Authentication

Firezone supports a wide variety of authentication providers, allowing you to authenticate users against whatever identity provider you're already using. See below for more in-depth guides for each supported provider:

  1. Email (OTP): Authenticate with a one-time passcode sent to a user's email.
  2. Google Workspace: Authenticate users and optionally sync users and groups with Google Workspace.
  3. Microsoft Entra ID: Authenticate users and optionally sync users and groups with Microsoft Entra ID.
  4. Okta: Authenticate users and optionally sync users and groups with Okta.
  5. OpenID Connect (OIDC): Authenticate to any OpenID Connect provider using a universal OIDC connector.

It's possible to create multiple providers for the Google Workspace, Microsoft Entra ID, Okta, and OIDC connectors. This allows you to authenticate users against multiple providers at the same time, each with different Groups and Policies applied to them.

Disabling the email provider can lock you out of your account in the event that all other identity providers become unusable. We recommend keeping at least one admin enabled for the email provider for account recovery. If you become locked out, contact support for assistance.

Multi-factor authentication (MFA)

Firezone intentionally does not support multi-factor authentication (MFA) directly. Instead, we recommend setting any required MFA steps in your identity provider so you can apply a consistent MFA strategy for all of your SSO-connected applications, not just Firezone.

Here are links to MFA setup guides for some popular identity providers:

Session lifetime

Firezone uses a separate authentication session token for each component that authenticates to either the Admin portal or the API. See the table below for the session lifetimes of these tokens:

Component             Auth provider                       Lifetime
--------------------  ----------------------------------  ------------------------------------------------------------------------
Admin portal web UI   Email authentication                10 hours
Admin portal web UI   OIDC and other identity providers   Copied from the OIDC access token lifetime, up to a maximum of 10 hours
Client applications   All identity providers              2 weeks
Service accounts      N/A                                 365 days by default, configurable per token
Gateways              N/A                                 Indefinitely. Tokens must be explicitly revoked in the portal UI.

When a session token expires or is revoked, the affected component is disconnected immediately and must reauthenticate to regain access to Resources. This includes web UI sessions for admins.

Last updated: May 15, 2024