Integrate your identity provider using OIDC
Firezone supports Single Sign-On (SSO) via OpenID Connect (OIDC).
Supported identity providers
In general, most identity providers that offer OIDC support work with Firezone. Some providers that only implement OIDC partially or use uncommon configurations may have issues, however. If your identity provider falls into this category, contact us about a custom integration.
The following OIDC providers are known to work well with Firezone:
Provider | Support Status | Notes |
---|---|---|
Azure Active Directory | Fully tested and supported | Ensure the email claim is present in the token. |
Okta | Fully tested and supported | |
Onelogin | Fully tested and supported | |
Keycloak | Fully tested and supported | |
Auth0 | Fully tested and supported | Auth0 does not provide an end_session_uri in its OIDC discovery document. Signing out of Auth0 from Firezone is not supported. |
Google Workspace | Fully tested and supported | Google does not provide an end_session_uri in its OIDC discovery document. Signing out of Google Workspace from Firezone is not supported. |
Zitadel | Untested but known to work | |
Authentik | Untested but known to work | |
General setup guide
If you're using an OIDC provider not listed above, the following OIDC attributes are required for setting up an OIDC provider in Firezone:
discovery_document_uri
: The OpenID Connect provider configuration URI which returns a JSON document used to construct subsequent requests to this OIDC provider. Some providers refer to this as the "well-known URL".
client_id
: The client ID of the application.
client_secret
: The client secret of the application.
redirect_uri
: Instructs the OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider_key>/callback/ (e.g. https://firezone.example.com/auth/oidc/google/callback/).
response_type
: Set to code.
scope
: OIDC scopes to obtain from your OIDC provider. At a minimum, Firezone requires the openid and email scopes.
label
: The button label text displayed on the Firezone portal login page.
PKCE
Firezone supports Proof Key for Code Exchange (PKCE) for increased login security. We recommend you enable PKCE in your IdP's settings whenever available. Read more about PKCE here.
OIDC logout URI
The OpenID Connect standard defines a mechanism for a Relying Party (RP) to request that an OpenID Provider log out the End-User.
Unfortunately, not all IdPs support this (e.g. Google, Auth0). For the providers that do support this mechanism, Firezone automatically detects the end_session_uri found in the provider's discovery document and uses that to log out the End-User.
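As an added example (not Firezone's own code), the following Python check covers the attributes from the setup guide and the logout detection described here: it builds the redirect_uri from EXTERNAL_URL and provider_key, then reads a discovery document to confirm the openid and email scopes, the code response type, PKCE support (S256), and whether the provider advertises a logout endpoint (in discovery JSON this is the key end_session_endpoint). The sample discovery document and the idp.example.com URLs are constructed for this example.

```python
import json

# Constructed sample discovery document (not from a real provider). It omits
# end_session_endpoint on purpose, mirroring the Google/Auth0 case above.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "scopes_supported": ["openid", "email", "profile"],
    "response_types_supported": ["code", "id_token"],
    "code_challenge_methods_supported": ["S256"],
})

# Firezone needs at least these two scopes.
REQUIRED_SCOPES = {"openid", "email"}


def redirect_uri(external_url: str, provider_key: str) -> str:
    """Build EXTERNAL_URL + /auth/oidc/<provider_key>/callback/ with a single slash between parts."""
    return external_url.rstrip("/") + f"/auth/oidc/{provider_key}/callback/"


def check_discovery(document: str, scope: str) -> dict:
    """Check a discovery document (JSON text) against the Firezone settings above.

    scope is the space-separated scope string you intend to configure.
    Any False value in the result means that setting will not work as expected.
    """
    doc = json.loads(document)
    requested = set(scope.split())
    # scopes_supported is optional in discovery; if absent, assume the IdP honours what we ask for.
    advertised = set(doc.get("scopes_supported", requested))
    return {
        # openid and email must be both requested and (if advertised) supported
        "required_scopes_ok": REQUIRED_SCOPES <= requested and REQUIRED_SCOPES <= advertised,
        # response_type must be "code"
        "code_flow_ok": "code" in doc.get("response_types_supported", []),
        # PKCE with S256: enable it in the IdP when this is advertised
        "pkce_s256": "S256" in doc.get("code_challenge_methods_supported", []),
        # RP-initiated logout only works when the IdP advertises this endpoint; None means "not supported"
        "end_session_endpoint": doc.get("end_session_endpoint"),
    }


if __name__ == "__main__":
    print(redirect_uri("https://firezone.example.com", "google"))
    print(check_discovery(SAMPLE_DISCOVERY, "openid email"))
```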