What this gets you
Connecting an external identity provider in Zitadel lets users click Sign in with Google, Sign in with Microsoft, or Sign in with GitHub on the Zitadel login screen and authenticate against the account they already have. Zitadel acts as the identity broker between the external IdP and the downstream app (Netbird, in the case of Uplevel ZTNA).
Worked example: Google Workspace
The walkthrough below covers Google Workspace. Every other IdP follows close to the same pattern — pick the matching template in Zitadel and use the credentials issued by that provider. If your IdP isn’t covered by an out-of-the-box template, see the Zitadel IdP guides or contact Uplevel support.
Step 1 — Create OAuth credentials in Google Cloud
- Go to console.cloud.google.com and create a project (or reuse one).
- Navigate to APIs & Services › Credentials.
- Click Create Credentials › OAuth client ID.
- Choose Web application as the application type.
- Under Authorized redirect URIs, add: https://your.domain.uplevel-ztna.net/ui/login/login/externalidp/callback
- Save and copy the Client ID and Client Secret.
If your Google Workspace admin restricts OAuth apps, the new Client ID needs to be allow-listed in the Workspace Admin Console under Security › API Controls › App Access Control.
Step 2 — Add Google as an IdP in Zitadel
- Sign in to the Zitadel Console as an IAM admin.
- Open Default Settings (profile button, bottom-left of the sidebar).
- Scroll to Identity Providers and click New.
- Select the built-in Google template.
- Paste in the Client ID and Client Secret from Step 1. The template pre-fills the required scopes (openid, profile, email); leave these alone for most setups.
- Configure the behavioural toggles:
- Automatic creation — auto-create a Zitadel user on first sign-in with Google.
- Automatic update — keep the Zitadel user’s profile in sync with Google on each sign-in.
- Account linking — let users link an external Google identity to an existing Zitadel account.
- Save.
Step 3 — Activate the provider
In the Identity Providers list, find the new Google provider and activate it.
Step 4 — Enable external IdP login
- Navigate to Default Settings › Login Behavior and Security (or go directly to https://your.domain.uplevel-ztna.net/ui/console/).
- Ensure Allow External IDP is enabled in the login policy.
- Save.
If you only want this for one organization rather than the entire Zitadel instance, configure the same setting on that org’s login policy instead of the default.
Step 5 — Test it
Open an incognito window and load the Zitadel login page. A Sign in with Google button should appear. Clicking it should take you through Google’s OAuth consent screen and back to Zitadel. If automatic creation is enabled, the user is provisioned on first sign-in.
Notes for other providers
- Zitadel ships templates for Google, GitHub, GitLab, Apple, and Microsoft / Entra ID, among others. For anything not on the list, use the Generic OIDC or Generic SAML template.
- To restrict sign-in to a specific Google Workspace domain, add the hd (hosted-domain) parameter to the scopes, or handle the domain check in a Zitadel Action — a server-side script that runs during the auth flow.
- For per-organization IdP setup (one client uses Google Workspace, another uses GitHub), configure the IdP at the organization level, not the instance default. Zitadel supports domain discovery so users are routed to the correct IdP based on their email domain.
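Added example, not taken from the Uplevel or Zitadel documentation: a Zitadel Action that enforces the Workspace domain check server-side by verifying the hd claim in the ID token Google returns, which is the value to trust (the hd request parameter only pre-selects accounts on Google's side). It assumes the v1 Action context for the External Authentication flow's Post Authentication trigger exposes ID-token claims through ctx.getClaim(name), and the allowed-domain list is a placeholder.

```javascript
// Hypothetical Zitadel Action for flow "External Authentication", trigger
// "Post Authentication". Runs server-side after Google returns the ID token.
// ASSUMPTION: ctx.getClaim(name) returns the named ID-token claim (Zitadel v1
// Action context); confirm against your Zitadel version's Action docs.

// Placeholder: replace with the Workspace domain(s) allowed to sign in.
const ALLOWED_HOSTED_DOMAINS = ["example.com"];

// Pure decision function, kept separate from the Action entry point so it can
// be unit-tested. Returns null when sign-in is allowed, otherwise the reason
// for rejection. The hd claim is only present for Workspace accounts; a
// consumer Gmail account never carries it, so a missing claim is rejected too.
function hostedDomainRejection(claims, allowedDomains) {
  const hd = typeof claims.hd === "string" ? claims.hd.trim().toLowerCase() : "";
  if (hd === "") return "missing hd claim (not a Google Workspace account)";
  const allowed = allowedDomains.map((d) => d.toLowerCase());
  if (!allowed.includes(hd)) return "hosted domain not allowed: " + hd;
  // Defence in depth: require a verified email whose domain matches hd, so a
  // mismatched profile cannot be auto-created or auto-updated in Zitadel.
  if (claims.email_verified !== true) return "email not verified by Google";
  const email = typeof claims.email === "string" ? claims.email.toLowerCase() : "";
  const at = email.lastIndexOf("@");
  if (at < 0 || email.slice(at + 1) !== hd) return "email domain does not match hd claim";
  return null;
}

// Zitadel invokes this with the Action context and API. Throwing aborts the
// login; keep "allowed to fail" off for this Action so the error is enforced.
function postAuthentication(ctx, api) {
  const claims = {
    hd: ctx.getClaim("hd"),
    email: ctx.getClaim("email"),
    email_verified: ctx.getClaim("email_verified"),
  };
  const reason = hostedDomainRejection(claims, ALLOWED_HOSTED_DOMAINS);
  if (reason !== null) {
    throw new Error("sign-in rejected: " + reason);
  }
}
```

Attach the Action to the External Authentication flow's Post Authentication trigger in the Zitadel Console; because it rejects accounts without an hd claim, personal Google accounts cannot sign in even when Automatic creation is enabled.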