NetBird supports integration with multiple identity providers (IdPs) to enable Single Sign-On (SSO) authentication for your network. SSO allows users to authenticate once and access all connected resources securely.

Supported Identity Providers

NetBird integrates with the following identity providers:

Auth0: Enterprise-grade authentication platform
Azure AD: Microsoft Azure Active Directory (now Microsoft Entra ID)
Okta: Enterprise identity management
Keycloak: Open-source identity and access management
Google Workspace: Google’s enterprise identity platform
JumpCloud: Cloud directory platform
Zitadel: Cloud-native identity management
Authentik: Open-source identity provider
Dex: OpenID Connect identity provider

Configuration Overview

Each identity provider requires specific configuration parameters. The general setup process involves:

1. Register NetBird Application: create an application (client) for NetBird in your IdP’s admin console and obtain its client ID and client secret.

2. Configure Management Server: add the IdP configuration to your NetBird management server settings.

3. Set Callback URLs: register the OAuth/OIDC redirect (callback) URLs of your NetBird instance in the IdP. The IdP compares them exactly, including protocol and port, so a mismatch fails the login silently on the IdP side.

4. Test Authentication: verify that a user can complete the SSO flow end to end before rolling it out to everyone.
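Before starting the management server, it is worth exercising the credentials from step 1 and the assumptions behind step 4 by hand: request a token with the client_credentials grant the server will use, then look at the issuer and audience claims it carries. The script below is an added example, not part of NetBird or of this page; the environment variable names, the endpoint URLs and the sample token it builds for offline runs are assumptions.

```python
"""Client-credentials pre-flight for an IdP configured for NetBird.

Added example, not NetBird's own code. It requests a token with the same grant
the management server will use and decodes the token's claims (no signature
check) so the issuer and audience you are about to write into the config can be
compared with what the IdP actually emits. Endpoint URLs, environment variable
names and the sample token are assumptions.
"""
import base64
import json
import time
import urllib.parse
import urllib.request


def build_token_request(token_endpoint, client_id, client_secret, audience=None, scope=None):
    """URL and form body for the OAuth2 client_credentials grant (RFC 6749 section 4.4).
    'audience' is the Auth0-specific parameter; Okta wants 'scope' instead."""
    form = {"grant_type": "client_credentials", "client_id": client_id, "client_secret": client_secret}
    if audience:
        form["audience"] = audience
    if scope:
        form["scope"] = scope
    return token_endpoint, urllib.parse.urlencode(form).encode()


def fetch_token(token_endpoint, client_id, client_secret, audience=None, scope=None, timeout=10):
    """POST the grant to the IdP and return the raw access token (network call)."""
    url, body = build_token_request(token_endpoint, client_id, client_secret, audience, scope)
    if urllib.parse.urlparse(url).scheme != "https":
        raise ValueError("token endpoint must be https; the client secret would otherwise travel in clear text")
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode a JWT's header and payload WITHOUT verifying its signature.
    Fine for eyeballing a token just received over TLS from the IdP; never use it to authorise anything."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def inspect_access_token(token, expected_issuer, expected_audience=None, now=None):
    """Named checks -> bool, so a False points at the config field to fix.
    The issuer comparison is exact on purpose: a trailing-slash difference is a real mismatch."""
    header, claims = jwt_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    checks = {
        "issuer_matches": claims.get("iss") == expected_issuer,
        "not_expired": claims.get("exp", 0) > now,
        # IdPs sign with an asymmetric key; an HS* token here means the wrong endpoint or client type.
        "asymmetric_alg": header.get("alg", "").startswith(("RS", "ES", "PS")),
    }
    if expected_audience is not None:
        checks["audience_matches"] = expected_audience in aud
    return checks


def make_sample_token(iss, aud, ttl=3600, now=None):
    """Constructed fixture for offline runs: RS256 header, plausible claims, dummy signature."""
    now = time.time() if now is None else now

    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return ".".join([enc({"alg": "RS256", "typ": "JWT"}),
                     enc({"iss": iss, "aud": aud, "iat": int(now), "exp": int(now + ttl)}),
                     "not-a-real-signature"])


if __name__ == "__main__":
    import os
    # Credentials come from the environment so they stay out of shell history (assumed variable names).
    token = fetch_token(os.environ["TOKEN_ENDPOINT"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"],
                        os.environ.get("AUDIENCE"), os.environ.get("SCOPE"))
    for name, ok in inspect_access_token(token, os.environ["ISSUER"], os.environ.get("AUDIENCE")).items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Run it with TOKEN_ENDPOINT, CLIENT_ID, CLIENT_SECRET and ISSUER set, plus AUDIENCE for Auth0 or SCOPE for Okta. If issuer_matches is False only because of a trailing slash, that is still a mismatch a token validator will see: copy the iss value exactly as the IdP emits it. The decoder skips signature verification deliberately, so it is a diagnostic, not a validator.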

Auth0 Configuration

Auth0 integration requires the following configuration:

Required Parameters

Parameter      Description
Audience       Identifier (audience) of the Auth0 API the token is requested for
AuthIssuer     Auth0 tenant domain, e.g. https://your-tenant.auth0.com
ClientID       Client ID of the NetBird application in Auth0
ClientSecret   Client secret of that application
GrantType      OAuth2 grant type (typically client_credentials)

Example Configuration

{
  "ManagerType": "auth0",
  "Auth0ClientCredentials": {
    "Audience": "https://api.netbird.io",
    "AuthIssuer": "https://your-tenant.auth0.com",
    "ClientID": "your-client-id",
    "ClientSecret": "your-client-secret",
    "GrantType": "client_credentials"
  }
}
With these credentials NetBird can create and delete users and update app metadata through the Auth0 Management API. Grant the client only the Management API scopes those operations need (for example read:users, create:users, delete:users and update:users_app_metadata) rather than every scope the API offers.

Azure AD Configuration

Microsoft Azure Active Directory (now Microsoft Entra ID) integration parameters. The management server authenticates with the client_credentials grant, so the app registration needs Microsoft Graph application permissions with admin consent; delegated permissions do not apply to a token that carries no user.

Required Parameters

Parameter          Description
ClientID           Client ID of the NetBird app registration in Azure AD
ClientSecret       Client secret of that app registration
TenantID           Azure AD tenant ID; not a key of its own in the example below, it replaces {tenant} in TokenEndpoint
TokenEndpoint      OAuth2 token endpoint, https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
GraphAPIEndpoint   Microsoft Graph API base URL, https://graph.microsoft.com/v1.0
ObjectID           Object ID of the NetBird application in Azure AD

Example Configuration

{
  "ManagerType": "azure",
  "AzureClientCredentials": {
    "ClientID": "your-client-id",
    "ClientSecret": "your-client-secret",
    "TokenEndpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
    "GraphAPIEndpoint": "https://graph.microsoft.com/v1.0",
    "ObjectID": "your-object-id"
  }
}

Okta Configuration

Okta integration uses an API token for management operations. An Okta API token carries the permissions of the admin who created it and is revoked after 30 days without use, so create it from a dedicated admin account with the narrowest admin role that covers NetBird's user lookups, and rotate it on a schedule.

Required Parameters

Parameter      Description
Issuer         Okta org URL, e.g. https://your-org.okta.com
ApiToken       Okta API token (SSWS) used for user management calls
TokenEndpoint  OAuth2 token endpoint of the org authorization server
GrantType      OAuth2 grant type

Example Configuration

{
  "ManagerType": "okta",
  "ClientConfig": {
    "Issuer": "https://your-org.okta.com",
    "TokenEndpoint": "https://your-org.okta.com/oauth2/v1/token",
    "GrantType": "client_credentials"
  },
  "ExtraConfig": {
    "ApiToken": "your-api-token"
  }
}

Keycloak Configuration

Keycloak open-source IdP integration. TokenEndpoint and AdminEndpoint must name the same realm, the one your users live in, and the NetBird client in that realm needs service accounts enabled plus the realm-management roles (view-users, manage-users) the admin API calls require. The example below uses the master realm for brevity; Keycloak reserves master for administering Keycloak itself, so a dedicated realm for NetBird is the usual choice.

Required Parameters

Parameter      Description
ClientID       Keycloak client ID of the NetBird client
ClientSecret   Client secret of that client (client authentication must be enabled)
TokenEndpoint  Token endpoint of the realm, https://<host>/realms/<realm>/protocol/openid-connect/token
AdminEndpoint  Admin REST API base for the same realm, https://<host>/admin/realms/<realm>
GrantType      OAuth2 grant type

Example Configuration

{
  "ManagerType": "keycloak",
  "KeycloakClientCredentials": {
    "ClientID": "netbird",
    "ClientSecret": "your-client-secret",
    "TokenEndpoint": "https://keycloak.example.com/realms/master/protocol/openid-connect/token",
    "AdminEndpoint": "https://keycloak.example.com/admin/realms/master",
    "GrantType": "client_credentials"
  }
}

Google Workspace Configuration

Google Workspace integration uses a service account with domain-wide delegation:

Required Parameters

Parameter          Description
ServiceAccountKey  Base64-encoded service account key JSON
CustomerId         Google Workspace customer ID (e.g. C01234567)

Setup Steps

1. Create Service Account: create a service account in Google Cloud Console in a project where the Admin SDK (Directory API) is enabled.

2. Enable Domain-Wide Delegation: enable domain-wide delegation for the service account and, in the Workspace admin console, authorize its client ID for the Directory API scope NetBird uses.

3. Download Key: download the service account key JSON and base64-encode it (base64 -w0 key.json with GNU coreutils).

4. Configure NetBird: add the configuration to your management server. The key is a long-lived credential: remove the local copy once it is in the configuration and rotate the key in Cloud Console if it is ever exposed.

Example Configuration

{
  "ManagerType": "google",
  "ExtraConfig": {
    "ServiceAccountKey": "base64-encoded-key-json",
    "CustomerId": "C01234567"
  }
}

Additional IdP Options

JumpCloud

Cloud directory platform requiring only an API token:
{
  "ManagerType": "jumpcloud",
  "ExtraConfig": {
    "ApiToken": "your-api-token"
  }
}

Zitadel

Cloud-native identity management:
{
  "ManagerType": "zitadel",
  "ZitadelClientCredentials": {
    "ClientID": "your-client-id",
    "ClientSecret": "your-client-secret",
    "TokenEndpoint": "https://zitadel.example.com/oauth/v2/token",
    "ManagementEndpoint": "https://zitadel.example.com/management/v1"
  }
}

Authentik

Open-source identity provider. The Username and Password in ExtraConfig are the credentials NetBird uses to call Authentik’s API for user management, so give it a dedicated account holding only the permissions it needs; the example uses admin for illustration only:
{
  "ManagerType": "authentik",
  "ClientConfig": {
    "Issuer": "https://authentik.example.com",
    "ClientID": "netbird",
    "TokenEndpoint": "https://authentik.example.com/application/o/token/"
  },
  "ExtraConfig": {
    "Username": "admin",
    "Password": "your-password"
  }
}

Dex

OpenID Connect provider with gRPC API for user management:
{
  "ManagerType": "dex",
  "ClientConfig": {
    "Issuer": "https://dex.example.com/dex"
  },
  "ExtraConfig": {
    "GRPCAddr": "dex.example.com:5557"
  }
}
Dex authenticates users over OpenID Connect and exposes a gRPC API (port 5557 in the example) that NetBird uses to manage users in Dex’s built-in password database. That API has to be enabled in the Dex configuration; since it can create and delete users, put TLS on it (Dex supports TLS for its gRPC listener) and expose it to the management server only.

User Management

Depending on your IdP, NetBird supports various user management operations; the set available differs per provider (for example, Auth0 supports user creation, deletion and metadata updates, and Dex manages users through its gRPC API):

  • Get user by email
  • Get user by ID
  • Create user
  • Delete user
  • Update metadata
  • Send invite

Disabling Local Authentication

When using an external IdP, you can disable local email/password authentication:
{
  "LocalAuthDisabled": true
}
Before setting this, configure the external IdP and confirm that at least one administrator can log in through it; once local authentication is off, a misconfigured IdP locks everyone out of the management interface.
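The fragments in the provider sections above, the Google setup steps and the LocalAuthDisabled setting share a handful of failure modes: a placeholder left in, a plain-http endpoint, Keycloak token and admin endpoints pointing at different realms, a service-account key that was never base64-encoded, and local authentication disabled against an IdP configuration that cannot work. The pre-flight script below is an added example, not NetBird's code. The key names come from this page's examples; the assumption that the fragment sits under an IdpManagerConfig key in management.json, the sample fragments and the fake Google key are constructed for illustration.

```python
"""Pre-flight checks for the NetBird IdP fragments on this page (added example, not NetBird code).
Key names follow the page's examples; the sample fragments at the bottom are constructed."""
import base64
import json
from urllib.parse import urlparse

# ManagerType -> [(block, required keys)] per the page's examples; Azure's tenant ID only appears inside TokenEndpoint.
REQUIRED = {
    "auth0": [("Auth0ClientCredentials", ["Audience", "AuthIssuer", "ClientID", "ClientSecret", "GrantType"])],
    "azure": [("AzureClientCredentials", ["ClientID", "ClientSecret", "TokenEndpoint", "GraphAPIEndpoint", "ObjectID"])],
    "okta": [("ClientConfig", ["Issuer", "TokenEndpoint", "GrantType"]), ("ExtraConfig", ["ApiToken"])],
    "keycloak": [("KeycloakClientCredentials", ["ClientID", "ClientSecret", "TokenEndpoint", "AdminEndpoint", "GrantType"])],
    "google": [("ExtraConfig", ["ServiceAccountKey", "CustomerId"])],
    "jumpcloud": [("ExtraConfig", ["ApiToken"])],
    "zitadel": [("ZitadelClientCredentials", ["ClientID", "ClientSecret", "TokenEndpoint", "ManagementEndpoint"])],
    "authentik": [("ClientConfig", ["Issuer", "ClientID", "TokenEndpoint"]), ("ExtraConfig", ["Username", "Password"])],
    "dex": [("ClientConfig", ["Issuer"]), ("ExtraConfig", ["GRPCAddr"])],
}
URL_KEYS = {"AuthIssuer", "Issuer", "TokenEndpoint", "AdminEndpoint", "GraphAPIEndpoint", "ManagementEndpoint"}


def _check_block(name, block, keys, out):
    if not isinstance(block, dict):
        out.append(f"error: block {name} is missing")
        return
    for key in keys:
        val = block.get(key)
        if val in (None, ""):
            out.append(f"error: {name}.{key} is missing or empty")
        elif isinstance(val, str) and ("your-" in val or "{tenant}" in val):
            out.append(f"error: {name}.{key} still holds the placeholder {val!r}")
        elif key in URL_KEYS and urlparse(str(val)).scheme != "https":
            out.append(f"error: {name}.{key} must use https, got {val!r}")
        elif key == "GrantType" and val != "client_credentials":
            out.append(f"warn: {name}.GrantType is {val!r}; every example on this page uses client_credentials")


def _realm(url):
    """Realm segment of a Keycloak URL ('/realms/<realm>/...' or '/admin/realms/<realm>'), else None."""
    parts = urlparse(url).path.strip("/").split("/")
    i = parts.index("realms") + 1 if "realms" in parts else len(parts)
    return parts[i] if i < len(parts) else None


def _check_service_account_key(encoded):
    """Google step 3: the value must be the base64 of the downloaded service-account key JSON."""
    try:
        key = json.loads(base64.b64decode(encoded, validate=True))  # binascii.Error is a ValueError
    except ValueError:
        return ["error: ExtraConfig.ServiceAccountKey is not base64-encoded JSON"]
    if not isinstance(key, dict) or key.get("type") != "service_account":
        return ["error: decoded ServiceAccountKey is not a Google service-account key file"]
    missing = [f for f in ("client_email", "private_key") if not key.get(f)]
    return [f"error: service-account key lacks {missing}"] if missing else []


def validate_idp_fragment(frag):
    """Return 'error: ...' / 'warn: ...' findings for one IdP fragment; [] means it passed."""
    out = []
    mtype = frag.get("ManagerType")
    if mtype not in REQUIRED:
        return [f"error: unknown ManagerType {mtype!r}; expected one of {sorted(REQUIRED)}"]
    for block_name, keys in REQUIRED[mtype]:
        _check_block(block_name, frag.get(block_name), keys, out)
    if mtype == "keycloak":
        kc = frag.get("KeycloakClientCredentials") or {}
        realms = {_realm(kc.get(k) or "") for k in ("TokenEndpoint", "AdminEndpoint")}
        if len(realms) > 1:
            out.append(f"error: TokenEndpoint and AdminEndpoint name different realms: {sorted(map(str, realms))}")
        elif realms == {"master"}:
            out.append("warn: master realm in use; Keycloak reserves it for administering Keycloak itself")
    elif mtype == "google":
        out += _check_service_account_key((frag.get("ExtraConfig") or {}).get("ServiceAccountKey") or "")
    elif mtype == "authentik" and (frag.get("ExtraConfig") or {}).get("Username") == "admin":
        out.append("warn: ExtraConfig.Username is 'admin'; use a dedicated account with only the rights NetBird needs")
    return out


def check_local_auth(local_auth_disabled, idp_fragment):
    """Lockout guard for LocalAuthDisabled: refuse unless a fragment exists and passes without errors."""
    if not local_auth_disabled:
        return []
    if idp_fragment is None:
        return ["error: LocalAuthDisabled is true but no IdP is configured; nobody could log in"]
    errors = [f for f in validate_idp_fragment(idp_fragment) if f.startswith("error:")]
    return (["error: fix the IdP configuration before disabling local authentication"] + errors) if errors else []


# Constructed samples (no real credentials): a sound Keycloak fragment and a fake Google key file.
KEYCLOAK_OK = {"ManagerType": "keycloak", "KeycloakClientCredentials": {
    "ClientID": "netbird", "ClientSecret": "s3cr3t-from-the-vault", "GrantType": "client_credentials",
    "TokenEndpoint": "https://kc.corp.example/realms/netbird/protocol/openid-connect/token",
    "AdminEndpoint": "https://kc.corp.example/admin/realms/netbird"}}
SAMPLE_GOOGLE_KEY_B64 = base64.b64encode(json.dumps({
    "type": "service_account", "client_email": "netbird@proj.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nnot-a-real-key\n-----END PRIVATE KEY-----\n"}).encode()).decode()

if __name__ == "__main__":
    import sys
    cfg = json.load(open(sys.argv[1]))  # python idp_preflight.py management.json; assumes an IdpManagerConfig key
    frag = cfg.get("IdpManagerConfig")
    findings = validate_idp_fragment(frag or {}) + check_local_auth(cfg.get("LocalAuthDisabled", False), frag)
    print("\n".join(findings) or "ok")
    sys.exit(1 if any(f.startswith("error:") for f in findings) else 0)
```

Findings prefixed error: are things the management server cannot work with; warn: lines are the permission and realm hygiene points from the sections above and do not fail the run. Wire the script into whatever deploys management.json so that a configuration with errors never reaches a server that has local authentication switched off.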

Troubleshooting

Common Issues

  • Verify client credentials are correct
  • Check that the token endpoint URL is accessible
  • Ensure grant type matches your IdP configuration
  • Validate that API tokens haven’t expired
  • Confirm the management API has proper permissions
  • Check network connectivity to IdP endpoints
  • Review management server logs for detailed error messages
  • Verify user query filters and scopes
  • Ensure redirect URIs are registered in your IdP
  • Check that the callback URL matches exactly (including protocol and port)
  • Verify HTTPS is used for production environments

Security Best Practices

1. Use Strong Credentials: generate strong client secrets and rotate them regularly.

2. Restrict Permissions: grant only necessary permissions to NetBird service accounts.

3. Enable HTTPS: always use HTTPS for production IdP endpoints and callbacks.

4. Monitor Access: enable audit logging in your IdP to track authentication events.

5. Implement MFA: enable multi-factor authentication in your IdP for enhanced security.

Next Steps

MFA Configuration: configure multi-factor authentication

Posture Checks: set up device posture checks
