ZTNA - Connecting 3rd Party IdP (Google, Entra, Auth0)

Connecting an External Identity Provider in Zitadel

This lets users click "Sign in with Google", "Sign in with Microsoft", "Sign in with GitHub", etc. on your Zitadel login screen and authenticate with the account they already hold at that provider. Zitadel acts as the identity broker between the external IdP and the downstream app (NetBird).

Setup for Google Workspace as an example

As an example, we documented the setup for Google Workspace. All other IdPs follow a very similar path. Contact Uplevel support if you cannot find the setup for your IdP in the Zitadel documentation.

Step 1: Create OAuth Credentials in Google Cloud Console

  1. Go to console.cloud.google.com and create a project (or use an existing one).
  2. Navigate to APIs & Services > Credentials.
  3. Click Create Credentials > OAuth client ID.
  4. Select Web application as the application type.
  5. Under Authorized redirect URIs, add: https://$your.domain.uplevel-ztna.net/ui/login/login/externalidp/callback
  6. Save and copy the Client ID and Client Secret.

If your Google Workspace admin restricts OAuth apps, you may need to allowlist this Client ID in the Workspace Admin Console under Security > API Controls > App Access Control.

Step 2: Add Google as an IdP in Zitadel Console

  1. Log into your Zitadel Console as an IAM admin.
  2. Go to Default Settings (profile button, bottom left of the sidebar).
  3. Scroll to Identity Providers and click New.
  4. Zitadel offers a Google template. Select it.
  5. Paste in the Client ID and Client Secret from Step 1.
  6. The template pre-fills scopes (openid, profile, email). These are fine for most setups.
  7. Configure these optional settings based on your preference:
    • Automatic creation: Enable this if you want Zitadel to auto-create a local user when someone logs in with Google for the first time.
    • Automatic update: Enable this if you want profile changes in Google (name, email, etc.) to sync back to the Zitadel user on login.
    • Account linking: If enabled, users can link their Google identity to an existing Zitadel account.
  8. Save the provider.

Step 3: Activate the Provider

After saving, find the new Google provider in the Identity Providers list and activate it.

Step 4: Enable External IdP Login in the Login Policy

  1. Navigate to Default Settings > Login Behavior and Security (or go directly to https://$your.domain.uplevel-ztna.net/ui/console/).
  2. Ensure Allow External IDP is enabled in the login policy.
  3. Save.

If you only want this for a specific organization rather than instance-wide, go to the org settings instead and override the login policy there.

Step 5: Test

Open an incognito window, navigate to your Zitadel login page, and you should see a "Sign in with Google" button. Clicking it should redirect to Google's OAuth consent screen, then back to Zitadel. If automatic creation is enabled, the user is provisioned on first login.

Notes

  • This same process works for other providers. Zitadel has built-in templates for Google, GitHub, GitLab, Apple, Microsoft/Entra ID, and others. For anything else, use the Generic OIDC or Generic SAML template.
  • If you want to restrict login to a specific Google Workspace domain, you can add the hd (hosted domain) parameter to the scopes or handle it with Zitadel Actions (server-side scripts that run during the auth flow).
  • For per-organization IdP configuration (e.g., one client uses Google Workspace, another uses GitHub), configure the IdP at the organization level instead of the instance default. Zitadel supports domain discovery to route users to the correct IdP based on their email domain.
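As an added example (not Zitadel's or Uplevel's code), this is the shape of the hosted-domain check a Zitadel Action could apply after Google redirects back, covering the Workspace-domain restriction in the note above: Google documents the hd request parameter as a hint that only filters the account picker, so the hd claim in the returned ID token must be verified server-side. The ctx.v1.claims and ctx.v1.externalUser field names and the function name are assumptions to be checked against the Zitadel Actions documentation, and the allowlist is constructed.

```javascript
// Constructed allowlist of Google Workspace domains permitted to sign in.
const ALLOWED_HD = ["example.com"];

// True only if the ID token carries an `hd` claim that is on the allowlist.
// Consumer @gmail.com accounts carry no `hd` claim at all, so they are denied.
function hostedDomainAllowed(claims, allowed) {
  if (!claims || typeof claims.hd !== "string") return false;
  const hd = claims.hd.trim().toLowerCase();
  return allowed.some((d) => d.toLowerCase() === hd);
}

// Defence in depth: the email's domain must agree with the `hd` claim, so a
// user cannot be admitted on the strength of a lookalike address alone.
function emailMatchesHostedDomain(email, hd) {
  if (typeof email !== "string" || !email.includes("@")) return false;
  const domain = email.slice(email.lastIndexOf("@") + 1).toLowerCase();
  return domain === hd.trim().toLowerCase();
}

// Combined decision used by the Action; returns a boolean so it can be tested
// without the Zitadel runtime.
function loginAllowed(claims, email, allowed) {
  return (
    hostedDomainAllowed(claims, allowed) &&
    emailMatchesHostedDomain(email, claims.hd)
  );
}

// Hypothetical Action entry point for the External Authentication flow
// (Post Authentication trigger). Assumed: ctx.v1.claims holds the ID-token
// claims and ctx.v1.externalUser.email the email Zitadel mapped from the IdP.
// Throwing aborts the login when the action is not marked "allowed to fail".
function restrictToWorkspaceDomain(ctx, api) {
  const claims = ctx && ctx.v1 ? ctx.v1.claims : null;
  const email = ctx && ctx.v1 && ctx.v1.externalUser ? ctx.v1.externalUser.email : null;
  if (!loginAllowed(claims, email, ALLOWED_HD)) {
    throw new Error("login denied: account is not in an allowed Google Workspace domain");
  }
}
```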
