mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
643330fcbe
- [x] Move all docs to be served under `/docs` prefix - [x] Merge blog articles and serve under `/blog` prefix - [x] Remove docs side bar for blog content - [x] Remake marketing site pages in markdown/react - [x] Serve marketing site under root path - [x] Update all old links and paths to use new prefixes
--- title: OpenID Connect sidebar_position: 10 description: Setup single sign-on with your identity provider. Integrate providers like Okta, Google, Azure, and JumpCloud using Firezone's OpenID Connect (OIDC) connector. --- # Integrate your identity provider using OIDC Firezone supports Single Sign-On (SSO) via OpenID Connect (OIDC). ## Supported identity providers In general, most identity providers that offer OIDC support work with Firezone. Some providers that only implement the OIDC partially or use uncommon configurations may have issues, however. If your identity provider falls into this category, [contact us ](/sales) about a custom integration. The following OIDC providers are known to work well with Firezone: | Provider | Support Status | Notes | | ------------------------------------- | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------ | | [Azure Active Directory](azuread) | **Fully tested and supported** | Ensure the [`email` claim](https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims) is present in the token. | | [Okta](okta) | **Fully tested and supported** | | | [Onelogin](onelogin) | **Fully tested and supported** | | | [Keycloak](https://www.keycloak.org/) | **Fully tested and supported** | | | [Auth0](auth0) | **Fully tested and supported** | Auth0 does not provide an `end_session_uri` in its OIDC discovery document. Signing out of Auth0 from Firezone is not supported. | | [Google Workspace](google) | **Fully tested and supported** | Google does not provide an `end_session_uri` in its OIDC discovery document. Signing out of Google Workspace from Firezone is not supported. | | [Zitadel](zitadel) | Untested but known to work | | | [Authentik](https://goauthentik.io/) | Untested but known to work | | ## General setup guide If you're using an OIDC provider not listed above, the following OIDC attributes are required for setting up an OIDC provider in Firezone: 1. `discovery_document_uri`: The [OpenID Connect provider configuration URI](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) which returns a JSON document used to construct subsequent requests to this OIDC provider. Some providers refer to this as the "well-known URL". 1. `client_id`: The client ID of the application. 1. `client_secret`: The client secret of the application. 1. `redirect_uri`: Instructs OIDC provider where to redirect after authentication. This should be your Firezone `EXTERNAL_URL + /auth/oidc/<provider_key>/callback/` (e.g. `https://firezone.example.com/auth/oidc/google/callback/`). 1. `response_type`: Set to `code`. 1. `scope`: [OIDC scopes](https://openid.net/specs/openid-connect-basic-1_0.html#Scopes) to obtain from your OIDC provider. At a minimum, Firezone requires the `openid` and `email` scopes. 1. `label`: The button label text displayed on the Firezone portal login page. ### PKCE Firezone supports Proof Key for Code Exchange (PKCE) for increased login security. We recommend you enable PKCE in your IdP's settings whenever available. [Read more about PKCE here](https://oauth.net/2/pkce/). ### OIDC logout URI The OpenID Connect standard [defines a mechanism](https://openid.net/specs/openid-connect-rpinitiated-1_0.html) for a Relying Party (RP) to request that an OpenID Provider log out the End-User. Unfortunately, not all IdPs support this (e.g. Google, Auth0). For the providers that do support this mechanism, Firezone automatically detects the `end_session_uri` found in the provider's discovery document and uses that to log out the End-User.