Skip to main content

SAML 2.0

Firezone supports Single Sign-On (SSO) via SAML 2.0.

Provider Support

In general, most identity providers that support SAML 2.0 should work with Firezone.

ProviderSupport StatusNotes
OktaTested and supported
Google WorkspaceTested and supportedUncheck Require signed envelopes
OneLoginTested and supported
JumpCloudTested and supportedUncheck Require signed envelopes

Occasionally, providers that don't implement the full SAML 2.0 standard or use uncommon configurations may be problematic. If this is the case, contact us about a custom integration.


Before using SAML 2.0 in Firezone, you'll first need to generate a set of private and public keys using the RSA or DSA algorithms along with an X.509 certificate that contains the public key. This can be generated with openssl using the following one-liner:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout saml.key -out saml.crt

Now, configure your Firezone portal to use these:

Set the SAML_KEY_PATH and SAML_CERT_PATH environment variables to the path containing your saml.key and saml.crt above. If using our example docker compose file, which includes a volume for mapping configuration, save these files to $HOME/.firezone/firezone on the Docker host and set the SAML_KEY_PATH=/var/firezone/saml.key and SAML_CERT_PATH=/var/firezone/saml.crt environment variables for the Firezone container.

General Instructions

Once you've configured Firezone with an X.509 certificate and corresponding private key as shown above, you'll need a few more things to set up a generic SAML integration.

Use these general instructions to configure a SAML connector for a provider not listed above.

IdP Metadata Document

You'll need to get the SAML Metadata XML document from your identity provider. In most cases this can be downloaded from your IdP's SAML App configuration dashboard.


Firezone constructs the ACS URL based on the Base URL and Configuration ID entered in the Firezone SAML configuration, defaulting to: EXTERNAL_URL/auth/saml/sp/consume/:config_id, e.g.

Entity ID

The Firezone Entity ID can be configured with the SAML_ENTITY_ID environment variable and defaults to if not set.

See the environment variable reference for more information.