config: error if groups are used without service account

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

docs/docs/identity-providers/azure.md

@@ -121,6 +121,7 @@ IDP_PROVIDER="azure"
 IDP_PROVIDER_URL="https://login.microsoftonline.com/{REPLACE-ME-SEE-ABOVE}/v2.0"
 IDP_CLIENT_ID="REPLACE-ME"
 IDP_CLIENT_SECRET="REPLACE-ME"
+IDP_SERVICE_ACCOUNT="REPLACE-ME-SEE-ABOVE"
 ```
 
 [client id]: ../../configuration/readme.md#identity-provider-client-id

docs/docs/identity-providers/google.md

@@ -86,7 +86,7 @@ IDP_PROVIDER="google"
 IDP_PROVIDER_URL="https://accounts.google.com"
 IDP_CLIENT_ID="yyyy.apps.googleusercontent.com"
 IDP_CLIENT_SECRET="xxxxxx"
-IDP_SERVICE_ACCOUNT="zzzz" # output of `cat service-account-key.json | base64`
+IDP_SERVICE_ACCOUNT="zzzz" # output of `base64 -i service-account-key.json`
 ```
 
 [client id]: ../../configuration/readme.md#identity-provider-client-id

docs/docs/identity-providers/readme.md

@@ -17,6 +17,7 @@ In this guide we'll cover how to do the following for each identity provider:
 1. Set a **[Redirect URL](https://www.oauth.com/oauth2-servers/redirect-uris/)** pointing back to Pomerium. For example, `https://${authenticate_service_url}/oauth2/callback`.
 2. Generate a **[Client ID]** and **[Client Secret]**.
 3. Configure Pomerium to use the **[Client ID]** and **[Client Secret]** keys.
+4. Configure Pomerium to synchronize directory data from your identity provider (e.g. groups membership), by setting a service account. 
 
 [client id]: ../../configuration/readme.md#identity-provider-client-id
 [client secret]: ../../configuration/readme.md#identity-provider-client-secret