Google (OIDC) - CWP

This guide provides configuration instructions for integrating Genian ZTNA, a network access control system, with Google's authentication functionality.

Overview

Through OIDC APP integration between Genian ZTNA and Google solutions, user authentication can be performed via Google without the need to manage a separate Genian ZTNA user database.

For user authentication, the Genian ZTNA CWP page hands the user off to Google using the OIDC (OpenID Connect) protocol; Google verifies the user's authentication status and returns the result, which achieves SSO.

Purpose of Integration

Genian ZTNA and Google integration provides the following benefits:

  • No need to manage separate user databases for ZTNA and Google authentication.
  • Users can authenticate to ZTNA using SSO with their Google accounts.
  • Provides secure user authentication through the OIDC standard protocol.
  • Utilizes Google Workspace users and permissions.

Supported Features

Google OIDC integration supports the following features:

  • Authorization Code Flow (standard OIDC authentication flow)
  • PKCE (Proof Key for Code Exchange) security enhancement
  • JIT (Just-In-Time) Provisioning
  • Access Token and ID Token validation
  • User information retrieval through UserInfo Endpoint
  • Google Workspace Groups integration (for organizational accounts)

Integration Setup Method

The Genian ZTNA and Google configuration method covered in this guide provides only the essential items for integration. It is automatically applied after the initial one-time setup.

Step 1: Google Cloud Console Project Creation and Setup

  1. Access https://console.cloud.google.com/ and log in with your Google account.

  2. Create a new project or select an existing project.

    • Click the Create Project button.
    • Project Name: Enter "Genian ZTNA CWP"
    • Organization or Folder: Select the appropriate organization (optional)
    • Click the Create button.
  3. After selecting the project, go to APIs & Services > Library.

  4. Search for and enable Google+ API (for user profile information retrieval).

    • Click Google+ API from the search results.
    • Click the Enable button.

Step 2: OAuth 2.0 Client ID Creation

  1. Go to APIs & Services > Credentials.

  2. Click Create Credentials button and select OAuth client ID.

  3. If the OAuth consent screen is not set up, you need to configure the consent screen first.

    • Select External or Internal user type. (Internal recommended when using Google Workspace)
    • Application Name: Enter "Genian ZTNA CWP"
    • User Support Email: Enter administrator email
    • Developer Contact Information: Enter administrator email
    • Click Save and Continue button.
  4. In the Scopes step, add the following scopes:

    • ../auth/userinfo.email: Email address verification
    • ../auth/userinfo.profile: Basic profile information verification
    • openid: OpenID Connect authentication
  5. Continue creating the OAuth client ID:

  6. Click the Create button.

  7. Copy and save the generated Client ID and Client secret in a secure location.

    • Client ID example: 123456789012-abcdef.apps.googleusercontent.com
    • Client secret example: GOCSPX-abcdef123456

Step 3: Genian ZTNA OIDC Configuration

  1. In Genian ZTNA Web Console > Preferences > User Authentication > Authentication Integration > OIDC Authentication Integration, copy and enter the following values from Google:

    • Provider Name - Enter "Google"
    • Issuer - https://accounts.google.com
    • Client ID - Google's Client ID.
    • Client Secret - Google's Client secret.
    • Use Discovery - Select "Off" (automatic endpoint discovery does not work); the endpoints are configured with the following values:
    {
        "issuer": "https://accounts.google.com",
        "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
        "token_endpoint": "https://oauth2.googleapis.com/token",
        "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
        "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs"
    }
    
    • Scope - Enter "openid profile email"

    • Additional Parameters (Optional) - You can enter Google-specific parameters in JSON format.

      {
          "access_type": "offline",
          "prompt": "consent"
      }
      

      Note

      Additional Parameters configures custom parameters to be included in the OIDC Authorization Request.

      Google Recommended Parameters:

      • access_type: "offline" - Request Refresh Token (long-term authentication)
      • prompt: "consent" - Display consent screen every time
      • prompt: "select_account" - Display account selection screen
      • hd: "example.com" - G Suite domain restriction
      • include_granted_scopes: "true" - Include previous permissions

      OIDC Standard Parameters:

      • ui_locales: "ko-KR" - UI language setting
      • login_hint: "user@example.com" - User email hint
      • max_age: "3600" - Maximum authentication validity time (seconds)

      For more details, refer to https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters.

  2. To use JIT provisioning functionality, change JIT provisioning to 'On' in ZTNA.

    • In ZTNA UI's JIT provisioning > Additional Information, click the add button to set the user account's name and email.

      • Enter {family_name}{given_name} for the name.

      • Enter email for the email.

        • The OIDC claims used here (given_name, family_name, email) are standard claims that Google already defines.
  3. Enter the text to display on the Google authentication button in Login Button Text that will be shown on the Genian ZTNA CWP authentication screen.

    • Example: "Sign in with Google", "Google Login"
  4. Click the Update button at the bottom of the Genian ZTNA Web Console configuration screen.

Note

Please ensure that the Client ID and Client secret are entered correctly. Using incorrect values will prevent authentication to ZTNA CWP through OIDC.
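The Authorization Request that the settings above produce, as an added Python example that is not Genian ZTNA's code: it builds the PKCE pair and the authorization URL from the manually entered endpoints, the "openid profile email" scope and the Additional Parameters JSON, and refuses Additional Parameters that would override a core parameter. The Client ID is the example value from Step 2; the redirect URI, state and nonce values are assumptions.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Endpoints entered manually because "Use Discovery" is Off (values from this guide).
GOOGLE_ENDPOINTS = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
}
# The "Additional Parameters" JSON exactly as entered in the guide.
ADDITIONAL_PARAMETERS = json.loads('{"access_type": "offline", "prompt": "consent"}')

def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the RFC 7636 S256 method."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge

def build_authorization_url(client_id, redirect_uri, state, nonce, code_challenge,
                            scope="openid profile email", extra=None):
    """Build the OIDC Authorization Request URL; extra carries the Additional Parameters."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",            # Authorization Code Flow
        "scope": scope,
        "state": state,                     # bound to the browser session (CSRF check)
        "nonce": nonce,                     # must come back inside the ID Token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",    # PKCE
    }
    # Additional Parameters add Google-specific options but may not replace core ones.
    for key, value in (extra or {}).items():
        if key in params:
            raise ValueError(f"additional parameter {key!r} would override a core parameter")
        params[key] = value
    return GOOGLE_ENDPOINTS["authorization_endpoint"] + "?" + urlencode(params)

if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()   # keep verifier for the token request
    print(build_authorization_url("123456789012-abcdef.apps.googleusercontent.com",
                                  "https://cwp.example.com/oidc/callback",  # assumed
                                  "state-1", "nonce-1", challenge, extra=ADDITIONAL_PARAMETERS))
```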

Authentication Integration Testing Method

Testing from Genian ZTNA Web Console (SP-initiated SSO)

  1. Access the Web Console and click the Test button in Preferences > User Authentication > Authentication Integration > Authentication Test.
  2. In the popup window, select OIDC as the authentication information store.
  3. In the Provider selection screen, select the configured "Google" Provider.
  4. A Google authentication page will be displayed in a new popup window.
  5. Select a Google account or enter username and password to authenticate.
  6. When Google displays the permission consent screen, click Allow.
  7. If the 'Authentication successful' message is displayed, the authentication integration was successful.

Testing from Genian ZTNA CWP Page (SP-initiated SSO)

  1. Set the authentication method of the node policy's authentication policy to OIDC.
  2. Access the Genian ZTNA CWP page.
  3. Click the Authentication button on the CWP page.
  4. On the authentication screen, click the authentication button ("Sign in with Google") configured in Step 3 above.
  5. A Google authentication page will be displayed in a new popup window.
  6. Select a Google account or enter username and password to authenticate.
  7. When Google displays the permission consent screen, click Allow.
  8. Upon successful authentication, the JWT ID Token and Access Token are received, the user information is extracted from them, and you are logged into the ZTNA CWP.
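The claim checks applied to the ID Token in step 8, as an added Python example that is not Genian ZTNA's code: it covers issuer, audience, expiry, nonce, the hd claim (relevant when the hd Additional Parameter is used, since the request parameter alone does not prove domain membership) and email_verified, then maps the claims to the {family_name}{given_name} and email JIT fields from Step 3. The sample claims and token are constructed, and signature verification against jwks_uri is assumed to happen before these checks.

```python
import base64
import json

CLIENT_ID = "123456789012-abcdef.apps.googleusercontent.com"  # example Client ID from the guide
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")  # Google uses both forms

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt_payload(id_token):
    """Decode the JWT payload segment (base64url without padding); no verification here."""
    segment = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def sample_id_token(claims):
    """Constructed token for offline testing; the signature segment is a placeholder."""
    return b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()) + "." + \
        b64url(json.dumps(claims).encode()) + ".placeholder-signature"

def id_token_problems(claims, client_id, expected_nonce, now, hosted_domain=None):
    """List what is wrong with the claims (empty = acceptable); run after signature verification."""
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("unexpected issuer")
    if claims.get("aud") != client_id:
        problems.append("audience is not this Client ID")
    if int(claims.get("exp", 0)) <= now:
        problems.append("token expired")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    # The hd request parameter only filters Google's account picker; the hd claim in
    # the token is what shows the account really belongs to the Workspace domain.
    if hosted_domain is not None and claims.get("hd") != hosted_domain:
        problems.append("account is not in the expected hosted domain")
    if not claims.get("email_verified", False):
        problems.append("email not verified by Google")
    return problems

def jit_attributes(claims, name_template="{family_name}{given_name}"):
    """Map claims to the JIT provisioning fields configured in Step 3 (name and email)."""
    try:
        return {"name": name_template.format(**claims), "email": claims["email"]}
    except KeyError as missing:
        raise ValueError(f"claim {missing} required for JIT provisioning is absent")

# Constructed sample claims, not a real Google token.
SAMPLE_CLAIMS = {"iss": "https://accounts.google.com", "aud": CLIENT_ID, "sub": "1234567890",
                 "email": "gildong.hong@example.com", "email_verified": True, "hd": "example.com",
                 "given_name": "Gil-dong", "family_name": "Hong", "nonce": "nc1",
                 "iat": 1700000000, "exp": 1700003600}
```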

Note

After setting up authentication integration, you must add the Google IdP domain to the Enforcement Policy permissions so that the authentication integration window is displayed even in a blocked state.

How to add permissions

  1. Go to Policy > Objects > Network.
  2. Select Tasks > Create.
  3. Fill in the General section.
  4. Network Address > Select FQDN > Enter the IdP domains:
    • accounts.google.com
    • apis.google.com
    • www.googleapis.com
  5. Click Create.
  6. Go to the Permissions menu.
  7. Create a permission using the created network object.
  8. Assign the created permission to the Enforcement Policy that controls endpoint networks.