Authenticate to NetBird with Single Sign On (SSO)

NetBird works out of the box with popular Identity Providers (IdPs) such as Google Workspace, Microsoft Entra ID, and Okta, offering seamless Single Sign-On (SSO) for your users.

It also supports social logins including Google, GitHub, and Microsoft accounts.

For other OIDC (OpenID Connect)-compliant IdPs like Authentik, Keycloak, JumpCloud, and others, NetBird provides full support, though some additional configuration is required to complete the integration.

Google, Microsoft, and GitHub

If you're using Google Workspace, Microsoft Entra ID, or a supported social login, you can simply sign in with no extra setup—just click the appropriate button on the login page:

netbird-login

Okta

If you are using Okta as your Identity Provider, sign up with any email address and then follow the steps described in this guide

OIDC-compliant IdPs

For OIDC-compliant Identity Providers such as Authentik, Keycloak, and others, you’ll need to configure the IdP to integrate with NetBird. Below are the steps to set up different OIDC-compliant IdPs with NetBird.

Authentik

  1. You need to create a new Application and Provider.
    • Browse to the Applications Administration menu, click on Application, and then click on Create with Provider:

create-with-provider

  • Name the Application and select a suitable explicit user flow. In the example below, we used NetBird:

new-application

  • Click Next and select the OAuth2/OpenID Provider Type:

new-application

  • Click Next and select an explicit user authorization flow, then take note of the Client ID and Client Secret:

new-application

  • Add the following redirect URL and select a signing key:
    URL: https://login.netbird.io/login/callback

new-application

  • Click on Advanced protocol settings and ensure that the email, opened, and profile scopes are selected and that Based on the User’s Hash ID is selected for Subject mode:

new-application

  • Click Next on the following two screens and Submit to create the provider and application:

new-application

  • You should see an application listed as follow:

list-applications

  1. We need to copy the OpenID Configuration URL for the new provider. You can do that by navigating to Providers in the left menu and then selecting the newly created provider. There you should see a windows similar to the following:

list-providers

  • Copy the OpenID Configuration URL.
  1. Then, share the following information with the NetBird support team at support@netbird.io:
  • Client ID
  • Client Secret
  • OpenID Configuration URL
  • Email domains for your users

Keycloak

  1. You need to create a new client

    • Browse to the clients Administration menu and then click in Create client:

new-client

  1. Create a client with the type OpenID Connect and add any client ID and name for the client:

new-client

  1. Click Next and enable the following options for Capability config:

new-client

  1. Click Next and fill the following fields:

    Valid redirect URIs: https://login.netbird.io/login/callback
    Web origins: +

new-client

  1. Click Save.

  2. Next we need to retrieve the secret for the client, you can get that in the Credentials tab for the client:

new-client

  1. Then, share the following information with the NetBird support team at support@netbird.io:
  • Client ID
  • Keycloak URL
  • Realm
  • Client Secret
  • Email domains for your users