Added JWT group sync instructions for each IdP (#545)

* Added JWT group sync instructions for each IdP
This commit is contained in:
shuuri-labs
2026-01-13 19:52:57 +01:00
committed by GitHub
parent ca6aa9fcc3
commit c31143ab83
23 changed files with 379 additions and 5 deletions


@@ -146,6 +146,32 @@ This allows you to support different authentication methods for different user g
<img src="/docs-static/img/selfhosted/identity-providers/idp-login.png" alt="Multiple Identity Providers" className="imagewrapper"/>
</p>
### User Provisioning
#### JWT Group Sync
If you've connected an external IdP, NetBird can optionally fetch a user's groups via JWT claim. These groups automatically obtain representations within NetBird and will be applied to the corresponding NetBird user. To enable JWT group sync,
navigate to Settings > Groups and toggle 'Enable JWT group sync'.
<p>
<img src="/docs-static/img/selfhosted/identity-providers/jwt-group-sync.png" alt="JWT Group Sync Settings" className="imagewrapper"/>
</p>
Specify the JWT claim to be used as the user's groups list (normally 'groups'). You can optionally specify a 'JWT allow groups' - this group will need to exist in your chosen claim for the user in order for that user to be granted access to NetBird.
Your IdP may require specific configuration in order to pass a groups claim to NetBird. For detailed per-IdP implementation steps, see below. If your IdP isn't on the list, refer to the project's documentation.
- [Google](/selfhosted/identity-providers/managed/google-workspace#configuring-jwt-groups-claim)
- [Microsoft Entra ID](/selfhosted/identity-providers/managed/microsoft-entra-id#configuring-jwt-groups-claim)
- [Okta](/selfhosted/identity-providers/managed/okta#configuring-jwt-groups-claim)
- [JumpCloud](/selfhosted/identity-providers/managed/jumpcloud#configuring-jwt-groups-claim)
- [Zitadel](/selfhosted/identity-providers/zitadel#configuring-jwt-groups-claim)
- [PocketID](/selfhosted/identity-providers/pocketid#configuring-jwt-groups-claim)
- [Authentik](/selfhosted/identity-providers/authentik#configuring-jwt-groups-claim)
- [Keycloak](/selfhosted/identity-providers/keycloak#configuring-jwt-groups-claim)
#### SCIM
NetBird supports provisioning users and groups through SCIM. However, this functionality is not available in the open source Community Edition. It is offered only in the cloud-managed version of NetBird or through a [Commercial License](https://netbird.io/pricing#on-prem) for enterprise self-hosted deployments.
### Best Practices
1. **Start simple** - Begin with local users, add external providers as needed
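Review bot: the "JWT allow groups" sentence in the "Specify the JWT claim" paragraph leaves the failure case undocumented: it says the group "will need to exist in your chosen claim" but not what happens when the configured claim is absent from the token or the user is not in the allow group (login refused, or user created with no access?), nor whether group names are matched exactly as they appear in the claim. Since this setting gates access to the whole account, spell that out here rather than leaving it to the per-IdP pages. Two smaller points in the same hunk: "These groups automatically obtain representations within NetBird" reads awkwardly, consider "NetBird creates a matching group for each value in the claim and adds the user to it"; and the hard line break before "navigate to Settings > Groups" splits a sentence mid-clause, unlike the rest of the paragraph. Finally, the link list mixes `/selfhosted/identity-providers/managed/...` (Google, Entra ID, Okta, JumpCloud) with `/selfhosted/identity-providers/...` (Zitadel, PocketID, Authentik, Keycloak); please confirm each target page carries the `#configuring-jwt-groups-claim` anchor in this same PR so none of the eight links dangle.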
@@ -181,11 +207,6 @@ This allows you to support different authentication methods for different user g
For provider-specific troubleshooting, see the individual provider pages.
## User Provisioning (SCIM)
In addition to OIDC-based authentication, NetBird supports provisioning users and groups through SCIM.
However, this functionality is not available in the open source Community Edition. It is offered only in the cloud-managed version of NetBird or through a [Commercial License](https://netbird.io/pricing#on-prem) for enterprise self-hosted deployments.
## Migration Guide and Backwards Compatibility
If you have an existing NetBird deployment using a standalone IdP (like Zitadel from the previous quickstart), you have several options:
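Review bot: dropping the top-level "## User Provisioning (SCIM)" section is consistent with the earlier hunk, which re-homes the same paragraph under "### User Provisioning" > "#### SCIM", but the heading-derived anchor for the old section disappears with it; grep the docs (and any external links you control) for references to that anchor and update them, otherwise they will land on the page with no target. The removed copy also had the lead-in "In addition to OIDC-based authentication", which the new "#### SCIM" paragraph drops; fine to lose, but worth a deliberate yes.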