Multi-organization multi-server set up with different routes in each server

Hey guys

I’m not able to find a similar issue so writing this post.

I’m setting up the VPN for my company and I have an Enterprise plan. We have a use case in which we may have to give VPN access to multiple stakeholders. Additionally, within the company, we have multiple groups of people to which we want to give different levels of access. For example: infra engineers should have access to almost all the internal routes, backend engineers should have access to DBs, whereas the Growth team should have access to only analytics tools.

I created multiple organizations. The first issue is I cannot use a single Google SSO with multiple organizations. When I try to do so, I get the following error:

Additionally, I want different routes for different teams within the same organization. I do not want the Growth team to access the DBs, for example. I see that when anyone logs in via Google SSO and imports the profile, they are able to connect to all the servers.

I’m getting a little lost here. Any help getting me back on track would be appreciated.

The groups mode can be used for more complex cases where multiple groups are needed. To do this, delete all the organizations and create one organization. Set this organization as the default single sign-on organization in the top-right settings, then attach the organization to all servers. Then run the commands below. In each server's settings, add the groups that will be able to access that server. This can result in larger usage of IP address pools: every user that is attached to a server will have a static IP assigned even if a group is not matched, so the server virtual network subnet size should allow for this. For SAML, the attribute "groups" is used to set a comma-separated list of groups.

sudo pritunl set app.sso_azure_mode '"groups"'
sudo pritunl set app.sso_authzero_mode '"groups"'
sudo pritunl set app.sso_google_mode '"groups"'
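To make the two caveats in the reply concrete (a user only reaches servers whose group list overlaps the groups delivered by SSO, but still consumes an address in every server the organization is attached to), here is an added example that models that behaviour in plain Python. It is not Pritunl's code and does not talk to a Pritunl server; the server names, group names, subnets, user list and the assumption that two addresses per virtual network are reserved are all constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed sample data (not from the forum post). Each server's set stands
# in for the "groups" list added in that server's settings after enabling
# groups mode; the post's Growth team maps to "growth", backend to "backend".
SERVER_GROUPS: Dict[str, Set[str]] = {
    "internal-routes": {"infra"},
    "databases": {"infra", "backend"},
    "analytics": {"infra", "backend", "growth"},
}

# Virtual network of each server; the /29 is deliberately tiny to show the
# pool-sizing caveat from the reply.
SERVER_SUBNETS: Dict[str, str] = {
    "internal-routes": "192.168.240.0/24",
    "databases": "192.168.241.0/24",
    "analytics": "192.168.242.0/29",
}

# Users of the single default SSO organization, each with the raw value of
# the comma-separated SAML "groups" attribute (constructed).
USERS: Dict[str, str] = {
    "alice@example.com": "infra",
    "bob@example.com": "backend, growth",
    "carol@example.com": "growth",
    "dave@example.com": "contractor",   # matches no server, still gets an IP
    "erin@example.com": "backend",
    "frank@example.com": "growth",
    "grace@example.com": "infra,growth",
}

# Assumption: how many addresses of a virtual network are not handed to
# users (network/broadcast/gateway style reservations). The page does not
# state Pritunl's real figure; adjust for your deployment.
RESERVED_ADDRESSES = 2


def parse_groups(attr: str) -> Set[str]:
    """Split a comma-separated SAML 'groups' value into a set of group names."""
    return {g.strip() for g in attr.split(",") if g.strip()}


def servers_for_user(user_groups: Set[str],
                     server_groups: Dict[str, Set[str]] = SERVER_GROUPS) -> List[str]:
    """Servers a user may connect to: any overlap with the server's group list."""
    return sorted(name for name, allowed in server_groups.items()
                  if user_groups & allowed)


def pool_check(subnet: str, attached_users: int,
               reserved: int = RESERVED_ADDRESSES) -> Dict[str, object]:
    """Does the virtual network have a static address for every attached user?"""
    net = ipaddress.ip_network(subnet, strict=True)
    usable = net.num_addresses - reserved
    return {"usable": usable, "needed": attached_users, "ok": attached_users <= usable}


def plan_access(users: Dict[str, str],
                server_groups: Dict[str, Set[str]],
                server_subnets: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Per server: which users match a group, and whether the pool fits everyone."""
    plan: Dict[str, Dict[str, object]] = {}
    for server, allowed in server_groups.items():
        matched = sorted(u for u, attr in users.items()
                         if parse_groups(attr) & allowed)
        # The whole organization is attached to every server, so every user
        # consumes an address here, matched or not.
        pool = pool_check(server_subnets[server], len(users))
        plan[server] = {"matched": matched, "pool": pool}
    return plan


if __name__ == "__main__":
    for server, info in plan_access(USERS, SERVER_GROUPS, SERVER_SUBNETS).items():
        pool = info["pool"]
        status = "ok" if pool["ok"] else "TOO SMALL"
        print(f"{server}: {len(info['matched'])} users match, "
              f"pool needs {pool['needed']} of {pool['usable']} usable ({status})")
        for user in info["matched"]:
            print(f"  allowed: {user}")
```

Running the script shows "analytics" flagged as too small: seven users are attached to the organization, so seven static addresses are needed even though only six of them match a group, and a /29 cannot provide them. Sizing each server's virtual network against the organization's user count rather than the matched-group count is the check the reply asks for.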