User Authentication
Firezone supports the following authentication methods:
- Local email/password (default)
- SSO authentication via OpenID Connect
- SSO authentication via SAML 2.0
If your Identity Provider doesn't work with the methods listed above, contact us about a custom integration.
Integrate an SSO provider
We've included instructions on how to set up Firezone with several popular identity providers using our Generic OIDC integration:
If your identity provider is not listed above, but has a generic OIDC or SAML connector, please consult their documentation to find instructions on obtaining the configuration settings required. Instructions for setting up Firezone with any generic OIDC provider can be found here.
Open a Github issue to request documentation or submit a pull request to add documentation for your provider.
The OIDC redirect URI
For each OIDC provider a corresponding URL is created for redirecting to the
configured provider's sign-in URL. The URL format is
https://firezone.example.com/auth/oidc/CONFIG_ID
where CONFIG_ID
is the OIDC
Config ID for that particular provider.
For example, the OIDC config below:
would generate the following OIDC login URL:
https://firezone.example.com/auth/oidc/google
This URL could then be distributed to end users for direct navigation to the identity provider's login portal for authentication to Firezone.
Enforce periodic re-authentication
Periodic re-authentication can be enforced by changing the setting in
settings/security
. This can be used to ensure a user must sign in to Firezone
periodically in order to maintain their VPN session.
You can set the session length to a minimum of 1 hour and maximum of 90 days. Setting this to Never disables this setting, allowing VPN sessions indefinitely. This is the default.
Re-authentication
To re-authenticate an expired VPN session, a user will need to turn off their VPN session and sign in to the Firezone portal (URL specified during deployment).
See detailed Client Instructions on how to re-authenticate your session here.
VPN connection status
A user's connection status is shown on the Users page under the table column
VPN Connection
. The connection statuses are:
- ENABLED - The connection is enabled.
- DISABLED - The connection is disabled by an administrator or OIDC refresh failure.
- EXPIRED - The connection is disabled due to authentication expiration or a user has not signed in for the first time.
Need additional help?
Try asking on one of our community-powered support channels:
- Discussion forums: Ask questions, report bugs, and suggest features.
- Public Slack group: join discussions, meet other users, and meet the contributors