Single Sign-On (SSO)
Warden supports Single Sign-On via Google OAuth. Once configured, users can sign in with their Google account instead of a username and password.
Setting Up Google SSO
1. Create Google OAuth Credentials
- Go to the Google Cloud Console
- Create or select a project
- Navigate to APIs & Services → Credentials
- Click Create Credentials → OAuth client ID
- Select Web application
- Add your Warden callback URL as an authorized redirect URI:
https://your-warden-instance.com/api/auth/sso/google/callback
- Copy the Client ID and Client Secret
2. Configure Warden
- Log in as an admin
- Go to Settings → Security → SSO
- Enter your Client ID and Client Secret
- Click Test to validate
- Toggle Enable Google SSO on
- Save
The Sign in with Google button now appears on the login page.
Configuration Options
| Setting | Default | Description |
|---|---|---|
| Client ID | — | From Google Cloud Console |
| Client Secret | — | From Google Cloud Console (masked after saving) |
| Redirect URL | Auto-detected | Override only if using a custom proxy setup |
| Allowed Domains | All | Comma-separated list of email domains (e.g., company.com, partner.org) |
| Auto-Provision | On | Automatically create accounts for new Google users |
Domain Restrictions
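Restrict SSO to specific email domains. When configured, only users with matching domains can sign in. Leave empty to allow any Google account. With the defaults (Allowed Domains: All, Auto-Provision: On), any Google account that signs in gets a Viewer account, so set Allowed Domains if that is not intended.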
Matching is case-insensitive.
Auto-Provisioning
When enabled (default): Users signing in with Google for the first time are automatically created with the Viewer role. Their display name, email, and avatar are populated from Google.
When disabled: Only users with existing accounts can sign in via Google. New users see a “no account found” error. Admins must create accounts manually first.
Account Linking
| Scenario | What Happens |
|---|---|
| New Google user, no matching email | New account created (if auto-provision is on) |
| Google email matches an SSO-only account | Accounts are linked automatically |
| Google email matches a password-protected account | Blocked — prevents account takeover |
SSO-Only Users
Users created through SSO have no password — they can only sign in via Google. An admin can set a password for them if local login is also needed.
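
The rules from the Domain Restrictions, Auto-Provisioning and Account Linking sections can be read as one decision function. The sketch below is an added example, not Warden's own code: `Account`, `parse_allowed` and `decide` are hypothetical names, the account store is a plain dict keyed by lowercased email, and the Google ID token is assumed to be already validated (signature, issuer, audience). Exact whole-domain comparison is also an assumption about how "matching" works; the deny strings are the ones listed under Troubleshooting.

```python
from dataclasses import dataclass

@dataclass
class Account:                      # hypothetical stand-in for a Warden user record
    email: str
    has_password: bool
    role: str = "Viewer"

def parse_allowed(setting: str) -> set[str]:
    """Split the comma-separated Allowed Domains value; an empty set means 'All'."""
    return {d.strip().lower() for d in setting.split(",") if d.strip()}

def decide(claims: dict, accounts: dict[str, Account],
           allowed_domains: str = "", auto_provision: bool = True) -> tuple[str, str]:
    """Return (outcome, detail) for one Google sign-in attempt."""
    email = str(claims.get("email", "")).strip().lower()
    # Anything other than a boolean True counts as unverified.
    if "@" not in email or claims.get("email_verified") is not True:
        return "deny", "Email address is not verified"
    # Compare the whole domain after the last '@', never a substring or suffix,
    # so 'company.com.evil.example' and 'notcompany.com' do not pass.
    domain = email.rsplit("@", 1)[1]
    allowed = parse_allowed(allowed_domains)
    if allowed and domain not in allowed:
        return "deny", "Your email domain is not allowed"
    existing = accounts.get(email)
    if existing is None:
        if not auto_provision:
            return "deny", "No account found"
        accounts[email] = Account(email, has_password=False)  # SSO-only, Viewer role
        return "provision", "new Viewer account created"
    if existing.has_password:
        # A Google login must not silently attach to a local password account.
        return "deny", "blocked: email matches a password-protected account"
    return "link", "linked to existing SSO-only account"

if __name__ == "__main__":
    # Constructed sample data, not taken from any real deployment.
    store = {"alice@company.com": Account("alice@company.com", has_password=True),
             "bob@company.com": Account("bob@company.com", has_password=False)}
    for addr in ("Bob@Company.com", "alice@company.com",
                 "eve@company.com.evil.example", "new@partner.org"):
        print(addr, decide({"email": addr, "email_verified": True},
                           store, "company.com, partner.org"))
```
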
Troubleshooting
| Error | Solution |
|---|---|
| “Google SSO is not configured” | Check Client ID and Client Secret in Settings |
| “Your email domain is not allowed” | Add the domain to Allowed Domains or clear the field |
| “No account found” | Enable auto-provision or create the user manually |
| “Google sign-in was cancelled” | The user needs to approve the Google consent screen |
| “Email address is not verified” | The user needs to verify their email in Google account settings |