Overview
This integration allows your users to sign in to Fiddler using their existing Google account, without needing a separate Fiddler password. Users are automatically provisioned on their first successful login — no manual invitations required.Google OIDC does not support group synchronization — Google does not include group membership in its OIDC tokens. Users are provisioned individually; assign them to Fiddler teams and roles manually.
Prerequisites
Before starting, ensure you have:- Google Cloud Access: Permissions to create and configure OAuth 2.0 credentials in a Google Cloud project.
- Fiddler AuthN Administrator Access: Org Owner role in Fiddler’s AuthN management console.
- Deployment Information: The hostname of your Fiddler deployment, e.g.
idpexample.dev.fiddler.ai.
Configuring Google
Fiddler requires two redirect URIs on the Google OAuth client. You will add both when creating the client below:
https://authn-{base_url}/ui/login/login/externalidp/callbackhttps://authn-{base_url}/idps/callback
{base_url} with your Fiddler deployment host (e.g. idpexample.dev.fiddler.ai).Configure the OAuth Consent Screen
- In the Google Cloud Console, select your project and go to APIs & Services → OAuth consent screen.
- In App information, enter the App name and User support email.
- In Audience, select Internal or External depending on your organization’s setup and access requirements.
- In Contact Information, add the required email addresses.
- Agree to the Google API Services: User Data Policy, then select Create.
If you selected External, the app starts in testing mode — only accounts added under Test users can sign in until you publish the app (set it to In production). See Manage app audience for details.
Create an OAuth 2.0 Client
-
Go to APIs & Services → Credentials, then select Create Credentials → OAuth client ID.

-
Select Web application for the Application type and enter a name, e.g.
Fiddler IdP Example. -
Under Authorized redirect URIs, add both redirect URIs (replace the host with your deployment):
https://authn-idpexample.dev.fiddler.ai/ui/login/login/externalidp/callbackhttps://authn-idpexample.dev.fiddler.ai/idps/callback

- Select Create.
-
Copy the Client ID and Client Secret — you will need them when configuring Fiddler.

Configuring Fiddler
Fiddler AuthN Console Sign-in
The URL to the Fiddler AuthN management console is your Fiddler instance base URL prepended with
authn-. For example, if your Fiddler base URL is https://idpexample.dev.fiddler.ai then you will access the AuthN management console at https://authn-idpexample.dev.fiddler.ai.
Select Your Organization
Ensure your organization is selected in the dropdown. You may see the fiddler organization, but this is reserved for system use and should not be edited. Here we are using the idpexample organization.

Navigate to Identity Providers in Settings
Select Settings tab from the top menu and then select Identity Providers from the left navigation menu.

Add a New Google Provider
- Select the Google option in the Add provider section, which brings up the Google Provider form.
-
Note the callback URL shown in the form — it corresponds to the redirect URIs you registered in Google earlier, so no further changes are needed in Google.

Configure the Google Provider in Fiddler
In the Google Provider form, paste the Client ID and Client Secret copied from Google earlier.

Configure Additional Parameters
- Expand the optional section.
-
Ensure the Scopes List includes
openid,profile, andemail. - Ensure the Automatic create and Automatic update checkboxes are selected.
-
Set the Determines whether an identity will be prompted to be linked to an existing account dropdown to Check for existing Username.

Save the Configuration Changes
Select the Create button and then select the Save button. You will be returned to the Organization Settings page.

Activate the Google OIDC IdP
-
Select your IdP from the list and select the Activate button on the identity provider page.

-
Close the settings and then select Login Behavior and Security from the left nav menu and ensure the External login allowed checkbox is selected.

-
Select the Save button.

Create a Custom Action
Select the Actions tab from the top menu.

- Select the New button in the Scripts section to create a new action script.
- Copy the Google OIDC Action Script below and paste it into the script text area.
- Enter
setAttributesOnGoogleOIDCAuthin the Name text box. - Select the Add button.
Google OIDC Action ScriptConfigure the Action Trigger
Scroll down to the Flows section.

- Select the External Authentication option for the Flow Type dropdown.
- Select the + Add trigger button.
- Select the Post Authentication option for the Trigger Type dropdown.
- Select the setAttributesOnGoogleOIDCAuth option for the Actions dropdown.
- Select the Save button.
Set the Organization SSO Authentication Type
Add an organization metadata key so Fiddler can correctly identify and process this SSO connection. Set this once during setup.
-
Go to the Metadata section and select Edit.

-
Select the Add button, then enter the key
fiddler_sso_authentication_typewith the valueSSO:GOOGLE:OIDC.
- Select the Save button next to the new entry.
Validate the Integration
Before validating, make sure your Google account can sign in: for an Internal consent screen it must belong to your Google Workspace organization; for an External app still in testing it must be added as a Test user.
-
Open your Fiddler URL (e.g.
https://idpexample.dev.fiddler.ai). -
Ensure you see the Fiddler sign-in page and that it displays the Google SSO login button.

-
Select the button and confirm that the Fiddler application loads.

The first user to sign in to the Fiddler application is automatically assigned the Fiddler Org Admin role; subsequent members are Org Members by default.
Getting Help
If sign-in fails, verify the OAuth client configuration in the Google Cloud Console (redirect URIs, consent screen status, client credentials). For Fiddler-side issues, see the SSO Authentication Guide. If the issue persists, contact your Fiddler representative with the specific error message.Important Notes
- Data Storage: Fiddler stores the following profile attributes from Google: first name, last name, display name, and email address.
- No Group Synchronization: Google OIDC does not provide group membership, so group sync to Fiddler teams is not available. Assign users to teams and roles manually.
- API Access: For programmatic API access, users create an API key from the Credentials tab in Fiddler’s Settings page.
- Single Authentication Method: Users can only authenticate via either SSO or email authentication, not both.
Next Steps
After successful integration:- Train Users: Provide guidance on accessing Fiddler through Google SSO.
- Assign Roles: Manually assign users to the appropriate Fiddler teams and roles after their first login.
- Monitor Usage: Review authentication logs and user access patterns.