Setting up Google Workspace SSO for Dagster Cloud#

In this guide, you'll configure Google Workspace to use single sign-on (SSO) with your Dagster Cloud organization.

Prerequisites#

To complete the steps in this guide, you'll need:

• The following in Google:
  • An existing Google account
  • Workspace Admin permissions
• To install the dagster-cloud CLI
• The following in Dagster Cloud:
  • Access to a user token
  • Organization Admin permissions in your organization

Step 1: Add the Dagster Cloud app in Google Workspace#

1. Navigate to your Google Admin Console: https://admin.google.com

2. Using the sidebar, navigate to Apps > Web and mobile apps:

   

3. On the Web and mobile apps page, click Add App > Add custom SAML app:

   

   This opens a new page for adding app details.

Step 2: Configure SSO in Google Workspace#

1. On the App details page:

   1. Fill in the App name field.

   2. Fill in the Description field.

      The page should look similar to the following:

      

   3. Click Continue.

2. On the Google Identity Provider details page, click Continue. No action is required for this page.

3. On the Service provider details page:

   1. In the ACS URL and Entity ID fields:

      Copy and paste the following URL, replacing <organization_name> with your Dagster Cloud organization name:

      https://<organization_name>.dagster.cloud/auth/saml/consume
      

   2. Check the Signed Response box.

      The page should look similar to the image below. In this example, the organization's name is hooli and the Dagster Cloud domain is https://hooli.dagster.cloud:

      

   3. When finished, click Continue.

4. On the Attributes page:

   1. Click Add mapping to add and configure the following attributes:

      • Basic Information > First Name - FirstName
      • Basic Information > Last Name - LastName
      • Basic Information > Email - Email

      The page should look like the following image:

      

   2. Click Finish.

Step 3: Upload the SAML metadata to Dagster Cloud#

Next, you'll save and upload the application's SAML metadata to Dagster Cloud. This will enable single sign-on.

1. In your Google Workspace, open the Dagster Cloud application you added in Step 2.

2. Click Download metadata:

   

3. In the modal that displays, click Download metadata to start the download. Save the file to your computer.

4. After you've downloaded the SAML metadata file, upload it to Dagster Cloud using the dagster-cloud CLI:

   dagster-cloud organization settings saml upload-identity-provider-metadata <the_path/to/metadata> \
      --api-token=<user_token> \
      --url https://<your_organization_name>.dagster.cloud
   

Step 4: Grant access to users#

In this step, you'll assign users in your Google Workspace to the Dagster Cloud application. This allows members of the workspace to log in to Dagster Cloud using their credentials when the single sign-on flow is initiated.

1. In the Google Workspace Dagster Cloud application, click User access.

2. Select an organizational unit.

3. Click ON for everyone.

4. Click Save.

   

Step 5: Test your SSO configuration#

Lastly, you'll test your SSO configuration:

• Service provider (SP)-initiated login
• Identity provider (idP)-initiated login

Testing a service provider-initiated login#

1. Navigate to your Dagster Cloud sign in page at https://<organization_name>.dagster.cloud

2. Click the Sign in with SSO button.

3. Initiate the login flow and address issues that arise, if any.

Testing an identity provider-initiated login#

In the Google Workspace portal, click on the Dagster Cloud icon. If successful, you'll be automatically signed into your Dagster Cloud organization.