From my experience and reading the documentation, there's no way to currently allow admin-registered Google accounts to login via SSO and restrict auto-registration to a specific domain. Could someone else please confirm?
- We have an instance of Metabase running in Heroku and connected to our data sources. It works great!
- We have Google SSO configured on our Metabase instance so that our Users can use Google authentication with 2FA.
- We have restricted auto-registration to our primary domain in the Google SSO config because, y'know, security.
- We have manually added Users with
gmail.com
addresses and other Google-registered domains, representing contractors.
When a contractor attempts to use Google SSO with their gmail.com
account, they get a rather intimidating OAuth error message from Google indicating that we're restricting logins by domain. From the documentation for Single Sign On (SSO):
Enabling account creation with Google Sign-In
If you’ve added your Google client ID to your Metabase settings you can also let users sign up on their own without creating accounts for them.
To enable this, go to the Google Sign-In configuration page, and specify the email domain you want to allow. For example, if you work at WidgetCo you could enter
widgetco.com
in the field to let anyone with a company email sign up on their own.Note: Metabase accounts created with Google Sign-In do not have passwords and must use Google to sign in to Metabase.
In practice, it seems this config setting restricts more than just auto-registration? Is there perhaps a misconfiguration in our Google app? Have others experienced this as well?