Enterprise Readiness
Apr 28, 2025

How to extend Firebase auth with SAML and OIDC SSO using Scalekit

Tamilselvi Ramasamy
PMM

Firebase Auth helped you get to production fast.

It handles email/password, magic links, and social login with just a few days’ effort. For most apps, that’s more than enough until…

… a customer asks for SSO.

They want to connect their identity provider—Okta, Entra ID, or Google Workspace. But Firebase Auth doesn’t support SAML or external OIDC providers. There’s no built-in way to plug in an enterprise IdP.

You don’t want to rip out Firebase. You just need to add one thing: enterprise SSO.

Scalekit handles the SSO flow by connecting to your customer’s IdP, validating the login, and sending your app a signed token with user and org details.

You use that token to link or create a Firebase user and continue the session as usual.

In this guide, you’ll integrate Scalekit with Firebase and go live with your first SSO connection, without changing your auth stack.

What Scalekit adds (Without replacing Firebase)

Scalekit sits alongside Firebase, just for SSO.

You still use Firebase Auth to manage users and sessions—but for enterprise users, you’ll create or link accounts manually and issue a custom Firebase token using the Admin SDK.

Firebase + SSO

Here’s what Scalekit adds:

  • Org-level SSO config: Set up one SAML or OIDC connection per customer, without building custom flows.
  • Hosted admin portal: Let your customer’s IT team configure their IdP themselves—no back-and-forth on metadata.
  • SSO login URLs: Generate per-org login links to kick off the SSO flow.
  • IdP simulator: Test the integration without needing a real IdP connection.
  • Token exchange: After login, Scalekit sends your app a signed token with user identity and org details.

From there, you create or link the user in Firebase using the Admin SDK, then generate a custom Firebase Auth token. You return this token to the frontend, where it’s used to complete the session via signInWithCustomToken method — completing the session inside Firebase.

That’s it! The user is signed in, and your app continues as usual.

Setting up Scalekit with Firebase: A step-by-step guide

Here’s how you’ll set up Scalekit as an SSO layer alongside Firebase Auth.

  1. Add Scalekit as an OIDC provider in Firebase: Go to your Firebase Auth settings and create a new OpenID Connect provider (grant type: code flow). Use the client ID, secret, and issuer URL from your Scalekit dashboard.
  2. Add Firebase’s callback URL to Scalekit: Once you save the provider, Firebase gives you a callback URL. Copy it and add it as a Redirect URI in your Scalekit dashboard.
  3. Update your login flow: In your frontend, initialize oidc.scalekit as a provider and trigger the login process using Firebase’s standard OAuth flow, such as signInWithRedirect or signInWithPopup, by initializing Scalekit as an OAuth provider

That’s it. Scalekit handles the SSO login. Firebase handles the rest. For detailed setup steps, check the official integration guide →

What changes (and what doesn’t)

Adding Scalekit to your Firebase setup doesn’t mean rewriting your auth flow. You’re not replacing Firebase Auth, you’re just extending it to support enterprise SSO.

Scalekit takes care of the SSO handshake. It connects to your customer’s identity provider, manages per-org routing, and handles the login flow. You also get a hosted portal where your customer’s IT team can configure their IdP directly—no need to manage metadata or certificates yourself.

Once the user logs in, Firebase picks up where Scalekit leaves off. It creates or links the user, manages sessions, issues tokens, and keeps everything in sync across devices, just like it does today.

Your existing login methods—email/password, magic links, Google sign-in, all of them stay untouched. So does your user model, your session handling, and your frontend logic. You’re not introducing risk. You’re just enabling a new login path for the customers who need it.

So, in short, Scalekit handles SSO and Firebase does the rest.

Wrapping up

You chose Firebase because it let you move fast and that decision still holds up.

What Scalekit gives you isn’t a replacement or a workaround. It’s a clean extension that brings enterprise SSO into a stack you already trust.

No forks in your auth logic or n new abstraction to manage — just a simple addition that lets you close bigger customers, without losing the speed you started with.

Set up the Firebase + Scalekit integration →

No items found.
On this page
Toc link here
Share this article
Copy link
Start scaling
into enterprise
Add SSO for free
More from our blog
More articles
Enterprise Readiness
Apr 21, 2025
Add enterprise SSO on top of your Auth0 setup
Tamilselvi Ramasamy
Enterprise Readiness
Apr 19, 2025
Add enterprise SSO to AWS Cognito without writing federation logic
Tamilselvi Ramasamy
More articles

Acquire enterprise customers with zero upfront cost

Every feature unlocked. No hidden fees.
Start for free
Schedule a demo
Start Free
$0
/ month
3 FREE SSO/SCIM connections
Built-in multi-tenancy and organizations
SAML, OIDC based SSO
SCIM provisioning for users, groups
Unlimited users
Unlimited social logins
Start freeSchedule a demoPricingLogin
Products
Single Sign-OnSCIMSocial LoginAdmin Portal
Solutions
One-click IdP loginSSO sandboxAutomate user accessRole & group assignmentUnified SCIM API
For developers
DocsAPI ReferenceSDKsStatusRelease Notes
Integrations
Auth0 + SSOFirebase + SSOIdentity providersSCIM directoriesSocial connectorsView all integrations
Compare
vs Auth0vs WorkOS
Resources
Auth0 alternativesWorkOS alternativesBlog
Authentication guides
Single Sign-onSocial LoginsOAuthPasswordlessSCIMDirectory SyncTop SSO ToolsSSO Testing
Company
AboutLegalTrust center
Contact us
hi@scalekit.com
16192 Coastal Hwy Lewes,
DE 19958
© 2025 ScaleKit Inc.  All rights reserved
By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation and collect statistics on usage.
Accept 👌
Enterprise Readiness

How to extend Firebase auth with SAML and OIDC SSO using Scalekit

Tamilselvi Ramasamy
Apr 28, 2025

Firebase Auth helped you get to production fast.

It handles email/password, magic links, and social login with just a few days’ effort. For most apps, that’s more than enough until…

… a customer asks for SSO.

They want to connect their identity provider—Okta, Entra ID, or Google Workspace. But Firebase Auth doesn’t support SAML or external OIDC providers. There’s no built-in way to plug in an enterprise IdP.

You don’t want to rip out Firebase. You just need to add one thing: enterprise SSO.

Scalekit handles the SSO flow by connecting to your customer’s IdP, validating the login, and sending your app a signed token with user and org details.

You use that token to link or create a Firebase user and continue the session as usual.

In this guide, you’ll integrate Scalekit with Firebase and go live with your first SSO connection, without changing your auth stack.

What Scalekit adds (Without replacing Firebase)

Scalekit sits alongside Firebase, just for SSO.

You still use Firebase Auth to manage users and sessions—but for enterprise users, you’ll create or link accounts manually and issue a custom Firebase token using the Admin SDK.

Firebase + SSO

Here’s what Scalekit adds:

  • Org-level SSO config: Set up one SAML or OIDC connection per customer, without building custom flows.
  • Hosted admin portal: Let your customer’s IT team configure their IdP themselves—no back-and-forth on metadata.
  • SSO login URLs: Generate per-org login links to kick off the SSO flow.
  • IdP simulator: Test the integration without needing a real IdP connection.
  • Token exchange: After login, Scalekit sends your app a signed token with user identity and org details.

From there, you create or link the user in Firebase using the Admin SDK, then generate a custom Firebase Auth token. You return this token to the frontend, where it’s used to complete the session via signInWithCustomToken method — completing the session inside Firebase.

That’s it! The user is signed in, and your app continues as usual.

Setting up Scalekit with Firebase: A step-by-step guide

Here’s how you’ll set up Scalekit as an SSO layer alongside Firebase Auth.

  1. Add Scalekit as an OIDC provider in Firebase: Go to your Firebase Auth settings and create a new OpenID Connect provider (grant type: code flow). Use the client ID, secret, and issuer URL from your Scalekit dashboard.
  2. Add Firebase’s callback URL to Scalekit: Once you save the provider, Firebase gives you a callback URL. Copy it and add it as a Redirect URI in your Scalekit dashboard.
  3. Update your login flow: In your frontend, initialize oidc.scalekit as a provider and trigger the login process using Firebase’s standard OAuth flow, such as signInWithRedirect or signInWithPopup, by initializing Scalekit as an OAuth provider

That’s it. Scalekit handles the SSO login. Firebase handles the rest. For detailed setup steps, check the official integration guide →

What changes (and what doesn’t)

Adding Scalekit to your Firebase setup doesn’t mean rewriting your auth flow. You’re not replacing Firebase Auth, you’re just extending it to support enterprise SSO.

Scalekit takes care of the SSO handshake. It connects to your customer’s identity provider, manages per-org routing, and handles the login flow. You also get a hosted portal where your customer’s IT team can configure their IdP directly—no need to manage metadata or certificates yourself.

Once the user logs in, Firebase picks up where Scalekit leaves off. It creates or links the user, manages sessions, issues tokens, and keeps everything in sync across devices, just like it does today.

Your existing login methods—email/password, magic links, Google sign-in, all of them stay untouched. So does your user model, your session handling, and your frontend logic. You’re not introducing risk. You’re just enabling a new login path for the customers who need it.

So, in short, Scalekit handles SSO and Firebase does the rest.

Wrapping up

You chose Firebase because it let you move fast and that decision still holds up.

What Scalekit gives you isn’t a replacement or a workaround. It’s a clean extension that brings enterprise SSO into a stack you already trust.

No forks in your auth logic or n new abstraction to manage — just a simple addition that lets you close bigger customers, without losing the speed you started with.

Set up the Firebase + Scalekit integration →

No items found.
Ship Enterprise Auth in days
Join the waitlist

More Related Posts

All articles
M2M authenticationMCP authorization layer: Securing agentic workflows
Ravi Madabhushi
Apr 28, 2025
M2M authenticationOAuth Tokens Explained: for M2M Authentication
Srinivas Karre
Apr 22, 2025
Enterprise ReadinessAdd enterprise SSO on top of your Auth0 setup
Tamilselvi Ramasamy
April 21, 2025
Enterprise ReadinessAdd enterprise SSO to AWS Cognito without writing federation logic
Tamilselvi Ramasamy
April 19, 2025