Google Chrome connector

authentik: 2026.5.0+Enterprise

With this connector, authentik can validate users' Chrome browsers and ensure that users' devices are compliant and up-to-date.

Support for the Chrome Enterprise Device Trust connector allows organizations to integrate Chrome browsers and ChromeOS devices with authentik as the Identity Provider (IdP), to strengthen their overall security posture.

Device Trust is particularly important in environments with many different device types that are used by a large, remote workforce that might have a BYOD (Bring Your Own Device) policy, or have large teams of contractors, temporary workers, or volunteers.

With Device Trust you can enable "context-aware" access policies; for example, a policy might require that a device have all security patches installed.

Info: This connector only works with Google Chrome, as it relies on the Chrome Verified Access API.

Configuration

The main steps to set up your Google Workspace are described in the sections below.

For detailed instructions, refer to Google documentation.

Create a Google Cloud project

  1. Log in to the Google Cloud Console as an administrator.
  2. In the upper left, click the drop-down box to open the Select a project box, and then select New Project.
  3. Create a new project and give it a name like "authentik Chrome Device Trust".
  4. Use the search bar at the top of your new project page to search for "API Library".
  5. On the API Library page, use the search bar again to find "Chrome Verified Access API".
  6. On the Chrome Verified Access API page, click Enable.

Create a service account

  1. After the new Chrome Verified Access API is enabled (it might take a few minutes), return to the Google Cloud console home page (click on Google Cloud in the upper left).
  2. Use the search bar to find and navigate to the IAM page.
  3. On the IAM page, click Service Accounts in the left navigation pane.
  4. At the top of the Service Accounts page, click Create Service Account.
     • On the Service account details page, define the Name and Description for the new service account, and then click Create and Continue.
     • Under Grant this service account access to project, you do not need to define a role, so click Continue.
     • Under Grant users access to project, you do not need to define a role, so click Done to complete the creation of the service account.

Set credentials for the service account

  1. On the Service accounts page, click the account that you just created.
  2. Click the Keys tab at the top of the page, then click Add Key > Create new key.
  3. In the Create box, select JSON as the key type, and then click Create. A pop-up displays with the private key, and the key is saved to your computer as a JSON file. Later, when you create the connector in authentik, you will add this key in the Credentials field.
  4. On the service account page, click the Details tab, and expand the Advanced settings area.
  5. Log in to the Google Admin console, and then navigate to Chrome browser > Connectors.
  6. Click on New Provider Configuration.
  7. Under Universal Device Trust, click Set up.
  8. Provide a name and set the URL to https://authentik.company/endpoint/gdtc/chrome/.
  9. Under Service accounts, enter the full name of the service account created above, for example authentik-gdtc@authentik-enterprise-dev.iam.gserviceaccount.com.

Create the connector

  1. Log in to authentik as an administrator and open the authentik Admin interface.

  2. Navigate to Endpoint Devices > Connectors and click Create.

  3. Select Google Device Trust Connector as the connector type, click Next, and configure the following settings:

    • Name: define a descriptive name, such as "chrome-device-trust".
    • Google Verified Access API
      • Credentials: paste the contents of the JSON file (the key) that you downloaded earlier.
  4. Click Finish.

After you create the connector, you can use it in the Endpoint Stage. Refer to Device compliance policy for more information on using device facts from the connector in a flow.
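
Before pasting the key into the Credentials field, it helps to confirm that the downloaded JSON file, the service account entered in the Google Admin console, and the connector URL all agree. The following pre-flight check is an added example, not part of authentik or Google tooling; the function name `check_key` and the sample values are hypothetical, and it assumes the standard Google service account key fields and the URL format shown in the steps above.

```python
import json
from urllib.parse import urlparse

# Fields of a Google service account JSON key that this check relies on.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")
ENDPOINT_PATH = "/endpoint/gdtc/chrome/"  # path of the URL shown in this guide


def check_key(key_json: str, admin_console_account: str, connector_url: str) -> list[str]:
    """Return a list of problems; an empty list means the inputs are consistent."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"key is not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["key JSON is not an object"]

    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account' (wrong kind of credential)")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    email = str(key.get("client_email", ""))
    if not email.endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    if email.lower() != admin_console_account.strip().lower():
        problems.append("client_email differs from the account entered under Service accounts")

    url = urlparse(connector_url)
    if url.scheme != "https":
        problems.append("connector URL should use https, as in this guide")
    if url.path != ENDPOINT_PATH:
        problems.append(f"connector URL path should be {ENDPOINT_PATH}")
    return problems


# Constructed sample key: placeholder values, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000placeholder",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "authentik-gdtc@example-project.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    for p in check_key(SAMPLE_KEY, "authentik-gdtc@example-project.iam.gserviceaccount.com",
                       "https://authentik.company/endpoint/gdtc/chrome/"):
        print("PROBLEM:", p)
```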