Authenticate to NetBird with Single Sign On (SSO)
NetBird works out of the box with popular Identity Providers (IdPs) such as Google Workspace, Microsoft Entra ID, and Okta, offering seamless Single Sign-On (SSO) for your users.
It also supports social logins including Google, GitHub, and Microsoft accounts.
For other OIDC (OpenID Connect)-compliant IdPs like Authentik, Keycloak, JumpCloud, and others, NetBird provides full support, though some additional configuration is required to complete the integration.
This guide covers the setup for cloud-hosted NetBird. If you are using the self-hosted version, please refer to the self-hosted documentation.
Google, Microsoft, and GitHub
If you're using Google Workspace, Microsoft Entra ID, or a supported social login, you can simply sign in with no extra setup—just click the appropriate button on the login page:
Okta
If you are using Okta as your Identity Provider, sign up with any email address and then follow the steps described in this guide
OIDC-compliant IdPs
For OIDC-compliant Identity Providers such as Authentik, Keycloak, and others, you’ll need to configure the IdP to integrate with NetBird. Below are the steps to set up different OIDC-compliant IdPs with NetBird.
Support for OIDC-compliant IdPs is available on the Team plan and higher. The Free plan supports Google, Microsoft, and social logins.
Authentik
- You need to create a new Application and Provider.
- Browse to the Applications Administration menu, click on Application, and then click on Create with Provider:
- Name the Application and select a suitable explicit user flow. In the example below, we used NetBird:
- Click Next and select the OAuth2/OpenID Provider Type:
- Click Next and select an explicit user authorization flow, then take note of the Client ID and Client Secret:
- Add the following redirect URL and select a signing key:
URL:https://login.netbird.io/login/callback
- Click on Advanced protocol settings and ensure that the email, opened, and profile scopes are selected and that Based on the User’s Hash ID is selected for Subject mode:
- Click Next on the following two screens and Submit to create the provider and application:
- You should see an application listed as follow:
- We need to copy the OpenID Configuration URL for the new provider. You can do that by navigating to Providers in the left menu and then selecting the newly created provider. There you should see a windows similar to the following:
- Copy the OpenID Configuration URL.
- Then, share the following information with the NetBird support team at support@netbird.io:
- Client ID
- Client Secret
- OpenID Configuration URL
- Email domains for your users
We recommend using a secure channel to share the Client’s secret. You can send a separate email and use a secret sharing service like:
https://onetimesecret.com/en/
https://password.link/en
Keycloak
-
You need to create a new client
- Browse to the clients Administration menu and then click in Create client:
- Create a client with the type OpenID Connect and add any client ID and name for the client:
- Click Next and enable the following options for Capability config:
-
Click Next and fill the following fields:
Valid redirect URIs:
https://login.netbird.io/login/callback
Web origins:+
-
Click Save.
-
Next we need to retrieve the secret for the client, you can get that in the Credentials tab for the client:
- Then, share the following information with the NetBird support team at support@netbird.io:
- Client ID
- Keycloak URL
- Realm
- Client Secret
- Email domains for your users
We recommend using a secure channel to share the Client’s secret. You can send a separate email and use a secret sharing service like:
https://onetimesecret.com/en/
https://password.link/en