Skip to main content


Firezone supports Single Sign-On (SSO) using OneLogin through the generic OIDC connector. This guide will walk you through how to obtain the following config settings required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI which returns a JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Instructs OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider_key>/callback/ (e.g.
  5. response_type: Set to code.
  6. scope: OIDC scopes to obtain from your OIDC provider. This should be set to openid email profile to provide Firezone with the user's email in the returned claims.
  7. label: The button label text that shows up on your Firezone login screen.

Obtain Config Settings

Step 1 - Configure Custom Connector

Create a new OIDC connector by visiting Appliances > Custom Connectors.

  1. App name: Firezone
  2. Icon: Firezone logo or Firezone icon (save link as).
  3. Sign on method: select OpenID Connect
  4. Redirect URI: Add your Firezone <EXTERNAL_URL> + /auth/oidc/onelogin/callback/ (e.g.

Onelogin Configuration

Step 2 - Configure the OIDC Application

Next, click Add App to Connector to create an OIDC application. Visit the SSO tab, then change the token endpoint authentication method to POST.

You will find the values for the config settings required by Firezone on this page as well.

Onelogin Config Parameters

Integrate With Firezone

Edit /etc/firezone/firezone.rb to include the options below.

# Using Google as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
onelogin: {
discovery_document_uri: "https://<ONELOGIN_URL>/oidc/2/.well-known/openid-configuration",
client_id: "<CLIENT_ID>",
client_secret: "<CLIENT_SECRET>",
redirect_uri: "",
response_type: "code",
scope: "openid email profile",
label: "OneLogin"

Run firezone-ctl reconfigure to update the application. You should now see a Sign in with OneLogin button at the root Firezone URL.