Stay organized with collections
Save and categorize content based on your preferences.
If you've upgraded to Firebase Authentication with Identity Platform, you can authenticate your users with Firebase
using the SAML identity provider of your choice. This makes it possible to use
your SAML-based SSO solution to sign users in to your Firebase app.
Firebase Authentication supports only the service-provider initiated SAML flow.
Before you begin
To sign in users using a SAML identity provider, you must first collect some
information from the provider:
The provider's Entity ID: A URI that identifies the identity provider.
The provider's SAML SSO URL: The URL of the identity provider's sign-in
page.
The provider's public key certificate: The certificate used to validate
tokens signed by the identity provider.
Your app's Entity ID: A URI that identifies your app, the "service
provider".
After you have the above information, enable SAML as a sign-in provider for your
Firebase project:
If you haven't upgraded to Firebase Authentication with Identity Platform, do so. SAML authentication is only
available in upgraded projects.
On the Sign-in providers
page of the Firebase console, click Add new provider, and then click
SAML.
Give a name to this provider. Note the provider ID that's generated:
something like saml.example-provider. You'll need this ID when you add
sign-in code to your app.
Specify your identity provider's entity ID, SSO URL, and public key
certificate. Also specify the entity ID of your app (the service provider).
These values must exactly match the values your provider assigned to you.
Save your changes.
If you haven't already authorized your app's domain, add it to the allow
list on the Authentication > Settings
page of the Firebase console.
Handle the sign-in flow with the Firebase SDK
To handle the sign-in flow with the Firebase JavaScript SDK, follow these
steps:
Create an instance of an SAMLAuthProvider using the provider ID you got in
the Firebase console.
After the user completes sign-in and returns to your app, you can obtain the
sign-in result by calling getRedirectResult().
Web
import{getAuth,getRedirectResult,SAMLAuthProvider}from"firebase/auth";constauth=getAuth();getRedirectResult(auth).then((result)=>{// User is signed in.// Provider data available using getAdditionalUserInfo()}).catch((error)=>{// Handle error.});
Web
firebase.auth().getRedirectResult().then((result)=>{// User is signed in.// Provider data available in result.additionalUserInfo.profile,// or from the user's ID token obtained from result.user.getIdToken()// as an object in the firebase.sign_in_attributes custom claim.}).catch((error)=>{// Handle error.});
Pop-up flow
Web
import{getAuth,signInWithPopup,OAuthProvider}from"firebase/auth";constauth=getAuth();signInWithPopup(auth,provider).then((result)=>{// User is signed in.// Provider data available in result.additionalUserInfo.profile,// or from the user's ID token obtained from result.user.getIdToken()// as an object in the firebase.sign_in_attributes custom claim.}).catch((error)=>{// Handle error.});
Web
firebase.auth().signInWithPopup(provider).then((result)=>{// User is signed in.// Provider data available in result.additionalUserInfo.profile,// or from the user's ID token obtained from result.user.getIdToken()// as an object in the firebase.sign_in_attributes custom claim.}).catch((error)=>{// Handle error.});
The ID token and UserInfo
object contains the user's email address only if it is provided in the
NameID attribute of the SAML assertion from the identity provider:
While the above examples focus on sign-in flows, you can use the same
pattern to link a SAML provider to an existing user using
linkWithRedirect() and linkWithPopup(), and re-authenticate a user with
reauthenticateWithRedirect() and reauthenticateWithPopup(), which can be
used to retrieve fresh credentials for sensitive operations that require
recent login.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-15 UTC."],[],[],null,["If you've upgraded to Firebase Authentication with Identity Platform, you can authenticate your users with Firebase\nusing the SAML identity provider of your choice. This makes it possible to use\nyour SAML-based SSO solution to sign users in to your Firebase app.\n\nFirebase Authentication supports only the service-provider initiated SAML flow.\n\nBefore you begin\n\nTo sign in users using a SAML identity provider, you must first collect some\ninformation from the provider:\n\n- **The provider's Entity ID**: A URI that identifies the identity provider.\n- **The provider's SAML SSO URL**: The URL of the identity provider's sign-in page.\n- **The provider's public key certificate**: The certificate used to validate tokens signed by the identity provider.\n- **Your app's Entity ID**: A URI that identifies your app, the \"service provider\".\n\nAfter you have the above information, enable SAML as a sign-in provider for your\nFirebase project:\n\n1. [Add Firebase to your JavaScript project](/docs/web/setup).\n\n2. If you haven't upgraded to Firebase Authentication with Identity Platform, do so. SAML authentication is only\n available in upgraded projects.\n\n3. On the [**Sign-in providers**](//console.firebase.google.com/project/_/authentication/providers)\n page of the Firebase console, click **Add new provider** , and then click\n **SAML**.\n\n4. Give a name to this provider. Note the provider ID that's generated:\n something like `saml.example-provider`. You'll need this ID when you add\n sign-in code to your app.\n\n5. Specify your identity provider's entity ID, SSO URL, and public key\n certificate. Also specify the entity ID of your app (the service provider).\n These values must exactly match the values your provider assigned to you.\n\n6. Save your changes.\n\n7. If you haven't already authorized your app's domain, add it to the allow\n list on the [**Authentication \\\u003e Settings**](//console.firebase.google.com/project/_/authentication/settings)\n page of the Firebase console.\n\nHandle the sign-in flow with the Firebase SDK\n\nTo handle the sign-in flow with the Firebase JavaScript SDK, follow these\nsteps:\n\n1. Create an instance of an `SAMLAuthProvider` using the provider ID you got in\n the Firebase console.\n\n Web \n\n import { SAMLAuthProvider } from \"firebase/auth\";\n\n const provider = new SAMLAuthProvider('saml.example-provider');\n\n Web \n\n var provider = new firebase.auth.SAMLAuthProvider('saml.example-provider');\n ``\n\n\u003c!-- --\u003e\n\n1. Authenticate with Firebase using the SAML provider object.\n\n You can either redirect the user to the provider's sign-in page or open the\n sign-in page in a pop-up browser window.\n\n **Redirect flow**\n\n Redirect to the provider sign-in page by calling `signInWithRedirect()`: \n\n Web \n\n import { getAuth, signInWithRedirect } from \"firebase/auth\";\n\n const auth = getAuth();\n signInWithRedirect(auth, provider);\n\n Web \n\n firebase.auth().signInWithRedirect(provider);\n\n After the user completes sign-in and returns to your app, you can obtain the\n sign-in result by calling `getRedirectResult()`. \n\n Web \n\n import { getAuth, getRedirectResult, SAMLAuthProvider } from \"firebase/auth\";\n\n const auth = getAuth();\n getRedirectResult(auth)\n .then((result) =\u003e {\n // User is signed in.\n\n // Provider data available using getAdditionalUserInfo()\n })\n .catch((error) =\u003e {\n // Handle error.\n });\n\n Web \n\n firebase.auth().getRedirectResult()\n .then((result) =\u003e {\n // User is signed in.\n\n // Provider data available in result.additionalUserInfo.profile,\n // or from the user's ID token obtained from result.user.getIdToken()\n // as an object in the firebase.sign_in_attributes custom claim.\n })\n .catch((error) =\u003e {\n // Handle error.\n });\n\n **Pop-up flow**\n\n Web \n\n import { getAuth, signInWithPopup, OAuthProvider } from \"firebase/auth\";\n\n const auth = getAuth();\n signInWithPopup(auth, provider)\n .then((result) =\u003e {\n // User is signed in.\n\n // Provider data available in result.additionalUserInfo.profile,\n // or from the user's ID token obtained from result.user.getIdToken()\n // as an object in the firebase.sign_in_attributes custom claim.\n })\n .catch((error) =\u003e {\n // Handle error.\n });\n\n Web \n\n firebase.auth().signInWithPopup(provider)\n .then((result) =\u003e {\n // User is signed in.\n\n // Provider data available in result.additionalUserInfo.profile,\n // or from the user's ID token obtained from result.user.getIdToken()\n // as an object in the firebase.sign_in_attributes custom claim.\n })\n .catch((error) =\u003e {\n // Handle error.\n });\n\n The ID token and [UserInfo](/docs/reference/js/auth.userinfo#userinfoemail)\n object contains the user's email address only if it is provided in the\n `NameID` attribute of the SAML assertion from the identity provider: \n\n \u003cSubject\u003e\n \u003cNameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\"\u003etest@email.com\u003c/NameID\u003e\n \u003c/Subject\u003e\n\n2. While the above examples focus on sign-in flows, you can use the same\n pattern to link a SAML provider to an existing user using\n `linkWithRedirect()` and `linkWithPopup()`, and re-authenticate a user with\n `reauthenticateWithRedirect()` and `reauthenticateWithPopup()`, which can be\n used to retrieve fresh credentials for sensitive operations that require\n recent login."]]