Google (OIDC) - Web Console

This guide provides configuration instructions for integrating Genian ZTNA, a network access control system, with Google's authentication functionality.

For administrator authentication, the Genian ZTNA Web Console redirects the administrator to Google using the OIDC (OpenID Connect) protocol. Google authenticates the user and returns an ID Token, which ZTNA validates to complete single sign-on (SSO).

Prerequisites

  • Google Cloud Console project (Google Cloud Platform account required)
  • Domain administrator privileges (when using Google Workspace)
  • Genian ZTNA server in HTTPS environment

Purpose of Integration

Genian ZTNA and Google integration provides the following benefits:

  • No need to manage separate user databases for ZTNA and Google authentication.
  • Users can authenticate to ZTNA using SSO with their Google accounts.
  • Provides secure authentication through the OIDC standard protocol.
  • Utilizes Google Workspace users and permissions.

Supported Features

Google OIDC integration supports the following features:

  • Authorization Code Flow (standard OIDC authentication flow)
  • PKCE (Proof Key for Code Exchange) security enhancement
  • Access Token and ID Token validation
  • User information retrieval through UserInfo Endpoint

For more information on the above features, please refer to https://developers.google.com/identity/protocols/oauth2/openid-connect.

Integration Setup Method

The Genian ZTNA and Google configuration method covered in this guide includes only the items essential for the integration. Once the one-time initial setup is complete, it is applied automatically to every subsequent login.

Step 1: Google Cloud Console Project Creation and Setup

  1. Access https://console.cloud.google.com/ and log in with your Google account.

  2. Create a new project or select an existing project.

    • Click the Create Project button.
    • Project Name: Enter "Genian ZTNA"
    • Organization or Folder: Select the appropriate organization (optional)
    • Click the Create button.
  3. After selecting the project, go to APIs & Services > Library.

  4. Search for and enable Google+ API (for user profile information retrieval).

    • Click Google+ API from the search results.
    • Click the Enable button.

    Note

    Google shut down the Google+ API in 2019, so it may no longer appear in the Library. The OIDC UserInfo endpoint used in this guide (https://openidconnect.googleapis.com/v1/userinfo) does not depend on any API being enabled, so this step can be skipped if the API is not listed.

Step 2: OAuth 2.0 Client ID Creation

  1. Go to APIs & Services > Credentials.

  2. Click Create Credentials button and select OAuth client ID.

  3. If the OAuth consent screen is not set up, you need to configure the consent screen first.

    • Select the External or Internal user type. Internal limits sign-in to accounts in your Google Workspace organization and is recommended when using Google Workspace; External allows any Google account to reach the consent screen, so the domain must then be restricted elsewhere (see the hd parameter in Step 3).
    • App Name: Enter "Genian ZTNA"
    • User Support Email: Enter administrator email
    • Developer Contact Information: Enter administrator email
    • Click Save and Continue button.
  4. In the Scopes step, add the following scopes:

    • .../auth/userinfo.email: Email address verification
    • .../auth/userinfo.profile: Basic profile information verification
    • openid: OpenID Connect authentication
  5. Continue creating the OAuth client ID:

    • Application type: Select Web application
    • Name: Enter "Genian ZTNA"
    • Authorized redirect URIs: Add the HTTPS callback URL of your Genian ZTNA Web Console. Google compares this value exactly (scheme, host, port and path) and rejects the login with redirect_uri_mismatch if it differs; the exact value depends on your ZTNA deployment.
  6. Click the Create button.

  7. Copy and save the generated Client ID and Client secret in a secure location. The Client secret is a credential: do not store it in source control or share it over chat.

    • Client ID example: 123456789012-abcdef.apps.googleusercontent.com
    • Client secret example: GOCSPX-abcdef123456

Step 3: Genian ZTNA OIDC Configuration

  1. In Genian ZTNA Web Console > Preferences > Environment Settings > Admin Console > OIDC Authentication > Identity Provider (IdP), copy and enter the following values from Google:

    • Provider Name - Enter "Google"
    • Issuer - https://accounts.google.com (Google documents that the iss claim of its ID Tokens may be either https://accounts.google.com or accounts.google.com; a validator must accept both forms)
    • Client ID - Google's Client ID.
    • Client Secret - Google's Client secret.
    • Use Discovery - Select "Off" and enter Google's endpoints manually. The values below are the ones published in Google's discovery document (https://accounts.google.com/.well-known/openid-configuration); if Google changes them, this configuration must be updated by hand.
    {
        "issuer": "https://accounts.google.com",
        "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
        "token_endpoint": "https://oauth2.googleapis.com/token",
        "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
        "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs"
    }
    
    • Scope - Enter "openid profile email"

    • Additional Parameters (Optional) - You can enter Google-specific parameters in JSON format, for example:

      {
          "access_type": "offline",
          "prompt": "consent"
      }
      

      Note

      Additional Parameters configures custom parameters that ZTNA includes in the OIDC Authorization Request sent to Google.

      Google-Specific Parameters:

      • access_type: "offline" - Request a Refresh Token (long-lived access). Not required for Web Console login, which only needs the ID Token.
      • prompt: "consent" - Display the consent screen on every login
      • prompt: "select_account" - Display the account selection screen (values can be combined, e.g. "consent select_account")
      • hd: "example.com" - Google Workspace (formerly G Suite) domain restriction. This parameter only pre-filters accounts on the Google sign-in page; it does not by itself prevent a user from signing in with an account from another domain. Enforce the restriction by selecting the Internal user type for the consent screen (Step 2) and by verifying the hd claim of the returned ID Token.
      • include_granted_scopes: "true" - Include previously granted permissions

      OIDC Standard Parameters:

      • ui_locales: "ko-KR" - UI language setting
      • login_hint: "user@example.com" - User email hint (pre-fills the account; it is not an authorization check)
      • max_age: "3600" - Maximum age of the user's authentication at Google (seconds); Google re-authenticates the user when it is exceeded

      For more details, refer to https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters.

  2. To create ZTNA accounts automatically on first login (JIT provisioning), change JIT provisioning to 'On' in ZTNA.

    • In ZTNA UI's JIT provisioning > Additional Information, click the add button and map the user account's name and email to claims from the ID Token.

      • Name: Enter {family_name}{given_name}.

      • Email: Enter email.

        • given_name, family_name and email are standard OIDC claims that Google returns for the profile and email scopes.

      • With JIT provisioning on, every Google account that can complete the sign-in obtains a ZTNA account, so combine it with the Internal user type or an hd restriction rather than relying on the login step alone.
  3. Enter the text to display on the Google authentication button in Login Button Text that will be shown on the Genian ZTNA Web Console authentication screen.

    • Example: "Sign in with Google", "Google Login"
  4. Click the Update button at the bottom of the Genian ZTNA Web Console configuration screen.

Note

Please ensure that the Client ID and Client secret are entered correctly. Using incorrect values will prevent authentication to ZTNA through OIDC. An incorrect Client ID is rejected by Google before the sign-in page is shown; an incorrect Client secret passes the sign-in page but fails when ZTNA exchanges the authorization code at the token endpoint.
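The pieces configured above, worked through as one stand-alone script: the Authorization Code Flow with PKCE listed under Supported Features, the manually entered endpoints and the two issuer forms from Step 3, the hd Additional Parameter, and the {family_name}{given_name} / email mapping used by JIT provisioning. This is an added example, not Genian ZTNA's own code. The client ID, the redirect URI path, the state and nonce values and the sample ID Token claims are assumed or constructed; RS256 signature verification against jwks_uri is left to the OIDC library, and the validator below performs only the claim checks that follow it.

```python
"""Google OIDC authorization-code flow with PKCE, stand-alone illustration.

Added example, not Genian ZTNA code. Stdlib only; runs offline on constructed
data. Endpoint values and claim names (given_name, family_name, email, hd) are
the ones in the guide; client id, redirect URI and sample claims are made up.
"""
import base64
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode

# Endpoints entered manually in ZTNA when "Use Discovery" is Off.
GOOGLE_ENDPOINTS = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
}
# Google documents that the iss claim of its ID tokens may take either form.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and RFC 7636 require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_manual_endpoints(discovery_doc: Dict[str, str]) -> List[str]:
    """Compare the manually entered endpoints against a fetched discovery
    document (https://accounts.google.com/.well-known/openid-configuration).
    Returns the names of entries that differ or are missing."""
    return [k for k, v in GOOGLE_ENDPOINTS.items() if discovery_doc.get(k) != v]


def pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636.
    The verifier stays in the SP session; only the challenge goes to Google."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 unreserved characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_auth_request(client_id: str, redirect_uri: str, state: str, nonce: str,
                       code_challenge: str, extra: Optional[Dict[str, str]] = None) -> str:
    """Authorization request URL the Web Console sends the browser to.
    `extra` is the "Additional Parameters" JSON from the ZTNA configuration."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,                      # CSRF binding for the callback
        "nonce": nonce,                      # must reappear in the ID token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    params.update(extra or {})
    return GOOGLE_ENDPOINTS["authorization_endpoint"] + "?" + urlencode(params)


def validate_id_token_claims(claims: Dict, client_id: str, expected_nonce: str,
                             hosted_domain: Optional[str] = None,
                             now: Optional[float] = None) -> Dict[str, str]:
    """Claim checks to run AFTER the RS256 signature has been verified against
    jwks_uri (done by the OIDC library, not shown here). Returns the fields
    that the JIT provisioning mapping in the guide uses, or raises ValueError."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer: %r" % claims.get("iss"))
    if claims.get("aud") != client_id:
        raise ValueError("token was issued to a different client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or cross-session token)")
    if claims.get("email_verified") is not True:
        raise ValueError("email not verified by Google")
    # The hd *parameter* only pre-filters the sign-in page; this check enforces it.
    if hosted_domain is not None and claims.get("hd") != hosted_domain:
        raise ValueError("account is not in Workspace domain %s" % hosted_domain)
    return {
        "name": claims.get("family_name", "") + claims.get("given_name", ""),
        "email": claims["email"],
    }


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    print(build_auth_request("123456789012-abcdef.apps.googleusercontent.com",
                             "https://ztna.example.com/oidc/callback",  # assumed path
                             state=b64url(secrets.token_bytes(16)),
                             nonce=b64url(secrets.token_bytes(16)),
                             code_challenge=challenge,
                             extra={"hd": "example.com", "prompt": "select_account"}))
```

Run it to print an authorization URL of the shape ZTNA sends the browser to; feed a fetched discovery document to check_manual_endpoints() to confirm the five manually entered values still match what Google publishes. The nonce and hd checks in validate_id_token_claims() are the ones that the Additional Parameters alone do not provide.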

Authentication Integration Testing Method

Testing from Genian ZTNA Web Console Page (SP-initiated SSO)

  1. Access the Genian ZTNA Web Console page.
  2. Click the OIDC Login button.
  3. On the authentication screen, click the authentication button ("Sign in with Google") configured in Step 3 above.
  4. A Google authentication page is displayed in a new popup window.
  5. Select a Google account or enter a username and password to authenticate.
  6. When Google displays the permission consent screen, click Allow.
  7. Upon successful authentication, ZTNA exchanges the authorization code for an ID Token and Access Token, validates the ID Token, extracts the user information, and logs you into ZTNA.

Note

After setting up the authentication integration, add the Google IdP domains to the Enforcement Policy permissions so that the Google sign-in window can still be reached from an endpoint that is otherwise in a blocked state.

How to add permissions

1. Go to Policy > Objects > Network
2. Select Tasks > Create
3. Enter the General settings
4. Network Address > Select FQDN > Enter the IdP domains
   - accounts.google.com
   - apis.google.com
   - www.googleapis.com
5. Click Create
6. Go to the Permissions menu
7. Create a permission using the created network object
8. Assign the created permission to the Enforcement Policy that controls endpoint networks

The token, UserInfo and JWKS endpoints are contacted by the ZTNA server, not by the endpoint's browser, so they need to be reachable from the server rather than from blocked endpoints. If the Google sign-in page loads only partially from a blocked endpoint, check the browser's network log for further Google hosts that are still blocked and add them in the same way.