User Authentication

Firezone supports the following authentication methods:

  1. Local email/password (default)
  2. SSO authentication via OpenID Connect
  3. SSO authentication via SAML 2.0

If your Identity Provider doesn't work with the methods listed above, contact us about a custom integration.

Integrate an SSO provider

We've included instructions on how to set up Firezone with several popular identity providers using our Generic OIDC integration:

If your identity provider is not listed above, but has a generic OIDC or SAML connector, please consult their documentation to find instructions on obtaining the configuration settings required. Instructions for setting up Firezone with any generic OIDC provider can be found here.

Open a Github issue to request documentation or submit a pull request to add documentation for your provider.

The OIDC redirect URI

For each OIDC provider a corresponding URL is created for redirecting to the configured provider's sign-in URL. The URL format is where CONFIG_ID is the OIDC Config ID for that particular provider.

For example, the OIDC config below:


would generate the following OIDC login URL:


This URL could then be distributed to end users for direct navigation to the identity provider's login portal for authentication to Firezone.

Enforce periodic re-authentication

Periodic re-authentication can be enforced by changing the setting in settings/security. This can be used to ensure a user must sign in to Firezone periodically in order to maintain their VPN session.

You can set the session length to a minimum of 1 hour and maximum of 90 days. Setting this to Never disables this setting, allowing VPN sessions indefinitely. This is the default.


To re-authenticate an expired VPN session, a user will need to turn off their VPN session and sign in to the Firezone portal (URL specified during deployment).

See detailed Client Instructions on how to re-authenticate your session here.

VPN connection status

A user's connection status is shown on the Users page under the table column VPN Connection. The connection statuses are:

  • ENABLED - The connection is enabled.
  • DISABLED - The connection is disabled by an administrator or OIDC refresh failure.
  • EXPIRED - The connection is disabled due to authentication expiration or a user has not signed in for the first time.

Need additional help?

Try asking on one of our community-powered support channels:

Or try searching the docs: