00 2001 From: Gus Luxton Date: Tue, 29 Sep 2020 15:42:00 -0300 Subject: [PATCH 5/6] Removing trailing whitespace from 4.2 guide --- docs/4.2/enterprise/sso/ssh-gsuite.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/4.2/enterprise/sso/ssh-gsuite.md b/docs/4.2/enterprise/sso/ssh-gsuite.md index a3325ab9f877..abd488dc42f0 100644 --- a/docs/4.2/enterprise/sso/ssh-gsuite.md +++ b/docs/4.2/enterprise/sso/ssh-gsuite.md 
@@ -75,7 +75,7 @@ the OIDC Connector, under `google_service_account_uri`. !!! Note - The email that you set for `google_admin_email` **must** be the email address of a user that has permission to list all groups, users, and group membership in your G Suite account. This user will generally need super admin privileges. + The email that you set for `google_admin_email` **must** be the email address of a user that has permission to list all groups, users, and group membership in your G Suite account. This user will generally need super admin privileges. ## API Scopes: Before setting the Manage API client access capture the client ID of the service account. From 8533f634b3a94a7a51c05e92afbf6b1f0c2b8161 Mon Sep 17 00:00:00 2001 From: Gus Luxton Date: Wed, 30 Sep 2020 10:17:42 -0300 Subject: [PATCH 6/6] Fix whitespace --- docs/4.2/enterprise/sso/ssh-gsuite.md | 4 ++-- docs/4.3/enterprise/sso/ssh-gsuite.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/4.2/enterprise/sso/ssh-gsuite.md b/docs/4.2/enterprise/sso/ssh-gsuite.md index abd488dc42f0..a94b503c4f6e 100644 --- a/docs/4.2/enterprise/sso/ssh-gsuite.md +++ b/docs/4.2/enterprise/sso/ssh-gsuite.md 
@@ -68,11 +68,11 @@ the OIDC Connector, under `google_service_account_uri`. Teleport requires the service account JSON to be uploaded to all Teleport authentication servers when setting up in a HA config. - + !!! Warning Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. The `client_id` field must be the unique ID number captured from the admin UI. An indicator that this is misconfigured is if you see "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." in your log. - + !!! Note The email that you set for `google_admin_email` **must** be the email address of a user that has permission to list all groups, users, and group membership in your G Suite account. This user will generally need super admin privileges. diff --git a/docs/4.3/enterprise/sso/ssh-gsuite.md b/docs/4.3/enterprise/sso/ssh-gsuite.md index 06461e3ffd41..8773ac20b36d 100644 --- a/docs/4.3/enterprise/sso/ssh-gsuite.md +++ b/docs/4.3/enterprise/sso/ssh-gsuite.md @@ -84,7 +84,7 @@ Within GSuite to access the Manage API client access go to Security -> Settings. !!! Warning Do not use the email of the service account. The configuration display will look the same but the service account will not have the domain-wide delegation required. The `client_id` field must be the unique ID number captured from the admin UI. An indicator that this is misconfigured is if you see "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." in your log. - + !!! Note The email that you set for `google_admin_email` **must** be the email address of a user that has permission to list all groups, users, and group membership in your G Suite account. This user will generally need super admin privileges.
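Review bot: In the PATCH 1/6 hunk for docs/4.3, the rewritten Warning says `The "client_id" field must be the unique ID number captured from the admin UI`, but the surrounding section calls the admin UI field "Client Name" (`**Client Name:** For Client Name: Use the Unique ID for the service account.`) and nothing nearby introduces a `client_id` key, so a reader cannot tell whether this means the OIDC connector's `client_id` or the Manage API client access form. Name the field and where it lives, e.g. "the `client_id` in your OIDC connector resource and the Client Name in Manage API client access must both be the service account's numeric Unique ID, never its email". The same hunk also drops the backticks the old line used around the literal log message in favour of double quotes; keeping it as inline code makes it searchable as an exact string.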
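Review bot: The new Note admonition in the PATCH 1/6 hunk (repeated in PATCH 2/6) tells readers `google_admin_email` "will generally need super admin privileges" without saying why. The API scopes this guide authorizes are all `.readonly` directory scopes, and the service-account JSON referenced by `google_service_account_uri` is uploaded to every auth server, so whoever holds that key can act as the named admin for the delegated scopes; consider stating that a delegated admin role limited to reading users and groups satisfies the listed scopes and that super admin is the fallback, so the impersonated identity carries no more privilege than the lookups need.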
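Review bot: In the PATCH 2/6 hunk for docs/4.2, the three blank `+` lines carry trailing whitespace and `"client_id"` is quoted rather than in backticks; both are corrected later in the series (PATCH 4/6, 5/6, 6/6), so squash those fixups into this commit so the docs history does not carry four one-line whitespace commits. Placement also differs between versions: here the Warning and Note land above `## API Scopes:`, while in docs/4.3 they follow the "Security -> Settings" paragraph; put them in the same position in both guides, or note in the commit message why they differ. Removing the old `!!! note:` line is correct, since that form (colon, body on the same line) does not render as an admonition.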
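Review bot: The PATCH 3/6 and 4/6 hunks only change `"client_id"` to `` `client_id` `` in the text added by 1/6 and 2/6, and their subject line is the generic "Update ssh-gsuite.md"; fold them into the commits they fix, or give them a subject that says what changed (e.g. "Use inline code for client_id in GSuite SSO warning") so `git log` on this file stays meaningful.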