By default all apps deployed from a Teams or Enterprise workspace are private, which means that others in your company won't be able to view them unless you give them explicit permission. This doc will walk you through how to grant access to a certain set of users using Google OAuth for single sign-on.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/a3698d31-a7b9-4af1-a8cc-a5697d1b12f4/Viewer_auth_(1).png

What is viewer auth?

Viewer auth allows you to restrict the viewers of your app using single sign-on (SSO), which means listing out the specified Gmail, G-Suite, and SSO-enabled email addresses and specified domains that your company uses.

<aside> ☑️ For example, your company email may be [email protected] but it's administered by Google (which means you go to mail.google.com or you use things like Drive and Google Sheets).

</aside>

Google OAuth is enabled by default, so if your company uses Google, you're good to go. If you've configured SSO for your organization via ADFS, Azure, Okta, or generic SAML, you will also be able to add email addresses and domains which are administered by those services. Read here for how to enable SSO for your org:

Integrating Single Sign-On with Streamlit for Teams

Once you have added someone's email address to your app's viewer list, that person will be able to sign in via Google Single Sign-On or your organization-specific Single Sign-On and view your app. If they are already logged in with that account in their browser (the usual case for most people) then they will automatically be able to view the app. If they are not logged in, or they have not been giving access, then they will see a page asking them to log in.

Granting access to your entire company

If you add an entire email domain, anyone with an email address which uses that domain will be able to view your app after authenticating themselves. For example, if "streamlit.io" is added to the list of allowed email domains, anyone with an email address that ends in "@streamlit.io" will be allowed to view the app.

Adding viewers for your app

<aside> 🚨 Before configuring viewer auth, you will need to create a private GitHub repository for your app. After pushing your app code to the repository, follow our guide to deploying apps in Streamlit for Teams.

</aside>

1. Login to your Streamlit dashboard.

Sign in and go to the main dashboard page. If you're having trouble with your dashboard see Linking Your GitHub and Google Accounts to Streamlit

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/9da6d18f-dde2-433a-9d8f-ec68fe2419b8/Screen_Shot_2021-05-21_at_7.56_1.png

2. Open settings for your app

Click the hamburger icon corresponding to the private app you've already deployed and select "Settings."

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/605003dc-994d-4e14-8042-d0657d65bcf4/Screen_Shot_2021-05-18_at_7.11_1.png

3. Add Viewers in Settings

Click on the "Viewers" section in the App Settings and in the text input area, provide a line-separated list of email addresses for the users you wish to grant viewer access to your app, or provide a line-separated list of allowed email address domains. Click "Save."

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/a303a705-b8c6-4491-af3f-fece87b3b577/ViewerAuth_1.png