Identity Provider synchronization

Welcome to our comprehensive guide on configuring Identity Provider (IdP) for users and groups synchronization. This document provides step-by-step instructions and best practices for setting up and managing your synchronization processes effectively.

Google WorkSpace

Before you start creating and configuring an Google Workspace application, ensure that you have the following:

Step 1: Create a service account

  • Navigate to API Credentials page
  • Click CREATE CREDENTIALS at the top and select Service account
  • Fill in the form with the following values and click CREATE
    • Service account name: NetBird
    • Service account ID: netbird
  • Click DONE


Step 2: Create service account keys

  • Navigate to API Credentials page
  • Under Service Accounts click the NetBird to edit the service account


  • Take note of service account email address, you will use it in next steps
  • Click the Keys tab
  • Click the Add key drop-down menu, then select Create new key
  • Select JSON as the Key type and click Create

When you create a service account key by using the Google Cloud console, most browsers immediately download the new key and save it in a download folder on your computer. Read how to manage and secure your service keys here

Step 3: Grant a user management admin role to a service account

  • Navigate to Admin Console page
  • Select Account on the left menu and then click Admin Roles
  • Click Create new role
  • Fill in the form with the following values and click CREATE
    • name: User and Group Management ReadOnly
    • description: User and Group Management ReadOnly
  • Click CONTINUE


  • Scroll down to Admin API privileges and add the following privileges
    • Users: Read
    • Groups: Read


  • Verify preview of assigned Admin API privileges to ensure that everything is properly configured, and then click CREATE ROLE

  • Click Assign service accounts, add service account email address and then click ADD


  • Click ASSIGN ROLE to assign service account to User and Group Management ReadOnly admin role


Azure AD

Before you start creating and configuring an Azure AD application, ensure that you have the following:

  • User account with admin permissions: You must have an Azure AD user account with the appropriate permissions to create and manage Azure AD applications. If you don't have the required permissions, ask your Azure AD administrator to grant them to you.

Step 1. Create and configure Azure AD application

  • Navigate to Azure Active Directory
  • Click App Registrations in the left menu then click on the + New registration button to create a new application.
  • Fill in the form with the following values and click Register
    • Name: NetBird


Step 2. Add API permissions

  • Click API permissions on the left menu
  • Click Add a permission
  • Click Microsoft Graph and then click Application permissions tab
  • In Select permissions select User.Read.All and Group.Read.All and click Add permissions


  • Click Grant admin consent for Default Directory and click Yes


Step 3. Generate client secret

  • Click Certificates & secrets on left menu
  • Click New client secret
  • Fill in the form with the following values and click Add
  • Description: NetBird
  • Copy Value and save it as it can be viewed only once after creation.


  • Navigate to Owner applications.
  • Select NetBird application in overview page, take note of Application (client) ID and Directory (tenant) ID.


If your organization relies on Okta for managing employee access, automating access to NetBird via Okta's Provisioning feature can streamline your operations. This integration leverages SCIM (System for Cross-domain Identity Management) to ensure smooth synchronization of users and groups. For comprehensive insights into Okta's SCIM capabilities, please consult this article.


  • Begin by installing the NetBird application from the Okta Integration Network
  • Following installation, reach out to support to activate Okta SSO for your support.

Supported Features

OIDC Features
  • SP-initiated SSO (Single Sign-On): Users must start authentication from NetBird's login page by entering their Okta email and clicking Continue.
SCIM Features
  • Create Users: Users added through Okta will automatically be created in NetBird.
  • Update User Attributes: Any changes to user attributes in Okta will be synchronized with NetBird.
  • Deactivate Users: Deactivating a user in Okta will also deactivate them in NetBird.
  • Group Push: Groups created in Okta will be synchronized to NetBird.

Configuration Steps

Step 1: Configure SSO in Okta
  • Access the Okta dashboard and navigate to Applications > Applications, selecting the previously installed NetBird application.
  • Go to Sign On > Settings and select Edit.
  • In the Credentials Details section, change the Application username format to Email and select Save.

Okta SSO Configuration

Step 2: Enable Okta SCIM in NetBird

NetBird Identity Provider List

  • Follow the displayed instructions to link your Okta account. Ensure to note the Authorization(Bearer) token generated for use in the subsequent step.

Okta SCIM Credentials

Step 3: Enable Provisioning in Okta
  • From the Okta dashboard, navigate to Applications > Applications and select the NetBird application.
  • Under the Provisioning tab, choose Integration, then select Configure API Integration

Okta Provisioning Configuration

  • Opt to Enable API integration and insert previously noted Authorization(Bearer) token into the API Token field.

Enabling Okta Provisioning

  • Click Test API Credentials to verify the SCIM connection, then select Save.
  • Navigate to Provisioning > Settings > To App, click Edit, enable Create Users, Update User Attributes, and Deactivate Users, then select Save.

Okta to App Configuration

Step 4: Sync Users to NetBird
  • Access the Assignments tab, click Assign, then Assign to Groups.
  • Choose the groups for provisioning, select Assign and then Save and Go Back.
  • Click Done to conclude the group assignment process.


Step 5. Sync groups to NetBird

  • Access the Push Groups tab


  • Select the Push Groups and then Find groups by name
  • Search groups to push and then click Save
  • The selected groups will then be synced to NetBird.