How Directory Sync Works

ENTERPRISE

Firezone supports automatic directory sync from Google Workspace, Microsoft Entra ID, and Okta. This feature is automatically enabled when you create one of the Google Workspace, Microsoft Entra, or Okta connectors. No further configuration is necessary. Once the connector is activated, users, groups, and organizational units will be synced from your identity provider every few minutes.

How Firezone treats deleted entities

When you delete a user or group in your identity provider, Firezone soft-deletes them upon the next sync. This prevents data duplication if a user or group is only temporarily suspended, and helps preserve logged activity within Firezone for auditing purposes.

Deleting or suspending a user

When a user is deleted or suspended in your identity provider, Firezone will delete the associated identity the user signs in with, clearing all active Client and admin portal web sessions for that identity. The user will be immediately signed out of all Client and admin portal sessions.

This ensures terminated employees will have all Firezone access revoked within a few minutes of deleting or suspending them in your identity provider.

Deleting a group or organizational unit

When a group or organizational unit is deleted in your identity provider, Firezone will delete the group and all associated Policies. Any access granted by those Policies will be immediately revoked.

Nested groups and organizational units

Firezone syncs nested (sometimes called "transitive") memberships from your identity provider. This means user membership for a particular group is determined not only by its immediate members, but any child groups as well. This allows you to create nested group structures in your identity provider and have their memberships automatically reflected in Firezone.

For example, if you had the following group structure in your identity provider:

Everyone:
  - steve@company.com
  Support:
    - patrick@company.com
  Engineering:
    - bob@company.com
    - alice@company.com
    Devops:
      - john@company.com

You would see the following group memberships in Firezone after sync:

Group:Everyone:
  - steve@company.com
  - patrick@company.com
  - bob@company.com
  - alice@company.com
  - john@company.com
Group:Engineering:
  - bob@company.com
  - alice@company.com
  - john@company.com
Group:Support:
  - patrick@company.com
Group:DevOps:
  - john@company.com

Need additional help?

Try asking on one of our community-powered support channels:

Discussion forums: Ask questions, report bugs, and suggest features.
Discord server: Join discussions, meet other users, and chat with the Firezone team
Email us: We read every message.

Or try searching the docs:

Last updated: April 19, 2024