Authentication
Firezone supports a wide variety of authentication providers, allowing you to authenticate users against whatever identity provider you're already using. See below for more in-depth guides for each supported provider:
- Email (OTP): One-time passcode sent to a user's email.
- Google: Google Workspace or personal Google accounts.
- Microsoft Entra ID: Microsoft 365 and Azure accounts.
- Okta: Okta Workforce Identity.
- OpenID Connect (OIDC): Universal connector for any OIDC-compliant provider.
Common settings
The settings below apply to most or all authentication providers supported by Firezone.
Some providers support adding multiple instances to authenticate against different tenants or OAuth clients. Consult the specific provider guide for more details.
Default authentication provider
The Google, Entra, Okta, and OIDC providers support acting as the Default Provider for your account.
When enabled, client apps signing in will automatically be redirected to the default provider's sign-in page, streamlining the sign-in process.
To set a provider as the default:
- Navigate to Settings -> Authentication in your Firezone admin portal
- Under Default Provider, select the desired provider from the dropdown
- Save your changes
Authentication context & lifetime
All authentication providers support configuring both the authentication context (admin portal vs client app) and session lifetime on a per-provider basis.
This flexibility allows you to enforce different security requirements for users accessing the admin portal versus those connecting via the client app, so you can strike the right balance between security and usability.
Changing these settings will not automatically invalidate existing sessions. Click the Revoke All button on the provider details card to immediately invalidate all existing sessions created by this authentication provider.
To configure these:
- Navigate to Settings -> Authentication in your Firezone admin portal
- Edit the provider you wish to configure
- Set the desired authentication context
- Set the desired session lifetime for each context
- Save your changes
Disabling a provider
You can disable an authentication provider without deleting it. This is useful if you want to temporarily prevent users from authenticating with a specific provider without losing its configuration, such as when replacing it or rotating credentials.
Disabling an authentication provider will immediately revoke all sessions created by that provider. Admins signed into the portal will be signed out and client apps will be disconnected.
To disable a provider:
- Navigate to Settings -> Authentication in your Firezone admin portal
- Click the toggle on the provider card to disable it
- Confirm the action in the dialog that appears
Multi-factor authentication (MFA)
Firezone intentionally does not support multi-factor authentication (MFA) directly. Instead, we recommend setting any required MFA steps in your identity provider so you can apply a consistent MFA strategy for all of your SSO-connected applications, not just Firezone.
Here are links to MFA setup guides for some popular identity providers: