SSO with Google

This guide covers setting up Google sign-in for a DAGZ team deployment. After completing it, your team signs into the DAGZ console and the zb CLI with their Google accounts.

DAGZ provides the Google OIDC configuration for your deployment. You receive a dagz-google-oidc.json file from DAGZ during onboarding and upload it during first-time setup. You do not create an OAuth client in the Google Cloud Console.

Prerequisites

  • The DAGZ console URL. This guide uses https://dagz.example.com as a placeholder; substitute your own.
  • DAGZ deployed and reachable, with no auth provider configured yet.
  • The dagz-google-oidc.json file provided by DAGZ.

1. Run setup in the DAGZ console

  1. Open https://dagz.example.com in a browser.
  2. The first-time setup screen appears. Choose Google SSO.
  3. Click Choose file and upload dagz-google-oidc.json.
  4. Click Set Up. A Google sign-in prompt appears.
  5. Sign in with the account that should be the first DAGZ admin.
  6. You are now signed in as Admin.

The configuration is stored in the DAGZ database. Subsequent visits show a Google sign-in button on the login page.

2. Add more users

Only the bootstrap admin can sign in initially. Add other users through the admin console.

Two ways to grant access:

  • Per-user permit: grant a specific user, identified by the email address of their Google account.
  • Per-domain permit: grant everyone in a Google Workspace domain (e.g. example.com) a default role. DAGZ reads the hd (hosted domain) claim from the Google ID token, which is only set for Workspace accounts.

In the DAGZ console: go to the admin section, choose Permits, and add an entry. The new user can then sign in with the same Google button.

CLI sign-in

Developers sign in once per machine:

zb login

The CLI opens a browser tab with a Google sign-in button. After signing in, the CLI receives a client certificate valid for 90 days.

Troubleshooting

"Error 400: redirect_uri_mismatch"

The redirect URI on DAGZ's OAuth client doesn't match the URL of your DAGZ deployment. This can happen if your console host changed after onboarding (for example, moved from a staging hostname to production). Contact DAGZ support with your console URL to have the OAuth client updated.

Domain permit doesn't match

DAGZ reads the hd claim from the ID token to match the domain permit. The hd claim is only present for Google Workspace accounts. Personal Gmail users won't satisfy a domain permit; grant them a per-user permit instead.
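The permit matching described in step 2 and in this troubleshooting entry, shown as an added example. This is not DAGZ's own code: the Permit model, the function name and the rule that a per-user permit is checked before a domain permit are assumptions; the input is an already verified ID token payload.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Permit:
    """One permit entry (hypothetical model of the two kinds on the page)."""
    kind: str     # "user" (match on email) or "domain" (match on the hd claim)
    subject: str  # email address for "user", Workspace domain for "domain"
    role: str


def resolve_role(claims: dict, permits: list[Permit]) -> Optional[str]:
    """Return the role a signed-in Google account receives, or None if no permit matches.

    `claims` is the decoded, already verified ID token payload. Per-user permits
    are checked first (precedence is an assumption, not stated on the page).
    """
    email = claims.get("email", "").lower()
    # Google sets `hd` only for Workspace accounts. It is absent for personal
    # Gmail and for consumer Google accounts registered under a non-Gmail address.
    hosted_domain = claims.get("hd", "").lower()

    for p in permits:
        if p.kind == "user" and email and email == p.subject.lower():
            return p.role
    for p in permits:
        # Match on hd only. No fallback to the email's domain suffix: a suffix
        # of example.com does not prove membership of the example.com Workspace.
        if p.kind == "domain" and hosted_domain and hosted_domain == p.subject.lower():
            return p.role
    return None


# Constructed sample data (not real tokens or permits).
PERMITS = [
    Permit("domain", "example.com", "developer"),
    Permit("user", "contractor@gmail.com", "viewer"),
]
WORKSPACE_USER = {"email": "alice@example.com", "hd": "example.com"}
PERSONAL_GMAIL = {"email": "contractor@gmail.com"}       # no hd claim
LOOKALIKE = {"email": "bob@example.com"}                  # consumer account, no hd claim
OTHER_WORKSPACE = {"email": "eve@other.test", "hd": "other.test"}

if __name__ == "__main__":
    for name, c in [("workspace", WORKSPACE_USER), ("personal", PERSONAL_GMAIL),
                    ("lookalike", LOOKALIKE), ("other", OTHER_WORKSPACE)]:
        print(f"{name}: {resolve_role(c, PERMITS)}")
```

The lookalike case is the one the troubleshooting entry is about: the address ends in the permitted domain, but without an hd claim the domain permit does not apply and the user needs a per-user permit.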