docs: document unified Google + BigQuery SSO consent option

self-host/customize-deployment/environment-variables.mdx

@@ -383,8 +383,9 @@ These variables enable you to configure Google Cloud Platform integration.
 | :------------------------ | :------------------------------------------------------------------- |
 | `GOOGLE_CLOUD_PROJECT_ID` | Google Cloud Platform project ID                                     |
 | `GOOGLE_DRIVE_API_KEY`    | Google Drive API key                                                 |
-| `AUTH_GOOGLE_ENABLED`     | Enables Google authentication (default=false)                        |
-| `AUTH_ENABLE_GCLOUD_ADC`  | Enables Google Cloud Application Default Credentials (default=false) |
+| `AUTH_GOOGLE_ENABLED`                | Enables Google authentication (default=false)                                                                                                                  |
+| `AUTH_ENABLE_GCLOUD_ADC`             | Enables Google Cloud Application Default Credentials (default=false)                                                                                           |
+| `AUTH_GOOGLE_INCLUDE_BIGQUERY_SCOPE` | When `true`, bundles the BigQuery scope into the Google login flow so BigQuery SSO users complete a single consent screen instead of two (default=false)      |
 
 ## Embedding
 

self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash.mdx

@@ -141,9 +141,22 @@ These environment variables must be provided to Lightdash to enable you to contr
 
 | Variable                           | Description                                 | Required? | Default |
 | :---------------------------------- | :------------------------------------------- | :---------: | :-------: |
-| `AUTH_GOOGLE_ENABLED`              | Required to be set to `true` for Google SSO | <Icon icon="square-check" iconType="solid"/>         |         |
-| `AUTH_GOOGLE_OAUTH2_CLIENT_ID`     | Required see instructions above             | <Icon icon="square-check" iconType="solid"/>         |         |
-| `AUTH_GOOGLE_OAUTH2_CLIENT_SECRET` | Required see instructions above             | <Icon icon="square-check" iconType="solid"/>         |         |
+| `AUTH_GOOGLE_ENABLED`                  | Required to be set to `true` for Google SSO                                                                                            | <Icon icon="square-check" iconType="solid"/>         |         |
+| `AUTH_GOOGLE_OAUTH2_CLIENT_ID`         | Required see instructions above                                                                                                        | <Icon icon="square-check" iconType="solid"/>         |         |
+| `AUTH_GOOGLE_OAUTH2_CLIENT_SECRET`     | Required see instructions above                                                                                                        | <Icon icon="square-check" iconType="solid"/>         |         |
+| `AUTH_GOOGLE_INCLUDE_BIGQUERY_SCOPE`   | When `true`, bundles the BigQuery scope into the Google login flow so BigQuery SSO users see a single consent screen instead of two    |                                                      | `false` |
+
+### Combine BigQuery SSO consent with Google login
+
+If you use [BigQuery SSO](/references/workspace/sso-providers#warehouse-sso-enterprise-only) to give users per-user warehouse credentials, set `AUTH_GOOGLE_INCLUDE_BIGQUERY_SCOPE=true` to request the BigQuery scope during the initial Google login. Users will complete one consent screen that covers both Lightdash login and BigQuery warehouse access instead of two separate OAuth flows.
+
+When enabled, Lightdash also requests offline access with a forced consent prompt so Google returns a refresh token for the BigQuery connection. Leave this unset (or `false`) if you do not use BigQuery SSO.
+
+Before enabling this option:
+
+- Confirm Google SSO is configured and working (`AUTH_GOOGLE_ENABLED=true`).
+- Add the `https://www.googleapis.com/auth/bigquery` scope to your OAuth consent screen in Google Cloud.
+- Enable BigQuery SSO at the project level for the warehouse connections that should use it.
 
 ## One Login