
Google


Firezone supports Single Sign-On (SSO) using Google Workspace and Cloud Identity through the generic OIDC connector. This guide walks you through obtaining the following config settings required for the integration:

  1. discovery_document_uri: This URL returns a JSON document (the OpenID Provider metadata) listing the endpoints and capabilities needed to construct requests to the OpenID server.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application. Treat it like a password: it is stored in /etc/firezone/firezone.rb, so restrict read access to that file.
  4. redirect_uri: Instructs the OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider_key>/callback/ (e.g. https://firezone.example.com/auth/oidc/google/callback/). Google compares it character for character against the Authorized redirect URIs registered on the OAuth client, trailing slash included, so use the identical string in both places.
  5. response_type: Set to code (the authorization code flow: tokens are exchanged server-side and never pass through the browser).
  6. scope: OIDC scopes to obtain from your OIDC provider. This should be set to openid email profile to provide Firezone with the user’s email in the returned claims.
  7. label: The button label text that shows up on your Firezone login screen.


Note: Previously, Firezone used pre-configured OAuth2 providers. We’ve moved to OIDC-based authentication, which allows any OpenID Connect provider (Google, Okta, Dex) to be used for authentication.

We strongly recommend transitioning your existing Google or Okta-based SSO configuration to the generic OIDC-based configuration format described here. We’ll be removing the Google-specific and Okta-specific SSO functionality in a future release.

To set up SSO, follow the steps below:

Obtain Config Settings

Step 1 - OAuth Consent Screen

If this is the first time you are creating a new OAuth client ID, you will be asked to configure a consent screen.

IMPORTANT: Select Internal for user type. With Internal, Google only lets accounts that belong to your Google Workspace organization complete the sign-in, so only those users can create device configs. DO NOT select External unless you want to allow anyone with a valid Google Account to sign in to Firezone and create device configs.


On the App information screen:

  1. App name: Firezone
  2. App logo: the Firezone logo (optional).
  3. Application home page: the URL of your Firezone instance.
  4. Authorized domains: the registrable domain of your Firezone instance (for https://firezone.example.com this is example.com).


On the next step add the scopes that correspond to the Firezone scope setting openid email profile: openid, https://www.googleapis.com/auth/userinfo.email and https://www.googleapis.com/auth/userinfo.profile. No other scopes are needed.

Step 2 - Create OAuth Client IDs

This section is based on Google’s own documentation on setting up OAuth 2.0.

Visit the Google Cloud Console Credentials page, click + Create Credentials and select OAuth client ID.

On the OAuth client ID creation screen:

  1. Set Application Type to Web application
  2. Add your Firezone EXTERNAL_URL + /auth/oidc/google/callback/ (e.g. https://firezone.example.com/auth/oidc/google/callback/) as an entry to Authorized redirect URIs.

After creating the OAuth client ID, you will be given a Client ID and Client Secret. Copy both; they are used together with the redirect URI in the next step.

Integrate With Firezone

Edit /etc/firezone/firezone.rb to include the options below.

# Using Google as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  google: {
    # Google's OpenID Provider metadata; Firezone reads the endpoints from it
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    # Values from the OAuth client ID created in Step 2
    client_id: "<CLIENT_ID>",
    client_secret: "<CLIENT_SECRET>",
    # Must match an Authorized redirect URI registered in Step 2 exactly
    redirect_uri: "https://firezone.example.com/auth/oidc/google/callback",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  }
}

Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Google button at the root Firezone URL. Verify the setup with a Google Workspace account from your organization (sign-in should succeed) and, if you selected Internal for the consent screen, with a personal Google account (sign-in should be refused by Google).
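Before running reconfigure, the provider entry above can be sanity-checked against the discovery document it points at, and the authorization request that the code flow starts with can be inspected. The following is an added example, not Firezone's own code: it embeds a constructed, abridged copy of the fields Google publishes at the discovery URL so it runs offline, takes the list of Authorized redirect URIs registered in Step 2 as a plain Python list (a stand-in for the console), and treats the google: entry above as a Python dict.

```python
"""Check a Firezone OIDC provider entry against the provider's discovery
document and build the authorization request the code flow starts with.
Added example, not Firezone's code; discovery JSON and registered redirect
URIs below are constructed stand-ins for the real provider and console."""
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed, abridged stand-in for the JSON served at discovery_document_uri.
DISCOVERY_JSON = """{
  "issuer": "https://accounts.google.com",
  "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
  "token_endpoint": "https://oauth2.googleapis.com/token",
  "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
  "response_types_supported": ["code", "token", "id_token", "code token",
                               "code id_token", "token id_token",
                               "code token id_token", "none"],
  "scopes_supported": ["openid", "email", "profile"],
  "code_challenge_methods_supported": ["plain", "S256"]
}"""

# The google: entry from /etc/firezone/firezone.rb, as a Python dict.
PAGE_CONFIG = {
    "discovery_document_uri": "https://accounts.google.com/.well-known/openid-configuration",
    "client_id": "<CLIENT_ID>",
    "client_secret": "<CLIENT_SECRET>",
    "redirect_uri": "https://firezone.example.com/auth/oidc/google/callback",
    "response_type": "code",
    "scope": "openid email profile",
    "label": "Google",
}


def load_discovery(text):
    """Parse the provider metadata document."""
    return json.loads(text)


def validate_provider_config(cfg, discovery, registered_redirect_uris):
    """Return a list of problems; an empty list means the entry is consistent."""
    problems = []
    issuer = discovery["issuer"].rstrip("/")
    # OIDC Discovery: the document is served at <issuer>/.well-known/openid-configuration.
    if cfg["discovery_document_uri"] != issuer + "/.well-known/openid-configuration":
        problems.append("discovery_document_uri does not belong to issuer " + issuer)
    if not cfg["discovery_document_uri"].startswith("https://"):
        problems.append("discovery_document_uri must use https")
    # Google compares redirect URIs byte for byte, so a trailing slash is a mismatch.
    if cfg["redirect_uri"] not in registered_redirect_uris:
        problems.append("redirect_uri %r is not registered exactly" % cfg["redirect_uri"])
    if cfg["response_type"] not in discovery["response_types_supported"]:
        problems.append("response_type %r not supported by provider" % cfg["response_type"])
    elif cfg["response_type"] != "code":
        problems.append("use the authorization code flow: response_type must be 'code'")
    scopes = cfg["scope"].split()
    if "openid" not in scopes:
        problems.append("scope must include 'openid' or the request is plain OAuth2, not OIDC")
    if "email" not in scopes:
        problems.append("scope must include 'email' so the ID token carries the user's email")
    for s in scopes:
        if s not in discovery["scopes_supported"]:
            problems.append("scope %r is not advertised by the provider" % s)
    if cfg["client_secret"] in ("", "<CLIENT_SECRET>"):
        problems.append("client_secret is still the placeholder")
    return problems


def build_authorization_url(cfg, discovery, state=None, nonce=None):
    """Build the first request of the code flow: the redirect to the provider.
    state ties the callback to the browser session (CSRF protection);
    nonce must come back inside the ID token (replay protection)."""
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uri"],
        "response_type": cfg["response_type"],
        "scope": cfg["scope"],
        "state": state,
        "nonce": nonce,
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def query_params(url):
    """Return the query string of url as a flat dict, for inspecting the request."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    disc = load_discovery(DISCOVERY_JSON)
    # Registered with a trailing slash (as the prose writes it) while the
    # firezone.rb value has none: the exact-match check flags it.
    registered = ["https://firezone.example.com/auth/oidc/google/callback/"]
    for p in validate_provider_config(PAGE_CONFIG, disc, registered):
        print("problem:", p)
    print(build_authorization_url(PAGE_CONFIG, disc))
```

Run as-is, the check reports the trailing-slash mismatch between the redirect URI as written in the steps above and the one in the firezone.rb snippet, plus the placeholder secret; whichever form you choose, register the identical string in the Google Cloud Console. Against a live provider you would replace DISCOVERY_JSON with the body fetched from discovery_document_uri over HTTPS.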