Firezone supports a wide variety of authentication providers, allowing you to authenticate users against whatever identity provider you're already using. See below for more in-depth guides for each supported provider:

  1. Email (OTP): Authenticate with a one-time passcode sent to a user's email.
  2. Google Workspace: Authenticate users and optionally sync users and groups with Google Workspace.
  3. Microsoft Entra ID: Authenticate users and optionally sync users and groups with Microsoft Entra ID.
  4. Okta: Authenticate users and optionally sync users and groups with Okta.
  5. JumpCloud: Authenticate users and optionally sync users and groups with JumpCloud.
  6. OpenID Connect (OIDC): Authenticate to any OpenID Connect provider using a universal OIDC connector.

It's possible to create multiple providers for the Google Workspace, Microsoft Entra ID, Okta, JumpCloud, and OIDC connectors. This allows you to authenticate users against multiple providers at the same time, each with different Groups and Policies applied to them.

Disabling the email provider can lock you out of your account in the event that all other identity providers become unusable. We recommend keeping at least one admin enabled for the email provider for account recovery. If you become locked out, contact support for assistance.

Multi-factor authentication (MFA)

Firezone intentionally does not support multi-factor authentication (MFA) directly. Instead, we recommend setting any required MFA steps in your identity provider so you can apply a consistent MFA strategy for all of your SSO-connected applications, not just Firezone.

Here are links to MFA setup guides for some popular identity providers:

Session lifetime

Firezone uses a separate authentication session token for each component that authenticates to either the Admin portal and the API. See the table below for the session lifetimes of these tokens:

ComponentAuth ProviderLifetime
Admin portal web UIEmail authentication10 hours
Admin portal web UIOIDC and other identity providersCopied from the OIDC access token lifetime, up to a maximum of 10 hours
Client applicationsAll identity providers2 weeks
Service accountsN/A365 days by default, configurable per token
GatewaysN/AIndefinitely. Tokens must be explicitly revoked in the portal UI.

When a session token expires or is revoked, the affected component is disconnected immediately and must reauthenticate to regain access to Resources. This includes web UI sessions for admins.

Need additional help?

See all support options or try asking on one of our community-powered support channels:

Or try searching the docs:
Last updated: June 18, 2024