
Single Sign-On (SSO) with Firebase Auth and Your Organisation IdP

The Velocity app uses Firebase Authentication (and optionally Identity Platform) and can federate with your organisation’s identity provider (IdP) so users sign in with company SSO (SAML or OpenID Connect).

Google SSO (native)

To enable Sign in with Google:

  1. In Firebase Console → Authentication → Sign-in method, enable the Google provider.
  2. Ensure NEXT_PUBLIC_GOOGLE_SSO_ENABLED is not set to "false" (it defaults to enabled). Optionally restrict to your domain (e.g. @gamuda.com.my) in the Google provider settings.

The login page will show a "Sign in with Google" button; first-time users get a Firestore user document with default role (VIEWER).

Organisation SSO (SAML/OIDC) — Overview

  • Firebase / GCP: You configure a SAML or OpenID Connect (OIDC) provider in the Firebase Console. Firebase acts as the identity broker.
  • Your IdP: Your organisation’s IdP (e.g. Azure AD, Okta, Keycloak, Google Workspace) is configured to trust Firebase as a service provider (SP) or OIDC relying party.
  • App: The app uses signInWithRedirect and getRedirectResult with the provider ID you set in NEXT_PUBLIC_SSO_PROVIDER_ID.

Prerequisites

  1. Firebase project
    Use the same project as the app (e.g. gtc-tools-dev).

  2. Identity Platform (for SAML/OIDC)
    SAML and OIDC are only available when the project uses Firebase Authentication with Identity Platform (Blaze plan).

    • In Firebase Console → Project settings → Integrations → Identity Platform: enable if not already.
  3. IdP details
    Get from your IdP team:

    • SAML: Entity ID (IdP), SSO URL, public key certificate (X.509), and your app’s Entity ID (SP).
    • OIDC: Client ID, client secret (if using auth code flow), and Issuer URL (e.g. https://auth.yourcompany.com with /.well-known/openid-configuration).

1. Configure the provider in Firebase Console

Option A: SAML

  1. Go to Authentication → Sign-in method.
  2. Click Add new provider → SAML.
  3. Give a Provider name (e.g. gamuda-idp). Note the Provider ID (e.g. saml.gamuda-idp) — you’ll use it in the app.
  4. Enter:
    • IdP entity ID
    • SSO URL
    • IdP public key certificate (X.509)
    • App (SP) entity ID — the identifier your IdP uses for this app
  5. Save.

Option B: OpenID Connect (OIDC)

  1. On the same Sign-in method page, click Add new provider → OpenID Connect.
  2. Choose Authorization code flow (recommended).
  3. Give a Provider name (e.g. gamuda-idp). Note the Provider ID (e.g. oidc.gamuda-idp).
  4. Enter Client ID, Client secret, and Issuer (URL that serves /.well-known/openid-configuration).
  5. Save.

Authorised domains

In Authentication → Settings, add your app’s domains (e.g. localhost for dev, your production domain) to Authorised domains so redirects work.


2. Configure your organisation’s IdP

Your IdP must trust Firebase as a service provider (SAML) or relying party (OIDC).

  • SAML: Register Firebase as an SP. You’ll need Firebase’s SP Entity ID and ACS (Assertion Consumer Service) URL from the Firebase SAML setup (or from Google Cloud Identity Platform / IAP docs for your project).
  • OIDC: Register the app as an OIDC client. Redirect URI will be of the form
    https://<authDomain>/__/auth/handler
    (e.g. https://gtc-tools-dev.firebaseapp.com/__/auth/handler). Use the same for dev/prod if using the same Firebase project.

Your security/IdP team can use Google’s docs for SAML and OIDC with Identity Platform.


3. Configure the app

Set the provider ID in the app so the login page shows “Sign in with company SSO” and uses the correct provider.

Environment variable (e.g. in .env.local or your hosting env):

# Provider ID from Firebase Console (SAML or OIDC)
NEXT_PUBLIC_SSO_PROVIDER_ID=saml.gamuda-idp
# or
NEXT_PUBLIC_SSO_PROVIDER_ID=oidc.gamuda-idp

  • Use the exact Provider ID shown in Firebase (e.g. saml.gamuda-idp or oidc.gamuda-idp).
  • If NEXT_PUBLIC_SSO_PROVIDER_ID is empty, the SSO button is hidden and only email/password (and any other enabled methods) are shown.

4. Flow in the app

  1. User opens the app and clicks Sign in with company SSO.
  2. They are redirected to your IdP (SAML or OIDC).
  3. After sign-in at the IdP, they are redirected back to the app.
  4. The app calls getRedirectResult(), creates or updates the Firestore user document, and redirects to the dashboard.

User records (e.g. role, team) are created/updated in Firestore on first SSO sign-in; you can manage access as for other sign-in methods.
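The overview above names signInWithRedirect and getRedirectResult, and step 4 describes the round trip: start the redirect, come back, complete the sign-in and create or update the Firestore user document. The block below is an added example of that client-side wiring written against the Firebase modular JS SDK; it is not the Velocity app's own code. The SDK constructors and functions are passed in as an `sdk` object (in the app this would be `{ SAMLAuthProvider, OAuthProvider, signInWithRedirect, getRedirectResult }` imported from "firebase/auth"), and `store` is an assumed thin wrapper over Firestore with `getUserDoc(uid)` and `mergeUserDoc(uid, fields)`; both are assumptions so the helpers can also run against stubs. The role handling follows the page's rule that first-time users get VIEWER, and adds the caveat a reviewer would raise: a later sign-in must not reset or elevate an existing role.

```javascript
// Added example, not the Velocity app's code. Assumes the Firebase modular SDK
// (firebase/auth) is injected as `sdk` and Firestore access as `store`.

const DEFAULT_ROLE = "VIEWER"; // default role for first-time users, as stated on the page

// Interpret NEXT_PUBLIC_SSO_PROVIDER_ID. An empty value means "SSO button hidden"
// (returns null). Firebase only accepts "saml.*" and "oidc.*" provider IDs here,
// so anything else is a misconfiguration and is rejected loudly.
function resolveSsoProvider(providerId) {
  const id = (providerId || "").trim();
  if (id === "") return null;
  if (id.startsWith("saml.")) return { kind: "saml", id };
  if (id.startsWith("oidc.")) return { kind: "oidc", id };
  throw new Error(`Unsupported SSO provider ID: ${id}`);
}

// Build the provider object. SAML uses SAMLAuthProvider; OIDC providers configured
// in the console are used through OAuthProvider with their "oidc." ID.
function buildProvider(sdk, providerId) {
  const resolved = resolveSsoProvider(providerId);
  if (!resolved) return null;
  return resolved.kind === "saml"
    ? new sdk.SAMLAuthProvider(resolved.id)
    : new sdk.OAuthProvider(resolved.id);
}

// Steps 1-2 of the flow: send the user to the IdP.
async function startCompanySso(sdk, auth, providerId) {
  const provider = buildProvider(sdk, providerId);
  if (!provider) throw new Error("Company SSO is not configured");
  await sdk.signInWithRedirect(auth, provider);
}

// Fields to merge into the Firestore user document. `role` is written only when
// the document does not exist yet; it is never derived from IdP attributes and
// never touched on later sign-ins, so a re-login cannot downgrade an admin to
// VIEWER and no upstream claim can grant a higher role from the client. Firestore
// security rules must still forbid clients from writing `role` themselves.
function buildUserDocUpdate(existingDoc, user, nowIso) {
  const update = {
    uid: user.uid,
    email: user.email || null,
    displayName: user.displayName || null,
    lastLoginAt: nowIso,
  };
  if (!existingDoc) {
    update.role = DEFAULT_ROLE;
    update.createdAt = nowIso;
  }
  return update;
}

// Step 4 of the flow: run on page load after the IdP redirects back.
// getRedirectResult resolves to null on an ordinary page load, so callers can
// safely invoke this on every load and only act when a result is present.
async function completeCompanySso(sdk, auth, store) {
  const result = await sdk.getRedirectResult(auth);
  if (!result) return null;
  const user = result.user;
  const existing = await store.getUserDoc(user.uid); // null when first sign-in
  const update = buildUserDocUpdate(existing, user, new Date().toISOString());
  await store.mergeUserDoc(user.uid, update); // setDoc(..., { merge: true }) in Firestore terms
  return { uid: user.uid, role: existing ? existing.role : update.role };
}
```

In the app, the login page calls `startCompanySso(sdk, getAuth(), process.env.NEXT_PUBLIC_SSO_PROVIDER_ID)` from the button handler, and the app shell awaits `completeCompanySso` once on mount before routing to the dashboard; rendering the button only when `resolveSsoProvider(...)` is non-null gives the hide-when-empty behaviour described in step 3.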


5. Optional: Google as IdP (Google Workspace)

If your organisation uses Google Workspace and you only need “Sign in with Google” restricted to your domain, you can:

  • Use the existing Google provider in Firebase and restrict to your domain (e.g. @gamuda.com.my) in Firebase Console or via Auth settings.

That does not require SAML/OIDC. Use SAML/OIDC when your IdP is non-Google or you need a single “company SSO” button that goes to your corporate IdP.


Summary

Step  Where             What
1     Firebase Console  Enable Identity Platform; add SAML or OIDC provider; note Provider ID.
2     Your IdP          Register Firebase/app as SP (SAML) or OIDC client; set redirect URI.
3     App               Set NEXT_PUBLIC_SSO_PROVIDER_ID to the Firebase Provider ID.
4     Users             Use “Sign in with company SSO” on the login page.

For more detail, see the Firebase documentation on SAML and OpenID Connect sign-in.