From ad9c8a28e534b6f7d9d704266ed9545ef1ff01c0 Mon Sep 17 00:00:00 2001
From: Brian Manifold <bmanifold@users.noreply.github.com>
Date: Thu, 30 Jan 2025 14:13:26 -0500
Subject: [PATCH] docs(portal): Update google directory sync docs (#7965)

Add docs related to Google directory sync around why there is a need for
a Google Workspace super admin when setting up directory sync.

---------

Signed-off-by: Brian Manifold <bmanifold@users.noreply.github.com>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
---
 .../identity_providers/google_workspace/components.ex    | 5 +++++
 website/src/app/kb/authenticate/google/readme.mdx        | 9 +++++++++
 2 files changed, 14 insertions(+)

diff --git a/elixir/apps/web/lib/web/live/settings/identity_providers/google_workspace/components.ex b/elixir/apps/web/lib/web/live/settings/identity_providers/google_workspace/components.ex
index 11e4e00db..3d18be888 100644
--- a/elixir/apps/web/lib/web/live/settings/identity_providers/google_workspace/components.ex
+++ b/elixir/apps/web/lib/web/live/settings/identity_providers/google_workspace/components.ex
@@ -18,6 +18,11 @@ defmodule Web.Settings.IdentityProviders.GoogleWorkspace.Components do
   def provider_form(assigns) do
     ~H"""
     <div class="max-w-2xl px-4 py-8 mx-auto lg:py-12">
+      <.flash kind={:info} style="wide" class="mb-4">
+        Please note that a Google Workspace Super Admin is <b>required</b>
+        to setup this Identity Provider. <br />For more information please see our
+        <.website_link path="/kb/authenticate/google">docs</.website_link>
+      </.flash>
       <.form for={@form} phx-change={:change} phx-submit={:submit}>
         <.step>
           <:title>Step 1. Create a new project in Google Cloud</:title>
diff --git a/website/src/app/kb/authenticate/google/readme.mdx b/website/src/app/kb/authenticate/google/readme.mdx
index 090b71f15..20d4dff44 100644
--- a/website/src/app/kb/authenticate/google/readme.mdx
+++ b/website/src/app/kb/authenticate/google/readme.mdx
@@ -30,6 +30,15 @@ minutes to ensure that your Firezone account remains up-to-date with the latest
 identity data from Google Workspace.
 [Read more](/kb/authenticate/directory-sync) about how sync works.
 
+<Alert color="warning">
+  If using directory sync with this provider, please note the setup will require
+  a Google Workspace Super Admin due to the need to manage domain wide
+  delegation. The need for domain wide delegation is due to the use of a service
+  account rather than a user account for accessing the Google Admin SDK API.
+  [Read
+  more](https://developers.google.com/cloud-search/docs/guides/delegation#delegate_domain-wide_authority_to_your_service_account)
+  on domain wide delegation and service accounts.
+</Alert>
 ## Setup
 
 Setting up the Google Workspace connector is similar to the process of setting