With Google SSO, we are struggling to integrate Pritunl with Google Groups

Can you please help or share some articles which would help?
Please note that we referred to Google while setting up the same. However, it was not helpful to set it up with Google groups.

Use case: Enable Pritunl SSO only to a specific group of people (configured in google groups)

Google Workspace doesn’t have the same level of user access controls that traditional single sign-on platforms have. The best option for Google is to create an organization in Pritunl and configure it as the default single sign-on organization. Then leave this organization unattached to any servers. Organizations matching the names of Google groups can then be created and those can be attached to servers. Users not in the groups will not be able to connect to a VPN server.

Hi Zach,

I think I followed as you suggested but getting “No server profiles are available on this account” error. I will describe steps I did.

  1. Created a Google group with name Tech at https://groups.google.com/my-groups
  2. Create New Org with name Tech in Pritunl.
  3. Created one more org NonTech in Pritunl.
  4. Changed default SSO org to NonTech and NonTech is not attached to any servers.
  5. Attached Tech Org to Server.
  6. Tried to authenticate with my Google email and getting error “No server profiles are available on this account”
  7. I have made sure my user part of Tech group in Google Groups.
  8. after authentication my user list under NonTech org.

Can you help me understand what I’m missing?

Verify that the Groups option in the server settings is not set. This is a separate groups mode that requires also configuring user groups to match. This mode should only be used when required and can be enabled by running sudo pritunl set app.sso_google_mode '"groups"'.

Hi Zach,

This doesn’t not help in fixing issue. Attaching you screenshots.

Enabled groups option using priutnl command you mentioned and no groups is specified in server setting, still getting same error message.

That command shouldn’t be used to fix the issue, only to switch to the groups mode. If you are not intending on using the groups mode run sudo pritunl unset app.sso_google_mode. First verify the user is in the correct organization and check the title at the top of the profile page after authenticating which will show the organization name. Then verify this organization is attached to a server. Do not attempt to create the single sign-on user manually, this will create a local type user. The user should be created by the Pritunl server during the single sign-on authentication.

Hi Zach,

I have reverted group changes using unset option still same issue. I have tried to do auth again but same issue. I have not created user manually.

I’m attaching pdf with all screenshots can you help me understand how to fix this.


Check the logs in the top right, this will show a message reporting what group names were provided by the single sign-on provider.

Hi Zach,

I can only see this message in logs. nothing more.

[tunnel-a][2023-03-14 09:26:23,223][INFO] User organization changed, moving user
user_name = “arun.singh@kissht.com
user_email = “arun.singh@kissht.com
remote_ip = “”
cur_org_id = “63f3618a38ce”
new_org_id = “640f4252aa5915d”

and server start and stop logs. I have turned on Debug log but still this much log I’m getting.

Hi Zach,

i’m not sure if i’m doing something wrong at Google Apps end or Pritunl but single sign on not working for selected group.Can you help things I need to check at google end also?

You may be missing one of the required values in the top right settings. Matching groups requires the Google Admin Email and Google JSON Private Key.

Hi Zach,

I have Google Json private key and email id. Things works fine without group option. But we want to restrict vpn for selected group that we are unable to do.

Run sudo pritunl get app.sso_google_mode and verify it is set to org.

Hi Zach,

Thank you very much this fixed issue. We are now able to control which group have access to VPN Server. Thanks for patience and continue replies.