SSO with Google

Available on: Starter, Team, Enterprise

Firezone supports authenticating users with Google using Firezone's public OAuth client. This works with both personal Google accounts (Gmail) and Google Workspace accounts. Only one Google provider can be configured per Firezone account.

Looking for directory sync? See the Google directory sync guide to automatically provision users and groups from Google Workspace.

Enable Google authentication

To enable Google authentication:

  1. Go to Settings → Authentication in your admin portal.
  2. Click Add Provider and select Google.
  3. Name the provider — this is shown to users on the sign-in page.
  4. Select the authentication context:
    • Client Applications and Admin Portal: Users can sign in to both the Firezone client applications and admin portal using Google SSO.
    • Client Applications Only: Users can sign in to the Firezone client applications using Google SSO but not the admin portal.
    • Admin Portal Only: Users can sign in to the admin portal using Google SSO but not the Firezone client applications.
  5. Portal session lifetime: (optional) Set a custom session lifetime for users signing in to the admin portal with Google SSO. Leave blank to use the default session lifetime.
  6. Client session lifetime: (optional) Set a custom session lifetime for users signing in to the Firezone client applications with Google SSO. Leave blank to use the default session lifetime.
  7. Click Verify Now to complete an authentication flow and confirm the provider is working.
  8. Click Save.

Users will now see this provider as an option on the Firezone sign-in page.

How it works

Firezone uses a public OAuth client to authenticate users with Google. When a user signs in:

  1. They're redirected to Google's sign-in page.
  2. After authenticating with Google, they're redirected back to Firezone.
  3. Firezone matches the user using the iss and sub claims from Google. For users provisioned via directory sync, this identity already exists. For manually created users, Firezone matches by email on first sign-in and saves the Google identity for subsequent sign-ins.

No Google Cloud project or OAuth client setup is required on your end.
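The matching rule in step 3 above, as an added Python example that is not Firezone's code: a small user store with saved (iss, sub) pairs, an email fallback used only for a user who has no saved Google identity yet, and an email_verified check that the page does not mention (an assumption made here for safety).

```python
# Added example, not Firezone's implementation. Models the identity-matching
# step: match on the saved (iss, sub) pair first; only a user with no saved
# Google identity is matched by email, and the pair is then stored so later
# sign-ins never depend on the email again.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GOOGLE_ISS = "https://accounts.google.com"


@dataclass
class User:
    id: str
    email: str
    # (iss, sub) saved at first Google sign-in; None for manually created users
    google_identity: Optional[Tuple[str, str]] = None


class UserNotFound(Exception):
    pass


def sample_users() -> List[User]:
    """Constructed sample data: one manually created user, one already linked."""
    return [
        User("u1", "alice@example.com"),
        User("u2", "bob@example.com", (GOOGLE_ISS, "sub-bob")),
    ]


def match_user(users: List[User], claims: Dict) -> User:
    """Return the Firezone user for a set of Google ID-token claims."""
    if claims.get("iss") != GOOGLE_ISS:
        raise ValueError("token not issued by Google")
    identity = (claims["iss"], claims["sub"])
    # 1. Stable match on the saved Google identity.
    for u in users:
        if u.google_identity == identity:
            return u
    # 2. First sign-in only: match by email, then save the identity.
    #    Assumption: requiring a verified email is added here; the page does
    #    not say whether Firezone checks it.
    if not claims.get("email_verified", False):
        raise UserNotFound("email not verified by Google; cannot link")
    email = claims.get("email", "").lower()
    for u in users:
        # A user that already has a Google identity is never matched by email,
        # so another Google account with the same email but a different sub
        # does not match.
        if u.google_identity is None and u.email.lower() == email:
            u.google_identity = identity
            return u
    raise UserNotFound("create the user or provision it via directory sync")
```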

Data accessed

Firezone requests the following scopes from Google:

  • openid — Required for authentication
  • email — Used to match users on first sign-in
  • profile — Used for the user's display name

Firezone does not access your contacts, calendar, or any other Google data.

Supported account types

The Google provider supports:

  • Personal Google accounts (Gmail) — Any user with a @gmail.com address or a custom-domain address linked to a personal Google account
  • Google Workspace accounts — Users managed by your organization's Google Workspace

Provisioning users

Users must exist in Firezone before they can sign in with Google. You can:

  • Create users manually in the admin portal. On their first sign-in, Firezone matches them by email and saves their Google identity.
  • Provision users and groups automatically from Google Workspace with directory sync.

Troubleshooting

User not found

If a user sees a "user not found" or similar error when signing in, it means no matching user exists in Firezone. The user must be created manually or provisioned via directory sync before they can sign in.

Access blocked by Workspace admin

Google Workspace admins can restrict which third-party apps users are allowed to sign into. If a user sees "Access blocked" or "This app is blocked", the Workspace admin will need to allow Firezone in the Google Admin console under Security → API controls → App access control.

Revoking access

Users can revoke Firezone's access to their Google account from their Google Account security settings. Revoking access does not delete the user from Firezone or end their active sessions, but they will need to re-authorize on their next sign-in.

Last updated: December 21, 2025