Enable SSO with Google Workspace (SAML 2.0)

Firezone supports Single Sign-On (SSO) using Google through the generic SAML 2.0 connector. This guide will walk you through how to configure the integration.

Step 1: Create a SAML connector

In the Google Workspace admin portal, create a new SAML app under the Application > Web and mobile apps tab. Use the following config values during setup:

SettingValue
App nameFirezone
App iconsave link as
ACS URLThis is your Firezone EXTERNAL_URL/auth/saml/sp/consume/:config_id (e.g., https://firezone.company.com/auth/saml/sp/consume/google).
Entity IDThis should be the same as your Firezone SAML_ENTITY_ID, defaults to urn:firezone.dev:firezone-app.
Signed responseUnchecked.
Name ID formatUnspecified
Name IDBasic Information > Primary email
google saml

Once complete, save the changes and download the SAML metadata document. You'll need to copy-paste the contents of this document into the Firezone portal in the next step.

Step 2: Add SAML identity provider to Firezone

In the Firezone portal, add a SAML identity provider under the Security tab by filling out the following information:

SettingValueNotes
Config IDgoogleFirezone uses this value to construct endpoints required in the SAML authentication flow (e.g., receiving assertions, login requests).
LabelGoogleAppears on the sign in button for authentication.
Metadatasee notePaste the contents of the SAML metadata document you downloaded in the previous step from Google.
Sign assertionsChecked.
Sign metadataChecked.
Require signed assertionsChecked.
Require signed envelopesUnchecked.
Auto create usersDefault falseEnable this setting to automatically create users when signing in with this connector for the first time. Disable to manually create users.
firezone saml

After saving the SAML config, you should see a Sign in with Google button on your Firezone portal sign-in page.