Google Workspace


This guide assumes you have completed the prerequisite steps (e.g. generate self-signed X.509 certificates) outlined here.

Firezone supports Single Sign-On (SSO) using Google through the generic SAML 2.0 connector. This guide will walk you through how to configure the integration.

Create a SAML connector

In the Google Workspace admin portal, create a new SAML app under the Application > Web and mobile apps tab. Use the following config values during setup:

| Setting | Value |
| --- | --- |
| App name | Firezone |
| App icon | save link as |
| ACS URL | This is your Firezone EXTERNAL_URL/auth/saml/sp/consume/:config_id (e.g., |
| Entity ID | This should be the same as your Firezone SAML_ENTITY_ID, defaults to |
| Signed response | Unchecked. |
| Name ID format | Unspecified |
| Name ID | Basic Information > Primary email |

[Image: Google SAML]

Once complete, save the changes and download the SAML metadata document. You'll need to copy-paste the contents of this document into the Firezone portal in the next step.
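The following added example, which is not Firezone's or Google's code, checks the downloaded metadata document before it is pasted into the portal: it refuses documents that carry a DTD and reports an expired validUntil, a missing signing certificate, or a sign-on endpoint that is not HTTPS. The function names, the sample XML and the example.test hosts are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample (not real Google output); the certificate is a placeholder.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml" validUntil="2031-01-01T00:00:00.000Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.test/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def acs_url(external_url, config_id):
    """ACS URL as the guide defines it: EXTERNAL_URL/auth/saml/sp/consume/:config_id."""
    return f"{external_url.rstrip('/')}/auth/saml/sp/consume/{config_id}"

def check_idp_metadata(xml_text, now=None):
    """Return a list of problems; an empty list means every check passed."""
    # Metadata needs no DTD; rejecting one keeps entity tricks away from the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["contains a DTD or entity declaration; refusing to parse"]
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not root.get("entityID"):
        problems.append("root is not an EntityDescriptor with an entityID")
    until = root.get("validUntil")
    if until:
        expiry = datetime.fromisoformat(until.replace("Z", "+00:00"))
        if expiry.tzinfo is None:  # treat a naive timestamp as UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            problems.append(f"metadata expired at {until}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor element"]
    certs = [c for k in idp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"
             for c in k.iterfind(".//ds:X509Certificate", NS)]
    if not any((c.text or "").strip() for c in certs):
        problems.append("no signing certificate")  # needed to verify signed assertions
    locations = [s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)]
    if not locations:
        problems.append("no SingleSignOnService endpoint")
    problems += [f"SSO endpoint is not HTTPS: {u}" for u in locations if not u.startswith("https://")]
    return problems
```

Run `check_idp_metadata` on the contents of the file downloaded from Google; `acs_url` produces the value to enter as the ACS URL for a given Config ID.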

Add SAML identity provider to Firezone

In the Firezone portal, add a SAML identity provider under the Security tab by filling out the following information:

| Setting | Value | Notes |
| --- | --- | --- |
| Config ID | google | Firezone uses this value to construct endpoints required in the SAML authentication flow (e.g., receiving assertions, login requests). |
| Label | Google | Appears on the sign in button for authentication. |
| Metadata | see note | Paste the contents of the SAML metadata document you downloaded in the previous step from Google. |
| Sign assertions | Checked. | |
| Sign metadata | Checked. | |
| Require signed assertions | Checked. | |
| Require signed envelopes | Unchecked. | |

[Image: Firezone SAML]

After saving the SAML config, you should see a Sign in with Google button on your Firezone portal sign-in page.