Authenticate Using SAML in web apps
If you've upgraded to Firebase Authentication with Identity Platform, you can authenticate your users with Firebase using the SAML identity provider of your choice. This makes it possible to use your SAML-based SSO solution to sign users in to your Firebase app.
Firebase Authentication supports only the service-provider initiated SAML flow.
Before you begin
To sign in users using a SAML identity provider, you must first collect some information from the provider:
- The provider's Entity ID: A URI that identifies the identity provider.
- The provider's SAML SSO URL: The URL of the identity provider's sign-in page.
- The provider's public key certificate: The certificate used to validate tokens signed by the identity provider.
- Your app's Entity ID: A URI that identifies your app, the "service provider".
After you have the above information, enable SAML as a sign-in provider for your Firebase project:
1. If you haven't upgraded to Firebase Authentication with Identity Platform, do so. SAML authentication is only available in upgraded projects.
2. On the Sign-in providers page of the Firebase console, click Add new provider, and then click SAML.
3. Give a name to this provider. Note the provider ID that's generated: something like saml.example-provider. You'll need this ID when you add sign-in code to your app.
4. Specify your identity provider's entity ID, SSO URL, and public key certificate. Also specify the entity ID of your app (the service provider). These values must exactly match the values your provider assigned to you.
5. Save your changes.
6. If you haven't already authorized your app's domain, add it to the allowlist on the Authentication > Settings page of the Firebase console.
Handle the sign-in flow with the Firebase SDK
To handle the sign-in flow with the Firebase JavaScript SDK, follow these steps:
1. Create an instance of a SAMLAuthProvider using the provider ID you got in the Firebase console.

Web (modular API)
```javascript
import { SAMLAuthProvider } from "firebase/auth";

const provider = new SAMLAuthProvider('saml.example-provider');
```
Web (namespaced API)
```javascript
var provider = new firebase.auth.SAMLAuthProvider('saml.example-provider');
```
2. Authenticate with Firebase using the SAML provider object. You can either redirect the user to the provider's sign-in page or open the sign-in page in a pop-up browser window.
Redirect flow
Redirect to the provider sign-in page by calling signInWithRedirect():

Web (modular API)
```javascript
import { getAuth, signInWithRedirect } from "firebase/auth";

const auth = getAuth();
// provider is the SAMLAuthProvider created in step 1.
signInWithRedirect(auth, provider);
```
Web (namespaced API)
```javascript
firebase.auth().signInWithRedirect(provider);
```
After the user completes sign-in and returns to your app, you can obtain the sign-in result by calling getRedirectResult().

Web (modular API)
```javascript
import { getAuth, getRedirectResult, getAdditionalUserInfo } from "firebase/auth";

const auth = getAuth();
getRedirectResult(auth)
  .then((result) => {
    // User is signed in.
    // Provider data available using getAdditionalUserInfo(result)
  })
  .catch((error) => {
    // Handle error.
  });
```
Web (namespaced API)
```javascript
firebase.auth().getRedirectResult()
  .then((result) => {
    // User is signed in.
    // Provider data available in result.additionalUserInfo.profile,
    // or from the user's ID token obtained from result.user.getIdToken()
    // as an object in the firebase.sign_in_attributes custom claim.
  })
  .catch((error) => {
    // Handle error.
  });
```
Pop-up flow
Open the provider sign-in page in a pop-up window by calling signInWithPopup():

Web (modular API)
```javascript
import { getAuth, signInWithPopup } from "firebase/auth";

const auth = getAuth();
// provider is the SAMLAuthProvider created in step 1.
signInWithPopup(auth, provider)
  .then((result) => {
    // User is signed in.
    // Provider data available in result.additionalUserInfo.profile,
    // or from the user's ID token obtained from result.user.getIdToken()
    // as an object in the firebase.sign_in_attributes custom claim.
  })
  .catch((error) => {
    // Handle error.
  });
```
Web (namespaced API)
```javascript
firebase.auth().signInWithPopup(provider)
  .then((result) => {
    // User is signed in.
    // Provider data available in result.additionalUserInfo.profile,
    // or from the user's ID token obtained from result.user.getIdToken()
    // as an object in the firebase.sign_in_attributes custom claim.
  })
  .catch((error) => {
    // Handle error.
  });
```
The ID token and UserInfo object contain the user's email address only if it is provided in the NameID attribute of the SAML assertion from the identity provider:
```xml
<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@email.com</NameID>
</Subject>
```
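The sign-in snippets above point at two places where the SAML provider data ends up: result.additionalUserInfo.profile and the firebase.sign_in_attributes custom claim in the user's ID token, and the NameID note explains when the email field is populated. The following is an added example, not code from the Firebase documentation: it decodes a constructed, unsigned ID token to show the claim layout a SAML sign-in produces, and checks a SAML Subject fragment for an email-format NameID. The claim names firebase.sign_in_provider and firebase.sign_in_attributes are the ones real Firebase ID tokens carry; the issuer, audience, uid and attribute values are made up. Decoding without a signature check is fine for showing claims in the UI, but a token must be verified server-side (for example with the Admin SDK's verifyIdToken) before any authorization decision depends on it.

```javascript
// Added example (not from the Firebase docs): read the SAML-related claims out
// of a Firebase ID token on the client, and check a SAML <Subject> for an
// email-format NameID. The token below is CONSTRUCTED and unsigned; it only
// illustrates the claim layout. Verify real tokens server-side before trusting them.

function base64UrlDecode(s) {
  const padded = s + '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

function base64UrlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split a compact JWS and parse its payload. No signature check on purpose:
// the client cannot verify Firebase's signing keys offline, and unverified
// claims must never be used for anything but display.
function decodeIdTokenClaims(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Summarise what the sign-in flow produced: which provider signed the user in,
// whether an email made it into the token, and the raw SAML attributes.
function samlSignInInfo(idToken) {
  const claims = decodeIdTokenClaims(idToken);
  const fb = claims.firebase || {};
  const provider = typeof fb.sign_in_provider === 'string' ? fb.sign_in_provider : null;
  return {
    provider,
    isSaml: provider !== null && provider.startsWith('saml.'),
    email: typeof claims.email === 'string' ? claims.email : null,
    attributes: fb.sign_in_attributes || {},
  };
}

// The NameID format Firebase needs in order to populate the email field.
const EMAIL_NAMEID_FORMAT = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';

// Return the NameID value only when the IdP declared it as an email address;
// anything else yields null, which is also what user.email will be in the app.
function nameIdEmail(subjectXml) {
  const nameId = /<NameID\b([^>]*)>([^<]*)<\/NameID>/.exec(subjectXml);
  if (!nameId) return null;
  const format = /\bFormat="([^"]*)"/.exec(nameId[1]);
  return format && format[1] === EMAIL_NAMEID_FORMAT ? nameId[2].trim() : null;
}

// Constructed sample token: claims shaped like a Firebase ID token after a SAML
// sign-in with the provider ID used on this page. 'alg: none' and the empty
// signature mark it as a teaching artifact, not something a real issuer emits.
const SAMPLE_CLAIMS = {
  iss: 'https://securetoken.google.com/example-project',  // constructed
  aud: 'example-project',                                 // constructed
  sub: 'uid-constructed-0001',                            // constructed
  email: 'test@email.com',
  firebase: {
    sign_in_provider: 'saml.example-provider',
    sign_in_attributes: { firstName: 'Test', department: 'Engineering' },  // constructed
  },
};
const SAMPLE_ID_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify(SAMPLE_CLAIMS)),
  '',
].join('.');

// The Subject fragment from this page, plus a persistent-format one for contrast.
const SUBJECT_EMAIL = '<Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@email.com</NameID></Subject>';
const SUBJECT_PERSISTENT = '<Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3</NameID></Subject>';

console.log(samlSignInInfo(SAMPLE_ID_TOKEN));
console.log(nameIdEmail(SUBJECT_EMAIL), nameIdEmail(SUBJECT_PERSISTENT));
```

If user.email comes back null after a SAML sign-in, nameIdEmail() applied to the assertion your IdP sends (visible in a SAML tracer) shows the usual cause: the NameID is in a persistent or unspecified format rather than emailAddress, so Firebase has nothing to populate the field from.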
While the above examples focus on sign-in flows, you can use the same pattern to link a SAML provider to an existing user using linkWithRedirect() and linkWithPopup(), and re-authenticate a user with reauthenticateWithRedirect() and reauthenticateWithPopup(), which can be used to retrieve fresh credentials for sensitive operations that require recent login.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-10 UTC.