Identity Provider synchronization

Welcome to our comprehensive guide on configuring Identity Provider (IdP) for users and groups synchronization. This document provides step-by-step instructions and best practices for setting up and managing your synchronization processes effectively.

This feature is only available in the cloud version of NetBird.

Google WorkSpace

Before you start creating and configuring an Google Workspace application, ensure that you have the following:

User account with admin permissions: You must have an Google Workspace user account with the admin permissions to create and manage Google Workspace applications. If you don't have the required permissions, ask your workspace administrator to grant them to you.
Create new NetBird project in Google cloud console https://console.cloud.google.com.
Enable Admin SDK API for Netbird project at https://console.cloud.google.com/apis/library/admin.googleapis.com.

Step 1: Create a service account

Navigate to API Credentials page
Click CREATE CREDENTIALS at the top and select Service account
Fill in the form with the following values and click CREATE
- Service account name: NetBird
- Service account ID: netbird
Click DONE

service-account-create

Step 2: Create service account keys

Navigate to API Credentials page
Under Service Accounts click the NetBird to edit the service account

edit-service-account

Take note of service account email address, you will use it in next steps
Click the Keys tab
Click the Add key drop-down menu, then select Create new key
Select JSON as the Key type and click Create

When you create a service account key by using the Google Cloud console, most browsers immediately download the new key and save it in a download folder on your computer. Read how to manage and secure your service keys here

Step 3: Grant a user management admin role to a service account

Navigate to Admin Console page
Select Account on the left menu and then click Admin Roles
Click Create new role
Fill in the form with the following values and click CREATE
- name: User and Group Management ReadOnly
- description: User and Group Management ReadOnly
Click CONTINUE

new-admin-role

Scroll down to Admin API privileges and add the following privileges
- Users: Read
- Groups: Read

privileges-review

Verify preview of assigned Admin API privileges to ensure that everything is properly configured, and then click CREATE ROLE
Click Assign service accounts, add service account email address and then click ADD

assign-service-account

Click ASSIGN ROLE to assign service account to User and Group Management ReadOnly admin role

service-account-privileges

Navigate to Account Settings page and take note of Customer ID

Azure AD

Before you start creating and configuring an Azure AD application, ensure that you have the following:

User account with admin permissions: You must have an Azure AD user account with the appropriate permissions to create and manage Azure AD applications. If you don't have the required permissions, ask your Azure AD administrator to grant them to you.

Step 1. Create and configure Azure AD application

Navigate to Azure Active Directory
Click App Registrations in the left menu then click on the + New registration button to create a new application.
Fill in the form with the following values and click Register
- Name: NetBird

azure-new-application

Step 2. Add API permissions

Click API permissions on the left menu
Click Add a permission
Click Microsoft Graph and then click Application permissions tab
In Select permissions select User.Read.All and Group.Read.All and click Add permissions

azure-openid-permissions

Click Grant admin consent for Default Directory and click Yes

azure-grant-admin-consent

Step 3. Generate client secret

Click Certificates & secrets on left menu
Click New client secret
Fill in the form with the following values and click Add
Description: NetBird
Copy Value and save it as it can be viewed only once after creation.

azure-client-secret

Navigate to Owner applications.
Select NetBird application in overview page, take note of Application (client) ID and Directory (tenant) ID.

Okta

If your organization relies on Okta for managing employee access, automating access to NetBird via Okta's Provisioning feature can streamline your operations. This integration leverages SCIM (System for Cross-domain Identity Management) to ensure smooth synchronization of users and groups. For comprehensive insights into Okta's SCIM capabilities, please consult this article.

Prerequisites

Begin by installing the NetBird application from the Okta Integration Network
Following installation, reach out to support to activate Okta SSO for your support.

Supported Features

OIDC Features

SP-initiated SSO (Single Sign-On): Users must start authentication from NetBird's login page by entering their Okta email and clicking Continue.

SCIM Features

Create Users: Users added through Okta will automatically be created in NetBird.
Update User Attributes: Any changes to user attributes in Okta will be synchronized with NetBird.
Deactivate Users: Deactivating a user in Okta will also deactivate them in NetBird.
Group Push: Groups created in Okta will be synchronized to NetBird.

Configuration Steps

Step 1: Configure SSO in Okta

Access the Okta dashboard and navigate to Applications > Applications, selecting the previously installed NetBird application.
Go to Sign On > Settings and select Edit.
In the Credentials Details section, change the Application username format to Email and select Save.

Okta SSO Configuration

Step 2: Enable Okta SCIM in NetBird

Log into NetBird.
Proceed to Integrations > Identity Provider and select Connect Okta.

NetBird Identity Provider List

Follow the displayed instructions to link your Okta account. Ensure to note the Authorization(Bearer) token generated for use in the subsequent step.

Okta SCIM Credentials

Step 3: Enable Provisioning in Okta

From the Okta dashboard, navigate to Applications > Applications and select the NetBird application.
Under the Provisioning tab, choose Integration, then select Configure API Integration

Okta Provisioning Configuration

Opt to Enable API integration and insert previously noted Authorization(Bearer) token into the API Token field.

Enabling Okta Provisioning

Click Test API Credentials to verify the SCIM connection, then select Save.
Navigate to Provisioning > Settings > To App, click Edit, enable Create Users, Update User Attributes, and Deactivate Users, then select Save.

Okta to App Configuration

Step 4: Sync Users to NetBird

Access the Assignments tab, click Assign, then Assign to Groups.
Choose the groups for provisioning, select Assign and then Save and Go Back.
Click Done to conclude the group assignment process.

high-level-dia

Step 5. Sync groups to NetBird

Access the Push Groups tab

high-level-dia

Select the Push Groups and then Find groups by name
Search groups to push and then click Save
The selected groups will then be synced to NetBird.

SCIM provisioning will manage only resources that are created through Okta. Any resources created directly in NetBird will not be managed by SCIM.

Synced groups will only be available for membership and will not change the role of user in NetBird.

Peers

Access Control

Network Routes

DNS

Team

Activity

Settings

Integrations

Public API