TVL Managed Superset

Google Workspace SSO on Apache Superset 2026

Configure Google Workspace SSO on Apache Superset: OAuth, scopes, groups, mapping. Step-by-step.

Configuring Google Workspace SSO on Apache Superset is a popular option for startups and SMBs using Google. It's quick to set up, reliable, and offers MFA via the Google account. This guide details the procedure in 2026.

1. Advantages

  • Setup < 30 min;
  • Recognized and popular Google MFA;
  • Automatic deprovisioning when a user leaves Workspace;
  • Centralized Google audit log.

If you want preconfigured Google SSO, TVL Managed Superset offers a Google wizard on Pro+ instances.

2. Prerequisites

  • A Google Workspace account (formerly Gsuite);
  • A verified domain in Google;
  • Access to GCP Console settings to create an OAuth client.

3. Create an OAuth client in GCP

  1. GCP Console → APIs & Services → Credentials → Create OAuth client ID;
  2. Application type: Web application;
  3. Name: Apache Superset;
  4. Authorized redirect URI: https://superset.example.com/oauth-authorized/google;
  5. Save → note the client_id and client_secret.

4. Superset configuration

import os

from flask_appbuilder.security.manager import AUTH_OAUTH

AUTH_TYPE = AUTH_OAUTH

OAUTH_PROVIDERS = [
    {
        "name": "google",
        "icon": "fa-google",
        "token_key": "access_token",
        "remote_app": {
            # Credentials come from the environment, never from the config file
            "client_id": os.environ["GOOGLE_CLIENT_ID"],
            "client_secret": os.environ["GOOGLE_CLIENT_SECRET"],
            "api_base_url": "https://www.googleapis.com/oauth2/v2/",
            "client_kwargs": {
                "scope": "openid email profile",
            },
            # Extra query parameters for the authorization request:
            # hd only reaches Google from here, not from client_kwargs
            "authorize_params": {
                "hd": "example.com",  # restrict to your domain
            },
            "request_token_url": None,
            "access_token_url": "https://accounts.google.com/o/oauth2/token",
            "authorize_url": "https://accounts.google.com/o/oauth2/auth",
        },
    }
]

AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Gamma"

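The hd (hosted domain) parameter restricts the Google sign-in to @example.com accounts. It travels in the browser-side authorization request, where it can be modified, so Google documents it as a sign-in optimization: the hd value Google returns for the authenticated user should also be checked server-side.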
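
A server-side check to pair with the hd setting, as an added example (not from the original guide, Superset or Flask-AppBuilder): it validates the hd claim and the verified-email flag in Google's userinfo response before any account is created. The function, the exception and the sample payloads are assumptions, as is the presence of hd and verified_email in the response.

```python
# Added example, not Superset or Flask-AppBuilder code. In Superset it would be
# called from oauth_user_info() in a SupersetSecurityManager subclass that is
# registered with CUSTOM_SECURITY_MANAGER.
ALLOWED_DOMAIN = "example.com"  # same value as the hd setting


class IdentityRejected(Exception):
    """The Google identity must not receive a Superset account or session."""


def check_workspace_identity(userinfo, allowed_domain=ALLOWED_DOMAIN):
    """Validate decoded userinfo JSON; return FAB-style user fields or raise."""
    allowed = allowed_domain.strip().lower()
    hd = str(userinfo.get("hd") or "").strip().lower()
    email = str(userinfo.get("email") or "").strip().lower()
    # Assumption: the v2 endpoint names the flag "verified_email",
    # the OIDC endpoint "email_verified"; accept either, require True.
    verified = userinfo.get("verified_email", userinfo.get("email_verified"))
    subject = userinfo.get("id") or userinfo.get("sub")

    # Exact comparison: "example.com.evil.test" or "notexample.com" must fail,
    # and consumer accounts (no hd claim at all) fail here too.
    if hd != allowed:
        raise IdentityRejected(f"hd claim {hd!r} does not match {allowed!r}")
    if verified is not True:
        raise IdentityRejected("email address not verified by Google")
    if not subject or "@" not in email:
        raise IdentityRejected("response lacks a stable id or an email")
    return {
        "username": f"google_{subject}",
        "email": email,
        "first_name": userinfo.get("given_name", ""),
        "last_name": userinfo.get("family_name", ""),
    }


if __name__ == "__main__":
    # Constructed sample payloads, not captured from a real account.
    samples = [
        {"id": "1001", "email": "ana@example.com", "verified_email": True, "hd": "example.com"},
        {"id": "1002", "email": "bob@gmail.com", "verified_email": True},
        {"id": "1003", "email": "eve@example.com.evil.test", "verified_email": True,
         "hd": "example.com.evil.test"},
    ]
    for payload in samples:
        try:
            print("accepted:", check_workspace_identity(payload)["email"])
        except IdentityRejected as exc:
            print("rejected:", payload["email"], "-", exc)
```

With AUTH_USER_REGISTRATION = True, a rejection here is what keeps an account outside the domain from being auto-created with the Gamma role.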

5. Role mapping via Google Groups

There are two options for mapping Google groups to Superset roles:

Option A — Admin SDK

Retrieve the user's groups via the Google Admin SDK and map them to Superset roles:

AUTH_ROLES_MAPPING = {
    "superset-admins@example.com":  ["Admin"],
    "superset-analysts@example.com": ["Alpha"],
    "superset-users@example.com":   ["Gamma"],
}
AUTH_ROLES_SYNC_AT_LOGIN = True

This requires a service account with the admin.directory.group.readonly scope.

Option B — Custom userinfo

If Admin SDK is too complex, manually map users to roles in Superset (Settings → List Users).

This configuration is applied by default on TVL Managed Superset, which follows community best practices.

6. Test

  1. Redeploy Superset;
  2. Go to /login;
  3. Click "Sign in with Google";
  4. Google authentication;
  5. Redirect to Superset.

7. Security

  • hd parameter mandatory to restrict to domain;
  • Disable local login in prod;
  • MFA enforced on Google Workspace side;
  • Session timeout aligned with Workspace policy.

8. Common pitfalls

  • Redirect URI mismatch: the slightest difference blocks the login;
  • hd parameter ignored in "external" mode — check "internal" in GCP;
  • Unverified domain in Google Search Console: Google refuses the OAuth request;
  • Overly restrictive scopes: email is the minimum, profile is recommended.

9. Conclusion

Google Workspace SSO on Apache Superset is one of the simplest integrations to set up. For a startup or SMB on Workspace, it's typically the right choice over OIDC via Keycloak (more complex). For multi-IdP organizations, OIDC via a broker remains preferable.

Want the benefits of Apache Superset without the friction of installation and maintenance? Deploy your instance in 3 clicks with TVL Managed Superset, hosted in Europe (OVHcloud, Roubaix, France).
