Integrate your identity provider using OIDC

Firezone supports Single Sign-On (SSO) via OpenID Connect (OIDC).

Supported identity providers

In general, most identity providers that offer OIDC support work with Firezone. Providers that implement only part of the OIDC specification or use uncommon configurations may have issues, however. If your identity provider falls into this category, contact us about a custom integration.

The following OIDC providers are known to work well with Firezone:

| Provider | Support Status | Notes |
|---|---|---|
| Azure Active Directory | Fully tested and supported | Ensure the email claim is present in the token. |
| Okta | Fully tested and supported | |
| Onelogin | Fully tested and supported | |
| Keycloak | Fully tested and supported | |
| Auth0 | Fully tested and supported | Auth0 does not advertise an end_session_endpoint (end_session_uri) in its OIDC discovery document. Signing out of Auth0 from Firezone is not supported. |
| Google Workspace | Fully tested and supported | Google does not advertise an end_session_endpoint (end_session_uri) in its OIDC discovery document. Signing out of Google Workspace from Firezone is not supported. |
| Zitadel | Untested but known to work | |
| Authentik | Untested but known to work | |

General setup guide

For any OIDC provider, including ones not listed above, the following attributes are required to set up an OIDC provider in Firezone:

  1. discovery_document_uri: The OpenID Connect provider configuration URI, which returns a JSON document used to construct subsequent requests to this OIDC provider. Some providers refer to this as the "well-known URL"; it normally ends in /.well-known/openid-configuration.
  2. client_id: The client ID of the application registered for Firezone at your IdP.
  3. client_secret: The client secret of that application.
  4. redirect_uri: Instructs the OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider_key>/callback/ (e.g. https://firezone.example.com/auth/oidc/google/callback/). Register exactly this value, including the trailing slash, as an allowed redirect URI at your IdP; most providers reject a callback whose URI differs in any way.
  5. response_type: Set to code (the authorization code flow).
  6. scope: OIDC scopes to obtain from your OIDC provider. At a minimum, Firezone requires the openid and email scopes.
  7. label: The button label text displayed on the Firezone portal login page.

PKCE

Firezone supports Proof Key for Code Exchange (PKCE, RFC 7636) for increased login security. PKCE binds the authorization code to the client that started the login, so a code intercepted in transit or from browser history cannot be exchanged for tokens by anyone else. We recommend you enable (or require) PKCE in your IdP's application settings whenever available.
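The following is an added example, not Firezone's own code, showing how a Relying Party assembles the attributes from the setup guide above into an authorization request and a token request, with PKCE applied as described in this section. The discovery document is constructed for illustration, and EXTERNAL_URL, PROVIDER_KEY and CLIENT_ID are assumed values; a real integration fetches the document from discovery_document_uri and stores the per-login session values server-side.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Constructed sample discovery document; a real one is fetched from
# discovery_document_uri. Field names follow OpenID Connect Discovery 1.0.
DISCOVERY_DOCUMENT_URI = "https://idp.example.com/.well-known/openid-configuration"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "email", "profile"],
    "code_challenge_methods_supported": ["S256", "plain"],
})

EXTERNAL_URL = "https://firezone.example.com"  # assumed Firezone EXTERNAL_URL
PROVIDER_KEY = "example"                        # assumed provider_key
CLIENT_ID = "firezone-portal"                   # assumed client_id


def redirect_uri_for(external_url, provider_key):
    """Firezone callback: EXTERNAL_URL + /auth/oidc/<provider_key>/callback/ (trailing slash)."""
    return f"{external_url.rstrip('/')}/auth/oidc/{provider_key}/callback/"


def load_discovery(discovery_json, discovery_uri):
    """Parse a discovery document and reject ones that cannot serve this flow."""
    doc = json.loads(discovery_json)
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            raise ValueError(f"discovery document lacks required field {key!r}")
    # The document must be served from <issuer>/.well-known/openid-configuration;
    # an issuer that does not match the URL we fetched is misconfigured or hostile
    # (the id_token 'iss' claim is later checked against this value).
    if discovery_uri != doc["issuer"].rstrip("/") + "/.well-known/openid-configuration":
        raise ValueError(f"issuer {doc['issuer']!r} does not match {discovery_uri!r}")
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("provider does not support response_type=code")
    advertised = doc.get("scopes_supported")
    if advertised is not None and not {"openid", "email"} <= set(advertised):
        raise ValueError("provider does not advertise both openid and email scopes")
    return doc


def code_challenge_for(code_verifier):
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(doc, client_id, redirect_uri, scopes=("openid", "email")):
    """Return the authorization URL plus the per-login values the RP must keep server-side."""
    # code_verifier: 43-128 unreserved chars; 32 random bytes give 43 chars after base64url.
    code_verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    session = {
        "state": secrets.token_urlsafe(32),  # ties the callback to this browser session (CSRF)
        "nonce": secrets.token_urlsafe(32),  # must be echoed back inside the id_token
        "code_verifier": code_verifier,      # proves the token request comes from the same client
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": code_challenge_for(code_verifier),
        "code_challenge_method": "S256",
    }
    return {
        "url": f"{doc['authorization_endpoint']}?{urlencode(params)}",
        "params": params,
        "session": session,
        # If the IdP does not advertise S256 it will ignore the challenge, so the
        # verifier check below gives no protection for that provider.
        "pkce_advertised": "S256" in doc.get("code_challenge_methods_supported", []),
    }


def build_token_request(doc, client_id, client_secret, redirect_uri, code, session, returned_state):
    """Exchange the code: state must match what we stored, and code_verifier completes PKCE."""
    if not secrets.compare_digest(session["state"], returned_state):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    return {
        "endpoint": doc["token_endpoint"],
        "body": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,  # must equal the one sent in the authorization request
            "client_id": client_id,
            "client_secret": client_secret,
            "code_verifier": session["code_verifier"],
        },
    }


if __name__ == "__main__":
    discovery = load_discovery(SAMPLE_DISCOVERY, DISCOVERY_DOCUMENT_URI)
    request = build_authorization_request(discovery, CLIENT_ID, redirect_uri_for(EXTERNAL_URL, PROVIDER_KEY))
    print(request["url"])
```

The issuer check in load_discovery is the part most often skipped: a discovery document whose issuer does not match the well-known URL it was fetched from should be rejected outright, because every later check (the id_token iss claim, the token endpoint you post the client_secret to) hangs off that value. The state and code_verifier live only in the server-side session and are never placed in the URL.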

OIDC logout URI

The OpenID Connect standard (RP-Initiated Logout) defines a mechanism for a Relying Party (RP) to request that an OpenID Provider log out the End-User. The provider advertises the endpoint for this as end_session_endpoint in its discovery document.

Unfortunately, not all IdPs support this (e.g. Google, Auth0). For the providers that do, Firezone automatically detects the end_session_endpoint (end_session_uri) in the provider's discovery document and uses it to log out the End-User. For providers without it, signing out of Firezone ends only the Firezone session; the user's session at the IdP remains active, so a subsequent login may complete without prompting for credentials.
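As an added example (not Firezone's code), the following shows the detection this section describes: if the discovery document advertises an end_session_endpoint, build an RP-initiated logout redirect; otherwise fall back to a local-only logout. Both discovery documents are constructed, the second shaped like the Google and Auth0 case with no logout endpoint, and the post-logout redirect URI is an assumed value that would have to be registered at the IdP.

```python
import json
from urllib.parse import urlencode, urlparse

# Constructed: a provider that advertises RP-initiated logout.
WITH_LOGOUT = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "end_session_endpoint": "https://idp.example.com/oauth2/logout",
})

# Constructed: shaped like Google's and Auth0's documents, which lack the field.
WITHOUT_LOGOUT = json.dumps({
    "issuer": "https://accounts.example.org",
    "authorization_endpoint": "https://accounts.example.org/o/oauth2/auth",
    "token_endpoint": "https://accounts.example.org/token",
})

# Assumed post-logout landing page; it must be registered at the IdP or the
# provider will refuse to redirect there after ending the session.
POST_LOGOUT_REDIRECT = "https://firezone.example.com/"


def end_session_uri(discovery_json):
    """Return the provider's end_session_endpoint, or None if it advertises none."""
    doc = json.loads(discovery_json)
    uri = doc.get("end_session_endpoint")
    if uri is None:
        return None
    # The id_token is sent to this endpoint as id_token_hint, so never accept a
    # plaintext endpoint even if the discovery document offers one.
    if urlparse(uri).scheme != "https":
        raise ValueError(f"refusing non-https end_session_endpoint {uri!r}")
    return uri


def logout_plan(discovery_json, id_token, post_logout_redirect_uri):
    """Decide how to end the session: RP-initiated logout at the IdP or local only."""
    uri = end_session_uri(discovery_json)
    if uri is None:
        # Google/Auth0 case: the RP can only clear its own session. The IdP
        # session survives, so the next login may complete silently.
        return {"mode": "local_only", "redirect_to": None}
    params = {
        "id_token_hint": id_token,  # tells the IdP which session to end
        "post_logout_redirect_uri": post_logout_redirect_uri,
    }
    return {"mode": "rp_initiated", "redirect_to": f"{uri}?{urlencode(params)}"}


if __name__ == "__main__":
    # "id-token-placeholder" stands in for the id_token issued at login.
    for name, document in (("with logout", WITH_LOGOUT), ("without logout", WITHOUT_LOGOUT)):
        print(name, logout_plan(document, "id-token-placeholder", POST_LOGOUT_REDIRECT))
```

The local_only branch is the behaviour the table above describes for Google Workspace and Auth0: Firezone's own session is dropped, but nothing is sent to the IdP, and an administrator who needs a hard sign-out for those providers must revoke the session on the IdP side.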