Allow Google SSO for registered accounts but while restricting registration by domain

AL_the_X · March 6, 2021, 5:01pm

From my experience and reading the documentation, there's no way to currently allow admin-registered Google accounts to login via SSO and restrict auto-registration to a specific domain. Could someone else please confirm?

We have an instance of Metabase running in Heroku and connected to our data sources. It works great!
We have Google SSO configured on our Metabase instance so that our Users can use Google authentication with 2FA.
We have restricted auto-registration to our primary domain in the Google SSO config because, y'know, security.
We have manually added Users with gmail.com addresses and other Google-registered domains, representing contractors.

When a contractor attempts to use Google SSO with their gmail.com account, they get a rather intimidating OAuth error message from Google indicating that we're restricting logins by domain. From the documentation for Single Sign On (SSO):

Enabling account creation with Google Sign-In

If you’ve added your Google client ID to your Metabase settings you can also let users sign up on their own without creating accounts for them.

To enable this, go to the Google Sign-In configuration page, and specify the email domain you want to allow. For example, if you work at WidgetCo you could enter widgetco.com in the field to let anyone with a company email sign up on their own.

Note: Metabase accounts created with Google Sign-In do not have passwords and must use Google to sign in to Metabase.

In practice, it seems this config setting restricts more than just auto-registration? Is there perhaps a misconfiguration in our Google app? Have others experienced this as well?

flamber · March 6, 2021, 8:06pm

Hi @AL_the_X
Setting the domain means that all Google logins have to validate to that domain. Otherwise it would be possible to transfer a Google account to a different domain and still keep access, which would likely not be preferred, so it’s strict by default.
You would have to create an account for the contractor on your domain - or allow regular email+password for that login.

AL_the_X · March 6, 2021, 10:36pm

The security constraints are totally understandable, and I appreciate the confirmation. It seems like there’s a conflation of configuration options, though, and maybe one missing:

Restrict auto-registrations to a specific domain, so that random Google accounts, i.e. gmail.com, cannot get access to your instance by pushing the “Login with Google” button. They have to be added to Users by an Admin first.
Restrict authentication to a specific domain so that Users must belong to that domain, even if added by an Admin, so that Admin exploits can’t be used to grant access outside of your domain.
Require authentication through Google (or LDAP) and prohibit username and password auth completely, so that a User that has been deactivated at the SSO provider cannot access the instance with password credentials at all.

AFAICT, there’s no way to configure Metabase for two of the the scenarios above, correct?

flamber · March 7, 2021, 9:35am

@AL_the_X Only the Enterprise Edition has the option to disable password logins:
https://www.metabase.com/docs/latest/enterprise-guide/authenticating-with-saml.html#disabling-password-log-in