SSO with OpenID Connect

STARTERTEAMENTERPRISE

Firezone supports authenticating users with a universal OIDC connector that works with any authentication service offering a standard OIDC authentication mechanism. Use this connector to enable authenticating users and admins to Firezone for any OIDC-capable identity provider that supports the authorization_code grant.

This connector works great for popular hosted providers like Google Workspace, Microsoft Entra ID, and Okta and also for self-hosted ones like Keycloak and Ory.

Directory sync is not supported with the universal OIDC connector. See the Google Workspace, Microsoft Entra ID, or Okta connectors for automatic directory sync. You'll need to manually create and manage users and groups for use with the universal OIDC connector.

For Firezone-specific instructions for a given provider, select your provider in the list below:

Fo others, consult your provider's documentation for setting up an OpenID Connect client. Here's a list of popular providers with links to their OIDC documentation for convenience:

Setting up the universal OIDC connector

To set up the universal OIDC connector, go to Settings -> Identity Providers -> Add Identity Provider and select OpenID Connect as the identity provider.

In general, you'll need three pieces of information to set up the connector:

  • Scopes: These control what information Firezone can access from your identity provider. At a minimum, you'll need to provide the openid, profile, and email scopes. These are configured in your identity provider's OAuth app settings.
  • Redirect URIs: These are unique to each provider in your Firezone account and are used to complete the authentication process. These are configured in your identity provider's OAuth app settings.
  • Client ID and secret: These are used to authenticate Firezone with your identity provider. These are configured in Firezone.
  • Discovery document URI: This is the URL to your identity provider's OIDC discovery document. This is used to automatically configure the connector with your identity provider's settings and is configured in Firezone.

Scopes

Firezone requires the following scopes to be added on the connector at a minimum:

  • openid: Required by all OpenID Connect integrations and used to identity this user in Firezone
  • profile: Required for providing the user's name
  • email: Required for authentication

Redirect URIs

When setting up the connector, you'll need to provide two redirect URIs in the connector's allowlist. These are shown in the setup form and are unique to each provider in your Firezone account. They allow Firezone to receive authentication tokens from your identity provider to complete the authentication process.

Client ID and secret

You'll also need to provide the client ID and secret from your identity provider when setting up the connector. These are used to authenticate Firezone with your identity provider.

Discovery document URI

The discovery document URI is the URL to your identity provider's OIDC discovery document. This document contains all the information needed to configure the connector with your identity provider's settings. You can usually find this URL in your identity provider's OAuth app settings or in their OIDC documentation.

It typically looks something like this (Okta example given):

https://your-tenant.okta.com/.well-known/openid-configuration

PKCE

If the option is available, be sure to enable PKCE for the connector. This is a security feature that helps prevent certain types of attacks and is recommended for added security.

For more detailed guides specific to each provider, see the Firezone legacy documentation. Firezone 1.0 uses the same OIDC connector under the hood as our legacy version, so the steps should similar.


Need additional help?

Try asking on one of our community-powered support channels:

Or try searching the docs:
Last updated: May 20, 2024