How to extend Firebase auth with SAML and OIDC SSO using Scalekit

Firebase Auth helped you get to production fast.

It handles email/password, magic links, and social login with just a few days’ effort. For most apps, that’s more than enough until…

… a customer asks for SSO.

Firebase Authentication integrates tightly with other Firebase services and industry-standard protocols like JWT, OAuth 2.0, and OpenID Connect, making it easy to connect with custom backends and identity providers. However, it lacks native SAML provider support, which is a common requirement for enterprise SSO.

They want to connect their identity provider—Okta, Entra ID, or Google Workspace. But Firebase Auth doesn’t support SAML or external OIDC providers. There’s no built-in way to plug in an enterprise IdP.

You don’t want to rip out Firebase. You just need to add one thing: enterprise SSO. A modular add-on to your existing auth set-up that seamlessly manages single-sign on for your enterprise customers across any identity provider that they use

Scalekit handles the SSO flow by connecting to your customer’s IdP, validating the login, and sending your app a signed token with user and org details. Scalekit acts as a SAML provider to bridge the gap for SAML authentication in Firebase. You use that token to link or create a Firebase user and continue the session as usual.

In this guide, you’ll integrate Scalekit with Firebase and go live with your first SSO connection, without changing your auth stack.

What Scalekit adds (Without replacing Firebase)

Scalekit sits alongside Firebase, just for SSO. Scalekit and Firebase can be easily integrated with other backend services and identity providers using industry standards like SAML 2.0, OAuth 2.0, and OpenID Connect.

You still use Firebase Auth to manage users and sessions—but for enterprise users, you’ll create or link accounts manually and issue a custom Firebase token using the Admin SDK. Scalekit works seamlessly with other Firebase services, not just authentication

Here’s what Scalekit adds:

• Org-level SSO config: Set up one SAML or OIDC connection per customer, without building custom flows.
• Hosted admin portal: Let your customer’s IT team configure their IdP themselves—no back-and-forth on metadata.
• SSO login URLs: Generate per-org login links to kick off the SSO flow.
• IdP simulator: Test the integration without needing a real IdP connection.
• Token exchange: After login, Scalekit sends your app a signed token with user identity and org details.

Firebase offers easy to use SDKs and ready made UI libraries that simplify the implementation of authentication and SSO flows. Firebase also provides backend services that support authentication, user management, and integration with custom backends

From there, you create or link the user in Firebase using the Admin SDK, then generate a custom Firebase auth token. You return this token to the frontend, where it’s used to complete the session via ^{signInWithCustomToken} method — completing the session inside Firebase.

That’s it! The user is signed in, and your app continues as usual.

Setting up Scalekit with Firebase: A step-by-step guide

Here’s how you’ll set up Scalekit as an SSO layer alongside Firebase Auth.

1. Add Scalekit as an OIDC provider in Firebase: ‍Go to the Firebase console, access your project settings, and add a new provider by creating a new OpenID Connect provider (grant type: code flow). You will need to specify the provider ID and enter the client secret and API keys provided by your Scalekit dashboard. Some SAML and OIDC features may require upgraded projects in Firebase Authentication with Identity Platform.‍
2. Add Firebase’s callback URL to Scalekit: Once you save the provider, Firebase gives you a callback URL. Copy it and add it as a Redirect URI in your Scalekit dashboard.‍
3. Update your login flow: In your frontend, initialize ^{oidc.scalekit} as a provider and trigger the login process using Firebase’s standard OAuth flow, such as ^{signInWithRedirect} or ^{signInWithPopup}, by initializing Scalekit as an OAuth provider

That’s it. Scalekit handles the SSO login. Firebase handles the rest. For detailed setup steps, check the official integration guide →

Implementing SSO with Callback URL and Redirect URI

When enabling Single Sign-On (SSO) for your Firebase application, the Callback URL and Redirect URI are critical pieces that connect your app with the chosen identity provider—whether that’s a SAML identity provider like Okta, Microsoft Entra, or Google Workspace. These URLs act as the bridge between your authentication flow and the external identity platform, ensuring that users are securely redirected back to your app after successful authentication.

Here’s how it works: When a user initiates SSO login, they’re sent to the identity provider’s login page. After the user authenticates—using their organization’s credentials—the identity provider generates a SAML assertion and redirects the user back to your Firebase application using the Callback URL (also known as the Redirect URI). This URL is registered both in your Firebase project and with the identity provider’s configuration, so only authorized redirects are allowed.

The Callback URL is where your Firebase app receives the authentication response, which includes the user’s identity and any additional details provided by the SAML protocol. Firebase then processes this information, allowing you to authenticate users seamlessly and grant them access to your app’s features.

What changes (and what doesn’t)

Adding Scalekit to your Firebase setup doesn’t mean rewriting your auth flow. You’re not replacing Firebase Auth, you’re just extending it to support enterprise SSO.

Scalekit takes care of the entire SSO handshake. It connects to your customer’s identity provider, manages per-organization routing, and handles the authentication flow end-to-end. Once authentication succeeds, Scalekit securely passes user and organization details back to your app so Firebase can continue the session as usual.

A key part of this workflow is Scalekit’s hosted Admin Portal, designed specifically for enterprise IT and security teams. Instead of exchanging metadata files, certificates, and configuration details over email or Slack, you can give your customers access to a self-serve portal where they configure their own SSO connection. From the Admin Portal, admins can select their IdP (Okta, Entra ID, Google Workspace, etc.), upload certificates, configure attributes, and test the connection—without any developer involvement on your side.

This removes one of the biggest operational bottlenecks in enterprise SSO onboarding. Your engineering team doesn’t need to manage SAML metadata, rotate certificates, or troubleshoot IdP-specific quirks. Customers configure and maintain their own setup, while you retain full control over how SSO is enforced and consumed inside your application.

Once the user logs in, Firebase picks up where Scalekit leaves off. It creates or links the user, manages sessions, issues tokens, and keeps everything in sync across devices, just like it does today. Firebase Authentication integrates tightly with other Firebase services and leverages industry standards such as OAuth 2.0, OpenID Connect, and SAML for secure integration with various identity providers. The flexibility of Firebase Authentication also allows you to extend the solution to work with a custom backend if needed.

Scalekit integrates out of the box with all major enterprise identity providers. This includes Okta, Microsoft Entra ID (Azure AD), Google Workspace, Ping Identity, OneLogin, Auth0, Keycloak, and other SAML or OIDC–compatible IdPs commonly used in enterprise environments. Each integration follows the same standardized flow, so supporting a new IdP doesn’t require custom logic or provider-specific code paths in your application.

For a complete list of supported providers and setup instructions, see the Scalekit integrations documentation →

So, in short, Scalekit handles SSO and Firebase does the rest.

Wrapping up

You chose Firebase because it let you move fast and that decision still holds up.

What Scalekit gives you isn’t a replacement or a workaround. It’s a clean extension that brings enterprise SSO into a stack you already trust.

No forks in your auth logic or n new abstraction to manage — just a simple addition that lets you close bigger customers, without losing the speed you started with.

Set up the Firebase + Scalekit integration →

FAQs

1. Does Firebase support enterprise SSO natively?

Firebase Authentication does not natively support SAML-based enterprise SSO or external enterprise identity providers like Okta or Microsoft Entra ID out of the box. While Firebase supports OAuth-based providers and OpenID Connect, adding enterprise SSO typically requires an additional identity layer. Scalekit fills this gap by acting as a bridge between enterprise IdPs and Firebase without replacing Firebase Auth.

2. Can I use Scalekit with both SAML and OIDC identity providers?

Yes. Scalekit supports both SAML 2.0 and OpenID Connect (OIDC), allowing you to connect with a wide range of enterprise identity providers. This means you can support legacy SAML-only IdPs as well as modern OIDC-based providers using the same integration pattern, while Firebase continues to manage users and sessions.

3. Do I need to change my existing Firebase authentication flow?

No. Adding Scalekit does not require rewriting your existing authentication logic. Your current login methods—email/password, magic links, social logins—continue to work as they do today. Scalekit simply introduces an additional login path for enterprise users, while Firebase remains the system of record for users, sessions, and tokens.

4. How do enterprise customers configure their own SSO setup?

Enterprise customers configure SSO through Scalekit’s hosted Admin Portal. Their IT teams can select their identity provider, upload certificates, configure attributes, and test the connection themselves. This self-serve model removes the need for manual metadata exchange or ongoing engineering involvement, making enterprise onboarding faster and more scalable.