Enable SSO with Zitadel (OIDC)

Firezone supports Single Sign-On (SSO) using Zitadel through the generic OIDC connector. This guide will walk you through how to obtain the following config settings required for the integration:

  1. Config ID: The provider's config ID. (e.g. zitadel)
  2. Label: The button label text that shows up on your Firezone login screen. (e.g. Zitadel)
  3. Scope: OIDC scopes to obtain from your OIDC provider. This should be set to openid email profile offline_access to provide Firezone with the user's email in the returned claims.
  4. Response type: Set to code.
  5. Client ID: The client ID of the application.
  6. Client secret: The client secret of the application.
  7. Discovery Document URI: The OpenID Connect provider configuration URI which returns a JSON document used to construct subsequent requests to this OIDC provider.
firezone zitadel sso login

Requirements

More information about these steps can be found in Zitadel's documentation.

Create Zitadel Application

In the Instance Console, go to Projects and select the project you want, then click New.

zitadel new application

Give the application a name (e.g. "Firezone") and select WEB for the application type.

zitadel name application

Select CODE for the authentication method.

zitadel auth method

Specify the redirect URI and post logout URI.

  1. Redirect URIs: EXTERNAL_URL + /auth/oidc/<Config ID>/callback/ (e.g. https://vpn.example.com/auth/oidc/zitadel/callback/)
  2. Post Logout URIs: EXTERNAL_URL (e.g. https://vpn.example.com)
zitadel uri

Double-check the configuration, then click Create.

zitadel configuration overview

Copy the ClientId and ClientSecret, as they will be used for the Firezone configuration.

zitadel client creds

In the application Configuration, click Refresh Token and then Save. The refresh token is optional and is only used by some features of Firezone.

zitadel configuration

In the application Token Settings, select User roles inside ID Token and User Info inside ID Token, then click Save.

zitadel token settings


Integrate With Firezone

Navigate to the /settings/security page in the admin portal, click "Add OpenID Connect Provider" and enter the details you obtained in the steps above.

Enable or disable the Auto create users option to automatically create an unprivileged user when signing in via this authentication mechanism.

And that's it! The configuration should be updated immediately. You should now see a Sign in with Zitadel button on the sign-in page.
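A pre-flight check for the settings listed at the top of this guide (scope, response type, discovery document) and for the redirect URI registered in Zitadel, added here as an example; it is not part of Firezone or Zitadel. The discovery document and the auth.example.com host are constructed sample values, and the scopes_supported and grant_types_supported fields it reads are the standard OIDC discovery keys.

```python
import json
from urllib.parse import urlparse

# Scopes the guide says to request, so the email claim is returned to Firezone.
REQUIRED_SCOPES = {"openid", "email", "profile", "offline_access"}

# Constructed sample of a provider's /.well-known/openid-configuration
# response (placeholder host; a real Zitadel instance returns its own values).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/oauth/v2/authorize",
    "token_endpoint": "https://auth.example.com/oauth/v2/token",
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
    "response_types_supported": ["code", "id_token", "id_token token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
})


def callback_uri(external_url, config_id):
    """EXTERNAL_URL + /auth/oidc/<Config ID>/callback/ as Firezone expects it."""
    return external_url.rstrip("/") + "/auth/oidc/%s/callback/" % config_id


def redirect_uri_registered(registered_uris, external_url, config_id):
    """Exact string match, which is how OIDC redirect URI checks work:
    a missing trailing slash or a different scheme is a different URI."""
    return callback_uri(external_url, config_id) in registered_uris


def check_provider(discovery_json, scope, response_type):
    """Compare the Firezone settings against what the provider advertises.
    Returns a list of problems; an empty list means they are consistent."""
    doc = json.loads(discovery_json)
    problems = []
    if urlparse(doc.get("issuer", "")).scheme != "https":
        problems.append("issuer is not served over https")
    requested = set(scope.split())
    missing = REQUIRED_SCOPES - requested
    if missing:
        problems.append("scope is missing %s" % sorted(missing))
    unsupported = requested - set(doc.get("scopes_supported", []))
    if unsupported:
        problems.append("provider does not advertise scopes %s" % sorted(unsupported))
    if response_type != "code":
        problems.append("response type must be 'code', got %r" % response_type)
    if response_type not in doc.get("response_types_supported", []):
        problems.append("provider does not support response type %r" % response_type)
    if "offline_access" in requested and "refresh_token" not in doc.get("grant_types_supported", []):
        problems.append("offline_access requested but refresh_token grant not supported")
    return problems
```

Run it against the real discovery document of your instance before enabling the provider; a non-empty list points at the setting to fix.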

Step 3 (optional): Restrict access to specific users

Zitadel can limit which users have access to Firezone. To do this, go to the project where you created your application. Under General you can find Check Authorization on Authentication, which allows only users with at least one role to log in to Firezone.

zitadel check authorization