Enable SSO with OneLogin (SAML 2.0)

This guide assumes you have completed the prerequisite steps (e.g. generate self-signed X.509 certificates) outlined here.

Firezone supports Single Sign-On (SSO) using OneLogin through the generic SAML 2.0 connector. This guide will walk you through how to configure the integration.

Step 1: Create a SAML connector

In the OneLogin admin portal, add an app under the Applications tab, select SAML Custom Connector (Advanced), and fill in the settings under the Configuration tab.

The following fields should be filled out on this page:

| Setting | Value |
| --- | --- |
| Audience (EntityID) | Must match your Firezone SAML_ENTITY_ID, which defaults to urn:firezone.dev:firezone-app. |
| Recipient | Your Firezone EXTERNAL_URL/auth/saml/sp/consume/:config_id (e.g., https://firezone.company.com/auth/saml/sp/consume/onelogin). |
| ACS URL Validator | A regex OneLogin uses to ensure it posts the SAML response only to the correct URL. For the sample ACS URL in the next row: ^https:\/\/firezone\.company\.com\/auth\/saml\/sp\/consume\/onelogin. As written it has no trailing $, so it also accepts any URL that merely begins with this path; append $ to restrict it to exactly this URL. |
| ACS URL | Your Firezone EXTERNAL_URL/auth/saml/sp/consume/:config_id (e.g., https://firezone.company.com/auth/saml/sp/consume/onelogin). |
| Login URL | Your Firezone EXTERNAL_URL/auth/saml/auth/signin/:config_id (e.g., https://firezone.company.com/auth/saml/auth/signin/onelogin). |
| SAML initiator | Service Provider |
| SAML signature element | Both (signs both the response and the assertion) |
| Encrypt Assertion | Checked |

OneLogin's docs provide a good overview of each field's purpose.


Once complete, save the changes and download the SAML metadata document found under the More Actions dropdown. You'll need to paste the contents of this document into the Firezone portal in the next step.

Step 2: Add SAML identity provider to Firezone

In the Firezone portal, add a SAML identity provider under the Security tab by filling out the following information:

| Setting | Value | Notes |
| --- | --- | --- |
| Config ID | onelogin | Used to construct the endpoints in the SAML flow (the ACS URL that receives assertions and the login URL that starts a request). Must match the :config_id in the URLs entered in OneLogin. |
| Label | OneLogin | Appears on the sign-in button. |
| Metadata | see note | Paste the contents of the SAML metadata document you downloaded from OneLogin in the previous step. |
| Sign assertions | Checked | |
| Sign metadata | Checked | |
| Require signed assertions | Checked | Corresponds to the OneLogin setting SAML signature element = Both. |
| Require signed envelopes | Checked | Corresponds to the OneLogin setting SAML signature element = Both. |
| Auto create users | Default false | Enable to create a user automatically the first time someone signs in through this connector; leave disabled to create users manually. |

After saving the SAML config, you should see a Sign in with OneLogin button on your Firezone portal sign-in page.
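The two steps above as a small helper script, added here as an example and not Firezone's or OneLogin's own code. Part 1 derives the values typed into the OneLogin connector from Firezone's EXTERNAL_URL and the chosen Config ID (the guide's https://firezone.company.com and onelogin are used as the sample inputs) and anchors the ACS URL Validator regex at both ends; Part 2 sanity-checks the IdP metadata downloaded from OneLogin before it is pasted into Firezone. SAMPLE_IDP_METADATA is a constructed sample, not real OneLogin output, and the onelogin.com URLs in it are placeholders; only the Python standard library is used.

```python
"""Added example for the OneLogin <-> Firezone SAML setup; not Firezone or OneLogin code.

Part 1 derives the OneLogin connector values (Step 1) from EXTERNAL_URL and Config ID.
Part 2 sanity-checks the downloaded IdP metadata (Step 2) before it is pasted into Firezone.
SAMPLE_IDP_METADATA is a constructed sample; the onelogin.com URLs are placeholders.
"""
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
_REGEX_SPECIAL = set(r"\.^$|?*+()[]{}/")  # "/" escaped too, matching OneLogin's examples


def firezone_sp_settings(external_url, config_id, entity_id="urn:firezone.dev:firezone-app"):
    """Values to enter in the OneLogin connector for a Firezone instance at external_url."""
    base = external_url.rstrip("/")
    acs = f"{base}/auth/saml/sp/consume/{config_id}"
    login = f"{base}/auth/saml/auth/signin/{config_id}"
    escaped = "".join("\\" + ch if ch in _REGEX_SPECIAL else ch for ch in acs)
    return {
        "Audience (EntityID)": entity_id,
        "Recipient": acs,
        "ACS URL": acs,
        # ^...$ so only this exact ACS URL passes, not anything that merely starts with it
        "ACS URL Validator": "^" + escaped + "$",
        "Login URL": login,
    }


def acs_url_allowed(validator, candidate):
    """Would the validator regex accept this AssertionConsumerServiceURL?"""
    return re.search(validator, candidate) is not None


# Constructed sample metadata (placeholder certificate, placeholder OneLogin URLs).
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a certificate").decode()
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://app.onelogin.com/saml/metadata/example-app-id"
    validUntil="2099-01-01T00:00:00Z">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://example-corp.onelogin.com/trust/saml2/http-redirect/sso/example"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://example-corp.onelogin.com/trust/saml2/http-post/sso/example"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def check_idp_metadata(xml_text, now=None):
    """Extract what Firezone needs from IdP metadata and list anything that looks wrong."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != MD + "EntityDescriptor":
        problems.append(f"root element is {root.tag}, expected md:EntityDescriptor")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        # Pasting SP metadata (SPSSODescriptor) by mistake is a common error
        problems.append("no IDPSSODescriptor: this is not identity-provider metadata")
        return {"entity_id": root.get("entityID"), "sso": {}, "signing_certs": 0, "problems": problems}
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall(MD + "SingleSignOnService")}
    if HTTP_POST not in sso and HTTP_REDIRECT not in sso:
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    for binding, url in sso.items():
        if not (url or "").startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https: {url}")
    certs = ["".join(c.text.split()) for c in idp.iter(DS + "X509Certificate") if c.text]
    if not certs:
        problems.append("no signing certificate: Firezone cannot verify signed assertions")
    for cert in certs:
        try:
            base64.b64decode(cert, validate=True)
        except ValueError:
            problems.append("X509Certificate content is not valid base64")
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            problems.append(f"metadata expired at {valid_until}")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": len(certs), "problems": problems}


if __name__ == "__main__":
    for name, value in firezone_sp_settings("https://firezone.company.com", "onelogin").items():
        print(f"{name}: {value}")
    print(check_idp_metadata(SAMPLE_IDP_METADATA))
```

Run it with the real EXTERNAL_URL and the metadata file you downloaded; an empty problems list plus an https HTTP-POST endpoint and one signing certificate is what you want to see before pasting the metadata into Firezone. The validator check also shows why the trailing $ matters: without it, any URL that starts with the ACS path is accepted.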