Google Workspace doesn’t have the same level of user access controls that traditional single sign-on platforms have. The best option for Google is to create an organization in Pritunl and configure it as the default single sign-on organization. Then leave this organization unattached to any servers. Organizations matching the names of Google groups can then be created and those can be attached to servers. Users not in the groups will not be able to connect to a VPN server.
Verify that the Groups option in the server settings is not set. This is a separate groups mode that requires also configuring user groups to match. This mode should only be used when required and can be enabled by running sudo pritunl set app.sso_google_mode '"groups"'.
That command shouldn’t be used to fix the issue, only to switch to the groups mode. If you are not intending on using the groups mode run sudo pritunl unset app.sso_google_mode. First verify the user is in the correct organization and check the title at the top of the profile page after authenticating which will show the organization name. Then verify this organization is attached to a server. Do not attempt to create the single sign-on user manually, this will create a local type user. The user should be created by the Pritunl server during the single sign-on authentication.