SSO with OpenID Connect
Firezone supports authenticating users with a universal OIDC connector that works with any authentication service offering a standard OIDC authentication mechanism. Use this connector to authenticate users and admins to Firezone with any OIDC-capable identity provider that supports the authorization_code grant.
This connector works great for popular hosted providers like Google Workspace, Microsoft Entra ID, and Okta and also for self-hosted ones like Keycloak and Ory.
Directory sync is not supported with the universal OIDC connector. See the Google Workspace, Microsoft Entra ID, or Okta connectors for automatic directory sync. You'll need to manually create and manage users and groups for use with the universal OIDC connector.
For Firezone-specific instructions for a given provider, select your provider in the list below:
For others, consult your provider's documentation for setting up an OpenID Connect client. Here's a list of popular providers with links to their OIDC documentation for convenience:
Setting up the universal OIDC connector
To set up the universal OIDC connector, go to Settings -> Identity Providers -> Add Identity Provider and select OpenID Connect as the identity provider.
In general, you'll need four pieces of information to set up the connector:
- Scopes: These control what information Firezone can access from your identity provider. At a minimum, you'll need the openid, profile, and email scopes. These are configured in your identity provider's OAuth app settings.
- Redirect URIs: These are unique to each provider in your Firezone account and are used to complete the authentication process. These are configured in your identity provider's OAuth app settings.
- Client ID and secret: These are used to authenticate Firezone with your identity provider. These are configured in Firezone.
- Discovery document URI: This is the URL to your identity provider's OIDC discovery document. It is used to automatically configure the connector with your identity provider's settings and is configured in Firezone.
Scopes
Firezone requires the following scopes to be added on the connector at a minimum:
- openid: Required by all OpenID Connect integrations and used to identify this user in Firezone
- profile: Required for providing the user's name
- email: Required for authentication
Redirect URIs
When setting up the connector, you'll need to add two redirect URIs to the connector's allowlist in your identity provider. These are shown in the setup form and are unique to each provider in your Firezone account. After the user signs in, the identity provider redirects the browser back to one of these URIs with the authorization code, which Firezone then exchanges for tokens to complete the authentication process. Enter them exactly as shown: identity providers match redirect URIs as exact strings, so a different path, query string, or trailing slash will be rejected.
Client ID and secret
You'll also need to provide the client ID and secret from your identity provider when setting up the connector. These are used to authenticate Firezone with your identity provider when it exchanges the authorization code for tokens. The client secret is a credential: keep it out of version control and chat, and rotate it in both the identity provider and Firezone if it is ever exposed.
Discovery document URI
The discovery document URI is the URL to your identity provider's OIDC discovery document. This document contains all the information needed to configure the connector with your identity provider's settings. You can usually find this URL in your identity provider's OAuth app settings or in their OIDC documentation.
It typically looks something like this (Okta example given):
https://your-tenant.okta.com/.well-known/openid-configuration
PKCE
If the option is available, be sure to enable PKCE for the connector. PKCE (RFC 7636) binds the authorization code to the browser session that started the login by sending a hashed code_challenge with the authorization request and the matching code_verifier with the token request, so an authorization code that is intercepted or injected by an attacker cannot be redeemed for tokens. It is recommended for added security even though the connector also uses a client secret; use the S256 challenge method where your provider offers a choice.
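The pieces above (scopes, redirect URIs, discovery document, PKCE) can be checked before a connector is saved. The following is an added example, not code from Firezone or from any identity provider: it loads a constructed discovery document embedded inline (the hostname idp.example.com, its endpoints, the placeholder client ID and the placeholder Firezone callback URL are all assumptions, not real values), verifies that the document advertises what the connector needs, models the exact-match redirect URI comparison an identity provider applies to the allowlist, derives a PKCE challenge, and assembles the authorization_code request. With a real provider you would fetch the document over HTTPS from the URI returned by `discovery_uri`.

```python
"""Pre-flight checks for a universal OIDC connector setup (added example, not
Firezone code). The discovery document and every hostname below are constructed
placeholders so the script runs offline."""
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

REQUIRED_SCOPES = ("openid", "profile", "email")

# Constructed discovery document in the shape of OIDC Discovery 1.0 metadata.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
})


def discovery_uri(issuer: str) -> str:
    """Well-known location of the discovery document for an issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def load_discovery(text: str) -> dict:
    return json.loads(text)


def check_discovery(doc: dict, expected_issuer: str) -> list:
    """Return the problems found; an empty list means the provider fits the connector."""
    problems = []
    # The document's issuer must equal the one its URL was derived from; otherwise a
    # look-alike document could steer the flow to someone else's endpoints.
    if doc.get("issuer") != expected_issuer.rstrip("/"):
        problems.append("issuer mismatch: %r" % doc.get("issuer"))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append("%s missing or not https" % key)
    # scopes_supported is optional metadata; check it only when the provider advertises it.
    if "scopes_supported" in doc:
        missing = sorted(set(REQUIRED_SCOPES) - set(doc["scopes_supported"]))
        if missing:
            problems.append("required scopes not advertised: %s" % missing)
    # Per the discovery spec, an absent grant_types_supported means authorization_code + implicit.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not supported")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    return problems


def redirect_uri_allowed(requested: str, allowlist) -> bool:
    """Exact-string match, the comparison an IdP should apply to the connector's
    redirect URIs; prefix, query-string and trailing-slash variants are rejected."""
    return requested in set(allowlist)


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair() -> tuple:
    """Fresh code_verifier (kept by the client) and the challenge sent to the IdP."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def authorization_request(doc: dict, client_id: str, redirect_uri: str,
                          allowlist, code_challenge: str, state: str, nonce: str) -> dict:
    """Parameters of the authorization_code request. The redirect URI receives a one-time
    code, not tokens; the client secret is used only later, at the token endpoint."""
    if not redirect_uri_allowed(redirect_uri, allowlist):
        raise ValueError("redirect_uri not in allowlist")
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(REQUIRED_SCOPES),
        "state": state,   # CSRF binding, checked when the code comes back
        "nonce": nonce,   # echoed in the ID token, binds it to this request
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }


def authorization_url(doc: dict, params: dict) -> str:
    return doc["authorization_endpoint"] + "?" + urlencode(params)


if __name__ == "__main__":
    doc = load_discovery(DISCOVERY_JSON)
    print(discovery_uri(doc["issuer"]), check_discovery(doc, "https://idp.example.com") or "ok")
    verifier, challenge = pkce_pair()
    # Placeholder callback; the real redirect URIs are shown in Firezone's setup form.
    cb = "https://firezone.example/auth/oidc/placeholder/callback"
    params = authorization_request(doc, "client-id-placeholder", cb, {cb}, challenge,
                                   secrets.token_urlsafe(16), secrets.token_urlsafe(16))
    print(authorization_url(doc, params))
```

`check_discovery` treats a missing `scopes_supported` as unknown rather than as an error, because that field is recommended but not required metadata; a provider that omits it may still grant the openid, profile and email scopes, so verify them by running a login. The `pkce_challenge` function reproduces the S256 worked example from RFC 7636 Appendix B, which is a convenient way to confirm that a provider's PKCE implementation and yours agree.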
For more detailed guides specific to each provider, see the Firezone legacy documentation. Firezone 1.0 uses the same OIDC connector under the hood as our legacy version, so the steps should be similar.
Need additional help?
Try asking on one of our community-powered support channels:
- Discussion forums: Ask questions, report bugs, and suggest features.
- Public Slack group: join discussions and meet other users and the contributors.