.. _oidc-google:

Google (OIDC) - CWP
===================

This guide provides configuration instructions for integrating Genian ZTNA, a network access control system, with Google's authentication functionality.

Overview
--------

Through OIDC app integration between Genian ZTNA and Google, users can be authenticated by Google without maintaining a separate Genian ZTNA user database. The Genian ZTNA CWP page redirects the user to Google using the OpenID Connect (OIDC) protocol, Google authenticates the user and returns the result to the CWP, and SSO into Genian ZTNA is achieved.

Recommended Versions
--------------------

.. csv-table::
   :header: Product Name (Component),Version,Notes
   :class: longtable
   :widths: 30 30 40

   Genian ZTNA (Policy Server),V6.0 or higher,Release version after 2025.10
   Google OAuth 2.0,OIDC 1.0,Integratable as of 2025.10

Purpose of Integration
----------------------

Genian ZTNA and Google integration provides the following benefits:

- No need to manage separate user databases for ZTNA and Google authentication.
- Users can authenticate to ZTNA using SSO with their Google accounts.
- Provides secure user authentication through the OIDC standard protocol.
- Utilizes Google Workspace users and permissions.

Supported Features
------------------

Google OIDC integration supports the following features:

- Authorization Code Flow (standard OIDC authentication flow)
- PKCE (Proof Key for Code Exchange) security enhancement
- JIT (Just-In-Time) Provisioning
- Access Token and ID Token validation
- User information retrieval through the UserInfo Endpoint
- Google Workspace Groups integration (for organizational accounts)

Integration Setup Method
------------------------

The Genian ZTNA and Google configuration covered in this guide includes only the items essential for the integration. Once the initial one-time setup is complete, it is applied automatically.
Step 1: Google Cloud Console Project Creation and Setup
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. Access https://console.cloud.google.com/ and log in with your Google account.
#. Create a new project or select an existing project.

   - Click the **Create Project** button.
   - **Project Name**: Enter "Genian ZTNA CWP"
   - **Organization or Folder**: Select the appropriate organization (optional)
   - Click the **Create** button.

#. Select the project. No library API needs to be enabled under **APIs & Services > Library** for OpenID Connect sign-in: the ``openid``, ``email`` and ``profile`` scopes are served directly by Google's OAuth 2.0 / OpenID Connect endpoints. (Older guides instruct you to enable the **Google+ API** for user profile retrieval; that API was shut down in 2019 and is neither available nor required.)

Step 2: OAuth 2.0 Client ID Creation
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. Go to **APIs & Services > Credentials**.
#. Click the **Create Credentials** button and select **OAuth client ID**.
#. If the OAuth consent screen is not set up, configure the consent screen first.

   - Select the **External** or **Internal** user type. (**Internal** is recommended when using Google Workspace, because it limits sign-in to accounts in your organization.)
   - **Application Name**: Enter "Genian ZTNA CWP"
   - **User Support Email**: Enter the administrator email
   - **Developer Contact Information**: Enter the administrator email
   - Click the **Save and Continue** button.

#. In the **Scopes** step, add the following scopes:

   - **../auth/userinfo.email**: Email address verification
   - **../auth/userinfo.profile**: Basic profile information verification
   - **openid**: OpenID Connect authentication

#. Continue creating the OAuth client ID:

   - **Application Type**: Select **Web application**
   - **Name**: Enter "Genian ZTNA CWP"
   - **Authorized JavaScript origins**: Enter the ZTNA server domain
     - e.g., https://test.genians.net
   - **Authorized redirect URIs**: Enter the ZTNA CWP's OIDC callback URL
     - e.g., https://test.genians.net/cwp2/faces/oidc/oidcCallback.xhtml
     - Google matches the redirect URI exactly (scheme, host, port and path), so the value must be identical to the URL the CWP actually sends in the Authorization Request.

#. Click the **Create** button.
#. Copy and save the generated **Client ID** and **Client secret** in a secure location. The Client secret is a credential for the Policy Server; do not place it in browser-side code or shared documents.
   - **Client ID** example: 123456789012-abcdef.apps.googleusercontent.com
   - **Client secret** example: GOCSPX-abcdef123456

Step 3: Genian ZTNA OIDC Configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. In Genian ZTNA **Web Console > Preferences > User Authentication > Authentication Integration > OIDC Authentication Integration**, copy and enter the following values from Google:

   - **Provider Name** - Enter "Google"
   - **Issuer** - https://accounts.google.com
   - **Client ID** - Google's **Client ID**.
   - **Client Secret** - Google's **Client secret**.
   - **Use Discovery** - Select "Off" (automatic endpoint discovery does not work with this integration) and enter the endpoints manually. These are the values Google publishes for its OpenID Connect service:

     .. code:: json

        {
          "issuer": "https://accounts.google.com",
          "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
          "token_endpoint": "https://oauth2.googleapis.com/token",
          "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
          "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs"
        }

   - **Scope** - Enter "openid profile email"
   - **Additional Parameters** (Optional) - Google-specific parameters can be entered in JSON format.

     .. code:: json

        {
          "access_type": "offline",
          "prompt": "consent"
        }

   .. note::

      **Additional Parameters** configures custom parameters to be included in the OIDC Authorization Request.

      **Google Recommended Parameters:**

      - ``access_type: "offline"`` - Request a Refresh Token (long-term authentication). Google only issues a Refresh Token when this is set, so it is needed only if the Access Token is to be refreshed without user interaction.
      - ``prompt: "consent"`` - Display the consent screen every time
      - ``prompt: "select_account"`` - Display the account selection screen
      - ``hd: "example.com"`` - Google Workspace (formerly G Suite) domain restriction. Note that ``hd`` in the request only pre-selects the domain on Google's sign-in page; it does not by itself prevent users from other domains from authenticating. To enforce the restriction, the ``hd`` claim of the returned ID Token must be checked against the expected domain.
      - ``include_granted_scopes: "true"`` - Include previously granted scopes (incremental authorization)

      **OIDC Standard Parameters:**

      - ``ui_locales: "ko-KR"`` - UI language setting
      - ``login_hint: "user@example.com"`` - User email hint
      - ``max_age: "3600"`` - Maximum authentication age (seconds); older sessions at Google force re-authentication

      For more details, refer to https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters.

#. To use JIT provisioning, change **JIT provisioning** to 'On' in ZTNA.

   - In the ZTNA UI's **JIT provisioning > Additional Information**, click the add button to set the user account's name and email.
   - Enter **{family_name}{given_name}** for the name.
   - Enter **email** for the email.
   - The OIDC claims used here (``given_name``, ``family_name``, ``email``) are standard claims that Google already returns for the ``profile`` and ``email`` scopes.

#. In **Login Button Text**, enter the text to display on the Google authentication button shown on the Genian ZTNA CWP authentication screen.

   - Example: "Sign in with Google", "Google Login"

#. Click the **Update** button at the bottom of the Genian ZTNA Web Console configuration screen.

.. note::

   Please ensure that the Client ID and Client secret are entered correctly. Using incorrect values will prevent authentication to the ZTNA CWP through OIDC.

Authentication Integration Testing Method
-----------------------------------------

**Testing from Genian ZTNA Web Console (SP-initiated SSO)**

#. Access the Web Console and click the **Test** button in **Preferences > User Authentication > Authentication Integration > Authentication Test**.
#. In the popup window, select **OIDC** as the authentication information store.
#. In the Provider selection screen, select the configured "Google" Provider.
#. A Google authentication page is displayed in a new popup window.
#. Select a Google account or enter a username and password to authenticate.
#. When Google displays the permission consent screen, click **Allow**.
#. If the 'Authentication successful' message is displayed, the authentication integration was successful.

**Testing from Genian ZTNA CWP Page (SP-initiated SSO)**

#. Set the authentication method of the node policy's authentication policy to **OIDC**.
#. Access the Genian ZTNA CWP page.
#. Click the **Authentication** button on the CWP page.
#. On the authentication screen, click the authentication button ("Sign in with Google") configured in Step 3 above.
#. A Google authentication page is displayed in a new popup window.
#. Select a Google account or enter a username and password to authenticate.
#. When Google displays the permission consent screen, click **Allow**.
#. Upon successful authentication, the authorization code is exchanged for a JWT ID Token and an Access Token, the tokens are validated, the user information is extracted, and you are logged into the ZTNA CWP.

.. note::

   After setting up authentication integration, you must add the Google IdP domains to the control policy permissions so that the authentication integration window is displayed even in a blocked state.

   How to add permissions:

   #. Go to **Policy > Objects > Network**.
   #. Select **Action > Create**.
   #. Enter the basic information.
   #. Under **Network Address**, select **FQDN** and enter the IdP domains:

      - accounts.google.com
      - apis.google.com
      - www.googleapis.com

   #. Click **Create**.
   #. Go to the **Permissions** menu.
   #. Create a permission using the created network object.
   #. Assign the created permission to the control policy that controls the endpoint networks.

   These FQDNs cover what the endpoint's browser must reach while blocked. In the Authorization Code Flow the token, UserInfo and JWKS endpoints from Step 3 (oauth2.googleapis.com, openidconnect.googleapis.com, www.googleapis.com) are called by the Policy Server, not by the endpoint, so the Policy Server itself must also be able to reach them.

.. _OIDC: https://openid.net/connect/
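The following is an added example, not code from Genian ZTNA or from Google. It shows the two protocol steps that the Step 3 settings and the CWP test procedure describe: building the Google Authorization Request from the configured scope and **Additional Parameters** with PKCE (S256), ``state`` and ``nonce``, and then the claim checks a relying party must perform on the returned ID Token (``iss``, ``aud``/``azp``, ``exp``/``iat``, ``nonce``, ``hd`` and ``email_verified``). The endpoint URL is the ``authorization_endpoint`` from Step 3; the client ID, redirect URI, domain and the sample ID Token are constructed for illustration. Verification of the RS256 signature against ``jwks_uri`` (select the key by ``kid``) must happen before these claim checks and is not implemented here, since it needs an RSA library; everything below is standard library only.

```python
"""Google OIDC: Authorization Request with PKCE, and ID Token claim checks.

Added example (not Genian ZTNA or Google code). The signature of the ID Token
must already have been verified against jwks_uri before validate_id_token_claims
is called; this module only implements the claim checks that follow.
"""
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import urlencode

# authorization_endpoint from Step 3 of the guide.
AUTHORIZATION_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
# Google's ID Tokens may carry the issuer in either of these two forms.
ACCEPTED_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by JWT and RFC 7636."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pkce_pair():
    """RFC 7636: 32 random bytes -> 43-char verifier; challenge = BASE64URL(SHA256(verifier))."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_request(client_id, redirect_uri, scope="openid profile email",
                                additional_parameters=None, code_challenge=None,
                                state=None, nonce=None):
    """Return (url, state, nonce). additional_parameters is the Step 3 JSON mapping.

    state binds the callback to this browser session (CSRF protection); nonce is
    echoed in the ID Token and binds the token to this request (replay protection).
    Both must be stored server-side and compared on return.
    """
    state = state or b64url(secrets.token_bytes(16))
    nonce = nonce or b64url(secrets.token_bytes(16))
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state, "nonce": nonce}
    if code_challenge:  # PKCE: the verifier is sent later, to the token endpoint
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    params.update(additional_parameters or {})  # e.g. access_type, prompt, hd, login_hint
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), state, nonce


def validate_id_token_claims(id_token, client_id, expected_nonce, hosted_domain=None,
                             now=None, leeway=60):
    """Claim checks after signature verification. Returns the payload or raises ValueError."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID Token is not a three-part JWT")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "RS256":  # Google signs with RS256; reject 'none' and HMAC algs
        raise ValueError("unexpected alg %r" % header.get("alg"))
    payload = json.loads(b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    if payload.get("iss") not in ACCEPTED_ISSUERS:
        raise ValueError("issuer mismatch")
    aud = payload.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise ValueError("audience mismatch")
    if len(aud) > 1 and payload.get("azp") != client_id:  # OIDC Core 3.1.3.7 rule 5
        raise ValueError("azp mismatch")
    if int(payload.get("exp", 0)) + leeway < now:
        raise ValueError("token expired")
    if int(payload.get("iat", 0)) - leeway > now:
        raise ValueError("token issued in the future")
    if payload.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    # hd in the request is only a UI hint; the claim is what enforces the domain.
    if hosted_domain is not None and payload.get("hd") != hosted_domain:
        raise ValueError("hosted domain mismatch")
    # JIT provisioning keys on email, so insist that Google has verified it.
    if payload.get("email_verified") is not True:
        raise ValueError("email not verified")
    return payload


def make_unsigned_sample_token(payload):
    """Constructed test input only: JWT-shaped string with a dummy (unverified) signature."""
    header = {"alg": "RS256", "kid": "constructed", "typ": "JWT"}
    return ".".join([b64url(json.dumps(header).encode()), b64url(json.dumps(payload).encode()),
                     b64url(b"\x00" * 32)])


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    url, state, nonce = build_authorization_request(
        "123456789012-abcdef.apps.googleusercontent.com",  # example Client ID from Step 2
        "https://test.genians.net/cwp2/faces/oidc/oidcCallback.xhtml",
        additional_parameters={"access_type": "offline", "prompt": "consent", "hd": "example.com"},
        code_challenge=challenge)
    print(url)
```

``validate_id_token_claims`` accepts ``now`` so the checks can be tested with fixed timestamps; in production leave it unset. The ``hd`` and ``email_verified`` checks are policy choices for a deployment that restricts sign-in to one Workspace domain and provisions accounts by email; drop ``hosted_domain`` for consumer accounts, which carry no ``hd`` claim.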