some file

Authenticate to NetBird with Single Sign On (SSO)

NetBird works out of the box with popular Identity Providers (IdPs) such as Google Workspace, Microsoft Entra ID, and Okta, offering seamless Single Sign-On (SSO) for your users.

It also supports social logins including Google, GitHub, and Microsoft accounts.

For other OIDC (OpenID Connect)-compliant IdPs like Authentik, Keycloak, JumpCloud, and others, NetBird provides full support, though some additional configuration is required to complete the integration.

This guide covers the setup for cloud-hosted NetBird. If you are using the self-hosted version, please refer to the self-hosted documentation.

Google, Microsoft, and GitHub

If you're using Google Workspace, Microsoft Entra ID, or a supported social login, you can simply sign in with no extra setup—just click the appropriate button on the login page:

netbird-login

Okta

If you are using Okta as your Identity Provider, sign up with any email address and then follow the steps described in this guide

OIDC-compliant IdPs

For OIDC-compliant Identity Providers such as Authentik, Keycloak, and others, you’ll need to configure the IdP to integrate with NetBird. Below are the steps to set up different OIDC-compliant IdPs with NetBird.

Support for OIDC-compliant IdPs is available on the Team plan and higher. The Free plan supports Google, Microsoft, and social logins.

Authentik

  1. You need to create a new Application and Provider.
    • Browse to the Applications Administration menu, click on Application, and then click on Create with Provider:

create-with-provider

  • Name the Application and select a suitable explicit user flow. In the example below, we used NetBird:

new-application

  • Click Next and select the OAuth2/OpenID Provider Type:

new-application

  • Click Next and select an explicit user authorization flow, then take note of the Client ID and Client Secret:

new-application

  • Add the following redirect URL and select a signing key:
    URL: https://login.netbird.io/login/callback

new-application

  • Click on Advanced protocol settings and ensure that the email, opened, and profile scopes are selected and that Based on the User’s Hash ID is selected for Subject mode:

new-application

  • Click Next on the following two screens and Submit to create the provider and application:

new-application

  • You should see an application listed as follow:

list-applications

  1. We need to copy the OpenID Configuration URL for the new provider. You can do that by navigating to Providers in the left menu and then selecting the newly created provider. There you should see a windows similar to the following:

list-providers

  • Copy the OpenID Configuration URL.
  1. Then, share the following information with the NetBird support team at support@netbird.io:
  • Client ID
  • Client Secret
  • OpenID Configuration URL
  • Email domains for your users

We recommend using a secure channel to share the Client’s secret. You can send a separate email and use a secret sharing service like:
https://onetimesecret.com/en/
https://password.link/en

Keycloak

  1. You need to create a new client

    • Browse to the clients Administration menu and then click in Create client:

new-client

  1. Create a client with the type OpenID Connect and add any client ID and name for the client:

new-client

  1. Click Next and enable the following options for Capability config:

new-client

  1. Click Next and fill the following fields:

    Valid redirect URIs: https://login.netbird.io/login/callback
    Web origins: +

new-client

  1. Click Save.

  2. Next we need to retrieve the secret for the client, you can get that in the Credentials tab for the client:

new-client

  1. Then, share the following information with the NetBird support team at support@netbird.io:
  • Client ID
  • Keycloak URL
  • Realm
  • Client Secret
  • Email domains for your users

We recommend using a secure channel to share the Client’s secret. You can send a separate email and use a secret sharing service like:
https://onetimesecret.com/en/
https://password.link/en

JumpCloud

  1. Access the JumpCloud and navigate to USER AUTHENTICATION > SSO Applications

  2. Click + Add New Application, select Custom Application and click Next

  3. Enable Manage Single Sign-On (SSO), select Configure SSO with OIDC and click Next

jumpcloud

  1. Add NetBird as Display Label and click Next. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.

  2. Review the application setting and click Configure Application to proceed

jumpcloud-idp

  1. On the New Application screen, go to the SSO tab and under Endpoint Configuration set the following values:

  1. Under Attribute Mapping enable Email and Profile scopes

  2. Go to the User Groups and select the list of groups to which you want to give access to the application and then click activate

  3. Record the Client ID and Client Secret that JumpCloud generates for your application.

  4. Share your Client ID, and Client Secret with our team. Please use a secure method for sharing this information.

We recommend using a secure channel to share the Client’s secret. You can send a separate email and use a secret sharing service like: