Integrate your identity provider using OIDC
Firezone supports Single Sign-On (SSO) via OpenID Connect (OIDC).
Supported identity providers
In general, most identity providers that offer OIDC support work with Firezone. Some providers that implement OIDC only partially, or that use uncommon configurations, may have issues, however. If your identity provider falls into this category, contact us about a custom integration.
The following OIDC providers are known to work well with Firezone:
|Provider|Status|Notes|
|---|---|---|
|Azure Active Directory|Fully tested and supported|Ensure the|
|Okta|Fully tested and supported||
|Onelogin|Fully tested and supported||
|Keycloak|Fully tested and supported||
|Auth0|Fully tested and supported|Auth0 does not provide an|
|Google Workspace|Fully tested and supported|Google does not provide an|
|Zitadel|Untested but known to work||
|Authentik|Untested but known to work||
General setup guide
If you're using an OIDC provider not listed above, the following attributes are required to set up an OIDC provider in Firezone:
discovery_document_uri: The OpenID Connect provider configuration URI which returns a JSON document used to construct subsequent requests to this OIDC provider. Some providers refer to this as the "well-known URL".
client_id: The client ID of the application.
client_secret: The client secret of the application.
redirect_uri: Instructs the OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider_key>/callback/ (e.g.
response_type: Set to
scope: OIDC scopes to obtain from your OIDC provider. At a minimum, Firezone requires the
label: The button label text displayed on the Firezone portal login page.
Firezone supports Proof Key for Code Exchange (PKCE) for increased login security. We recommend you enable PKCE in your IdP's settings whenever available. Read more about PKCE here.
OIDC logout URI
The OpenID Connect standard defines a mechanism for a Relying Party (RP) to request that an OpenID Provider log out the End-User.
Unfortunately, not all IdPs support this (e.g. Google, Auth0). For the providers that do support this mechanism, Firezone automatically detects the found in the provider's discovery document and uses that to log out the End-User.
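As an added example (not Firezone's own code), the following Python script shows what an operator can check before wiring a new provider into Firezone: it parses a discovery document of the kind returned by discovery_document_uri, confirms the endpoints an authorization-code flow needs are present and served over HTTPS, derives the redirect_uri from EXTERNAL_URL and the provider key, generates a PKCE verifier/challenge pair (S256, as the PKCE section recommends enabling), builds the authorization request with response_type set to code, and reports whether the provider advertises an end-session endpoint for RP-initiated logout (the mechanism the logout section describes). The discovery document, hostname and client ID are constructed placeholders, not a real IdP; the check that scope includes openid reflects the OIDC Core requirement, not Firezone's full scope list.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode, urlparse

# Constructed sample discovery document, i.e. what fetching the
# discovery_document_uri ("well-known URL") would return. Placeholder host.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "end_session_endpoint": "https://idp.example.com/oauth2/logout",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "email", "profile"],
    "code_challenge_methods_supported": ["S256"],
})

# Fields every authorization-code relying party needs from the discovery document.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def parse_discovery(doc_json):
    """Parse a discovery document and reject ones missing required fields
    or serving endpoints over plain HTTP."""
    doc = json.loads(doc_json)
    missing = [k for k in REQUIRED_FIELDS if k not in doc]
    if missing:
        raise ValueError(f"discovery document missing fields: {missing}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{key} must use https")
    if "code" not in doc.get("response_types_supported", ["code"]):
        raise ValueError("provider does not support response_type=code")
    return doc


def redirect_uri(external_url, provider_key):
    """EXTERNAL_URL + /auth/oidc/<provider_key>/callback/ as the page specifies."""
    return f"{external_url.rstrip('/')}/auth/oidc/{provider_key}/callback/"


def supports_rp_initiated_logout(doc):
    """True when the provider advertises an end-session endpoint."""
    return "end_session_endpoint" in doc


def supports_pkce_s256(doc):
    return "S256" in doc.get("code_challenge_methods_supported", [])


def pkce_challenge(verifier):
    """S256 challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Random high-entropy verifier plus its S256 challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorization_url(doc, client_id, redirect, scope, state, code_challenge):
    """Authorization request: response_type=code, PKCE challenge, anti-CSRF state."""
    if "openid" not in scope.split():
        raise ValueError("scope must include openid for an OIDC request")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return doc["authorization_endpoint"] + "?" + urlencode(params)


if __name__ == "__main__":
    doc = parse_discovery(SAMPLE_DISCOVERY)
    cb = redirect_uri("https://firezone.example.com", "example-idp")  # placeholder values
    verifier, challenge = make_pkce_pair()
    print(build_authorization_url(doc, "placeholder-client-id", cb,
                                  "openid email profile", secrets.token_urlsafe(16), challenge))
    print("RP-initiated logout available:", supports_rp_initiated_logout(doc))
```

The client_secret is deliberately absent from the authorization request: it is only used server-side at the token endpoint, and the PKCE verifier is what the script would send there alongside the returned code. A provider whose discovery document lacks end_session_endpoint is the case the logout section describes, where Firezone cannot log the End-User out of the IdP.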