Access control for GSuite/GCP OIDC authentication

I have Firezone set up with OIDC login via Google. How would I best go about limiting who within my Google Organization is able to log in to Firezone?

For example, let's say I have a QA environment that only QA people should be able to log in to. How/where would I define which QA users (from GSuite) are allowed to log in to that Firezone instance? Right now anyone within the org could conceivably log in to the QA instance, which is not optimal.

Unfortunately Google doesn't make this easy for OIDC. You'd want to disable auto_create_users for that connector, and manually provision each user via the Firezone REST API or UI before they're able to log in.

Alternatively, you could use the SAML connector which does support restricting app access to groups of users. Here’s our guide if it’s helpful: Google Workspace | Firezone

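The "disable auto_create_users, then provision only the QA users" approach from the reply above, worked through as an added example (not Firezone's own code, and not part of the original thread). It assumes the Firezone 0.x REST API shape I recall from its docs: Bearer-token auth, `GET`/`POST`/`DELETE /v0/users`, a `{"user": {...}}` request body, and a `PATCH /v0/configuration` body carrying an `openid_connect_providers` list; the base URL, token, client IDs, redirect URI and the sample user records are constructed placeholders. Check the endpoint names and payloads against the docs for the Firezone version you run before pointing it at a real instance. The reconciliation logic is the security-relevant part: with `auto_create_users` off, a successful Google login only gets a session if that e-mail already exists in Firezone, so the allowlist below becomes the access policy for the QA instance, and the plan step refuses to delete admin accounts so a bad allowlist cannot lock you out.

```python
"""Reconcile a Firezone instance's users against a QA allowlist.

Added example, not Firezone's own code. API paths, payload shapes and the
sample data below are assumptions/placeholders; verify against your version.
"""
import json
import urllib.request

# Hypothetical OIDC connector with auto-provisioning disabled. With
# auto_create_users false, a Google login for an e-mail that is not already
# a Firezone user is rejected, so only explicitly provisioned users get in.
GOOGLE_OIDC_PROVIDER = {
    "id": "google",
    "label": "Google",
    "discovery_document_uri": "https://accounts.google.com/.well-known/openid-configuration",
    "client_id": "REPLACE_ME.apps.googleusercontent.com",           # placeholder
    "client_secret": "REPLACE_ME",                                   # placeholder
    "redirect_uri": "https://qa-vpn.example.com/auth/oidc/google/callback/",  # placeholder
    "response_type": "code",
    "scope": "openid email profile",
    "auto_create_users": False,
}

# Constructed sample of what GET /v0/users might return (the "data" list).
SAMPLE_EXISTING_USERS = [
    {"id": "1", "email": "admin@example.com", "role": "admin"},
    {"id": "2", "email": "qa1@example.com", "role": "unprivileged"},
    {"id": "3", "email": "dev@example.com", "role": "unprivileged"},
]

# Constructed QA allowlist, e.g. exported from a Google Group. Deliberately
# includes odd casing, whitespace and a blank line to show normalisation.
QA_ALLOWLIST = ["qa1@example.com", "QA2@example.com ", ""]


def normalise(emails):
    """Lower-case, trim and drop empties so comparisons are exact."""
    return {e.strip().lower() for e in emails if e and e.strip()}


def plan(existing_users, allowed_emails):
    """Return (emails_to_create, user_ids_to_delete).

    Admin accounts are never scheduled for deletion: the allowlist governs
    who may log in via Google, not who administers the instance.
    """
    existing = {u["email"].lower(): u for u in existing_users}
    allowed = normalise(allowed_emails)
    to_create = sorted(allowed - existing.keys())
    to_delete = sorted(
        u["id"] for email, u in existing.items()
        if email not in allowed and u.get("role") != "admin"
    )
    return to_create, to_delete


def user_create_body(email):
    """Assumed POST /v0/users payload: an unprivileged (non-admin) user."""
    return {"user": {"email": email, "role": "unprivileged"}}


def provider_config_body(provider):
    """Assumed PATCH /v0/configuration payload carrying the OIDC connector."""
    return {"configuration": {"openid_connect_providers": [provider]}}


def _request(base_url, token, method, path, body=None):
    """Minimal authenticated JSON call; only used when dry_run is False."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{base_url}{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:  # noqa: S310 - trusted base_url
        return json.loads(resp.read() or b"null")


def reconcile(base_url, token, allowed_emails, existing_users, dry_run=True):
    """Apply the plan. Returns the list of (method, path) calls it would make."""
    to_create, to_delete = plan(existing_users, allowed_emails)
    calls = [("PATCH", "/v0/configuration", provider_config_body(GOOGLE_OIDC_PROVIDER))]
    calls += [("POST", "/v0/users", user_create_body(e)) for e in to_create]
    calls += [("DELETE", f"/v0/users/{uid}", None) for uid in to_delete]
    if not dry_run:
        for method, path, body in calls:
            _request(base_url, token, method, path, body)
    return [(m, p) for m, p, _ in calls]


if __name__ == "__main__":
    # Dry run against the constructed sample; prints the calls it would make.
    for call in reconcile("https://qa-vpn.example.com", "TOKEN",
                          QA_ALLOWLIST, SAMPLE_EXISTING_USERS):
        print(*call)
```

Run it as-is for a dry run; to apply, fetch the live user list (`GET /v0/users`, taking the `data` list) and pass it with `dry_run=False`. Re-running it on a schedule keeps the QA instance's user set equal to the allowlist, which is the closest an OIDC-only setup gets to the group restriction the SAML connector offers natively.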

Thanks for the clarification. Looks like I’ll be experimenting with SAML.