Authentication

Firezone supports the following authentication methods and identity providers:

  1. Email (OTP): Authenticate with a one-time passcode sent to a user's email.
  2. OpenID Connect (OIDC): Authenticate to any OpenID Connect provider using a universal OIDC connector.
  3. Google Workspace: Authenticate users and sync users and groups with Google Workspace.
  4. Microsoft Entra ID: Authenticate users and sync users and groups with Microsoft Entra ID.
  5. Okta: Authenticate users and sync users and groups with Okta.

It's possible to create multiple providers for Google Workspace, Microsoft Entra ID, Okta, and OIDC connectors. This allows you to authenticate users against multiple providers at the same time, each with different Groups and Policies applied to them.

Disabling the email provider can lock you out of your account in the event that all other identity providers become unusable. We recommend keeping at least one admin enabled for the email provider for account recovery. If you become locked out, contact support for assistance.

Session lifetime

The table below summarizes the session lifetimes for various components.

Component              Auth Provider                        Lifetime
Admin portal web UI    Email authentication                 10 hours
Admin portal web UI    OIDC and other identity providers    Copied from the OIDC access token lifetime, up to a maximum of 10 hours
Client applications    All identity providers               1 week
Service accounts       N/A                                  365 days by default, configurable per token
Gateways               N/A                                  Indefinitely. Tokens must be explicitly revoked in the portal UI.

When a session token expires or is revoked, the affected component is disconnected immediately and must reauthenticate to regain access to Resources. This includes web UI sessions for admins.