Skip to main content
Fireworks uses single sign-on (SSO) as the primary mechanism to authenticate with the platform. By default, Fireworks supports Google SSO. If you have an enterprise account, Fireworks supports bringing your own identity provider using:
  • OpenID Connect (OIDC) provider
  • SAML 2.0 provider
Coordinate with your Fireworks AI representative to enable the integration.

OpenID Connect (OIDC) provider

1

Create OIDC client application

Create an OIDC client application in your identity provider, e.g. Okta.
2

Configure client

Ensure the client is configured for “code authorization” of the “web” type (i.e. with a client_secret).
3

Set redirect URL

Set the client’s “allowed redirect URL” to the URL provided by Fireworks. It looks like:
https://fireworks-<your-company-name>.auth.us-west-2.amazoncognito.com/oauth2/idpresponse
4

Note down client details

Note down the issuer, client_id, and client_secret for the newly created client. You will need to provide this to your Fireworks.ai representative to complete your account set up.

SAML 2.0 provider

1

Create SAML 2.0 application

Create a SAML 2.0 application in your identity provider, e.g. Okta.
2

Set SSO URL

Set the SSO URL to the URL provided by Fireworks. It looks like:
https://fireworks-<your-company-name>.auth.us-west-2.amazoncognito.com/saml2/idpresponse
3

Configure Audience URI

Configure the Audience URI (SP Entity ID) as provided by Fireworks. It looks like:
urn:amazon:cognito:sp:<some-unique-identifier>
4

Create Attribute Statement

Create an Attribute Statement with the name:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
and the value user.email
5

Keep default settings

Leave the rest of the settings as defaults.
6

Note down metadata URL

Note down the “metadata url” for your newly created application. You will need to provide this to your Fireworks AI representative to complete your account set up.

Just-In-Time (JIT) user provisioning

JIT user provisioning automatically creates user accounts when they sign in through SSO for the first time. When enabled, users who authenticate through your identity provider are automatically added to your Fireworks account without requiring manual user creation. To enable JIT user provisioning, use the --enable-jit-user-provisioning flag when creating your identity provider with firectl.

Enforce SSO

When SSO enforcement is enabled, account access is restricted to users with approved tenant domains only. Users with matching domains must authenticate via the identity provider, and users with other domains are blocked. To enforce SSO, use the --enforce-sso flag when creating your identity provider with firectl, or toggle “Enforce SSO for all users” in the Fireworks console.

Troubleshooting

Invalid samlResponse or relayState from identity provider

This error occurs if you are trying to use identity provider (IdP) initiated login. Fireworks currently only supports service provider (SP) initiated login. See Understanding SAML for an in-depth explanation.

Required String parameter ‘RelayState’ is not present

See above.