Enable SSO with Google Workspace (OIDC)

Firezone supports Single Sign-On (SSO) using Google Workspace and Cloud Identity through the generic OIDC connector. This guide will walk you through how to obtain the following config settings required for the integration:

  1. Config ID: The provider's config ID. (e.g. google)
  2. Label: The button label text that shows up on your Firezone login screen. (e.g. Google)
  3. Scope: OIDC scopes to obtain from your OIDC provider. This should be set to openid email profile to provide Firezone with the user's email in the returned claims.
  4. Response type: Set to code.
  5. Client ID: The client ID of the application.
  6. Client secret: The client secret of the application.
  7. Discovery Document URI: The OpenID Connect provider configuration URI which returns a JSON document used to construct subsequent requests to this OIDC provider.
firezone google sso login

If this is the first time you are creating a new OAuth client ID, you will be asked to configure a consent screen.

IMPORTANT: Select Internal for user type. This ensures only accounts belonging to users in your Google Workspace Organization can create device configs. DO NOT select External unless you want to enable anyone with a valid Google Account to create device configs.

oauth consent internal

On the App information screen:

  1. App name: Firezone
  2. App logo: save link as.
  3. Application home page: the URL of your Firezone instance.
  4. Authorized domains: the top level domain of your Firezone instance.
oauth consent app info

On the next step add the following scopes:

oauth consent scopes

Step 2: Create OAuth client

This section is based off Google's own documentation on setting up OAuth 2.0.

Visit the Google Cloud Console Credentials page page, click + Create Credentials and select OAuth client ID.

create oauth client id

On the OAuth client ID creation screen:

  1. Set Application Type to Web application
  2. Add your Firezone EXTERNAL_URL + /auth/oidc/<Config ID>/callback/ (e.g. https://firezone.example.com/auth/oidc/google/callback/) as an entry to Authorized redirect URIs.
create oauth client id

After creating the OAuth client ID, you will be given a Client ID and Client Secret. These will be used together with the redirect URI in the next step.

Step 3: Integrate with Firezone

Navigate to the /settings/security page in the admin portal, click "Add OpenID Connect Provider" and enter the details you obtained in the steps above.

Enable or disable the Auto create users option to automatically create an unprivileged user when signing in via this authentication mechanism.

And that's it! The configuration should be updated immediately. You should now see a Sign in with Google button on the sign in page.