How Directory Sync Works
Firezone supports automatic directory sync from Google Workspace, Microsoft Entra ID, Okta, and JumpCloud. This feature is automatically enabled when you create one of the Google Workspace, Microsoft Entra, or Okta connectors. For the JumpCloud connector, a final setup step is required after creating the connector to activate JumpCloud's SCIM API. Once the connector is activated, users, groups, and organizational units will be synced from your identity provider every few minutes.
Role mapping
All synced users are assigned the unprivileged User
role by default. This role
is allowed to sign in from the Firezone Client, but has no access to the admin
portal. If you need to grant a synced user access to the admin portal, you can
manually assign the user the Admin
role by going to
Actors -> <actor name> -> Edit User
and updating their role appropriately.
Automatic role mapping is not currently supported. If this is a feature you would like to see, please let us know by leaving a comment on our GitHub issue tracker.
How Firezone treats deleted entities
When you delete a user or group in your identity provider, Firezone soft-deletes them upon the next sync. This prevents data duplication if a user or group is only temporarily suspended, and helps preserve logged activity within Firezone for auditing purposes.
Deleting or suspending a user
When a user is deleted or suspended in your identity provider, Firezone will delete the associated identity the user signs in with, clearing all active Client and admin portal web sessions for that identity. The user will be immediately signed out of all Client and admin portal sessions.
This ensures terminated employees will have all Firezone access revoked within a few minutes of deleting or suspending them in your identity provider.
Deleting a group or organizational unit
When a group or organizational unit is deleted in your identity provider, Firezone will delete the group and all associated Policies. Any access granted by those Policies will be immediately revoked.
Nested groups and organizational units
Firezone syncs nested (sometimes called "transitive") memberships from your identity provider. This means user membership for a particular group is determined not only by its immediate members, but any child groups as well. This allows you to create nested group structures in your identity provider and have their memberships automatically reflected in Firezone.
For example, if you had the following group structure in your identity provider:
Everyone:
- steve@company.com
Support:
- patrick@company.com
Engineering:
- bob@company.com
- alice@company.com
Devops:
- john@company.com
You would see the following group memberships in Firezone after sync:
Group:Everyone:
- steve@company.com
- patrick@company.com
- bob@company.com
- alice@company.com
- john@company.com
Group:Engineering:
- bob@company.com
- alice@company.com
- john@company.com
Group:Support:
- patrick@company.com
Group:DevOps:
- john@company.com
Need additional help?
See all support options or try asking on one of our community-powered support channels:
- Discussion forums: Ask questions, report bugs, and suggest features.
- Discord server: Join discussions, meet other users, and chat with the Firezone team
- Email us: We read every message.