SSO with Google
This guide covers setting up Google sign-in for a DAGZ team deployment.
After completing it, your team signs into the DAGZ console and the zb CLI with their Google accounts.
Prerequisites
- A Google Cloud project for the customer organization.
- IAM rights to create OAuth credentials in that project.
- The DAGZ console URL. This guide uses https://dagz.example.com as a placeholder; substitute your own.
- DAGZ deployed and reachable, with no auth provider configured yet.
1. Configure the OAuth consent screen
Open APIs & Services > OAuth consent screen in the Google Cloud Console.
Pick the user type:
- Internal: only users in your Google Workspace can sign in. Recommended for company deployments.
- External: any Google account. Use only for testing or open communities.
Fill in the app name, user support email, and developer contact.
Add the scopes openid, email, profile under Scopes.
Save and continue.
2. Create the OAuth client
Go to APIs & Services > Credentials and click Create Credentials > OAuth client ID.
Configure:
- Application type: Web application.
- Name: DAGZ (or any internal label).
- Authorized JavaScript origins: add https://dagz.example.com.
- Authorized redirect URIs: add https://dagz.example.com.
Click Create. A dialog shows the new client ID and secret.
3. Download the credentials file
From the OAuth client's row in the credentials list, click the download icon and choose Download JSON.
Save the file as dagz-google-oidc.json.
The file looks like this (values truncated):
{
  "web": {
    "client_id": "...apps.googleusercontent.com",
    "project_id": "...",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_secret": "...",
    "javascript_origins": ["https://dagz.example.com"]
  }
}
DAGZ uses the file as-is. You don't need to edit it.
4. Run setup in the DAGZ console
- Open https://dagz.example.com in a browser.
- The first-time setup screen appears. Choose Google SSO.
- Click Choose file and upload dagz-google-oidc.json.
- Click Set Up. A Google sign-in prompt appears.
- Sign in with the account that should be the first DAGZ admin.
- You are now signed in as Admin.
The configuration is stored in the DAGZ database. Subsequent visits show a Google sign-in button on the login page.
5. Add more users
Only the bootstrap admin can sign in initially. Add other users through the admin console.
Two ways to grant access:
- Per-user permit: grant a specific user (by email, e.g. [email protected]).
- Per-domain permit: grant everyone in a Google Workspace domain (e.g. example.com) a default role. DAGZ reads the hd (hosted domain) claim from the Google ID token, which is only set for Workspace accounts.
In the DAGZ console: go to the admin section, choose Permits, and add an entry. The new user can then sign in with the same Google button.
CLI sign-in
Developers sign in once per machine:
zb login
The CLI opens a browser tab with a Google sign-in button. After signing in, the CLI receives a client certificate valid for 90 days.
Troubleshooting
"Error 400: redirect_uri_mismatch"
The redirect URI in the OAuth client doesn't match what DAGZ is sending.
Add https://dagz.example.com (no trailing slash, no path) to Authorized redirect URIs and Authorized JavaScript origins.
"Access blocked: This app's request is invalid"
The OAuth consent screen is incomplete or in testing mode with the user not on the test users list. Either publish the app, switch the user type to Internal, or add the user under Test users.
Domain permit doesn't match
DAGZ reads the hd claim from the ID token to match the domain permit.
The hd claim is only present for Google Workspace accounts.
Personal Gmail users won't satisfy a domain permit; grant them a per-user permit instead.
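The permit-matching behaviour described in step 5 and in this troubleshooting entry, as an added example (not DAGZ's own code): per-domain permits match only the hd claim, never the e-mail suffix, so a personal Gmail account or a non-Workspace Google account gets no role from a domain permit. Claim dictionaries, permits and the Permit type are constructed here for illustration, and the token is assumed to have had its signature, issuer and audience verified before its claims reach this function.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Permit:
    kind: str     # "user" or "domain" (constructed type, not DAGZ's own)
    subject: str  # e-mail address for "user", Workspace domain for "domain"
    role: str


def resolve_role(claims: dict, permits: list[Permit]) -> Optional[str]:
    """Return the role granted by the matching permit, or None.

    Assumes `claims` comes from an ID token already verified upstream.
    Per-user permits are checked first (most specific). Per-domain permits
    match only the `hd` (hosted domain) claim: personal Gmail accounts and
    Google accounts created on a non-Workspace address carry no `hd`, so
    they never satisfy a domain permit even if the address ends in it.
    """
    if not claims.get("email_verified", False):
        return None  # unverified address: grant nothing
    email = claims.get("email", "").lower()
    hd = claims.get("hd")

    for p in permits:
        if p.kind == "user" and p.subject.lower() == email:
            return p.role
    if hd is not None:
        for p in permits:
            if p.kind == "domain" and p.subject.lower() == hd.lower():
                return p.role
    return None


# Constructed sample permits and token claims (placeholder accounts).
PERMITS = [
    Permit("user", "alice@example.com", "admin"),
    Permit("domain", "example.com", "developer"),
]
WORKSPACE_USER = {"email": "bob@example.com", "email_verified": True, "hd": "example.com"}
GMAIL_USER = {"email": "carol@gmail.com", "email_verified": True}        # no hd claim
LOOKALIKE_USER = {"email": "dave@example.com", "email_verified": True}   # no hd: not a Workspace account
UNVERIFIED = {"email": "alice@example.com", "email_verified": False, "hd": "example.com"}

if __name__ == "__main__":
    for label, c in [("workspace", WORKSPACE_USER), ("gmail", GMAIL_USER),
                     ("lookalike", LOOKALIKE_USER), ("unverified", UNVERIFIED)]:
        print(label, resolve_role(c, PERMITS))
```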