ContextQMD
Back to Firezone

Authentication

website/src/app/kb/authenticate/readme.mdx

1.0.53.7 KB
Original Source

import Alert from "@/components/DocsAlert"; import SupportOptions from "@/components/SupportOptions";

Authentication

Firezone supports a wide variety of authentication providers, allowing you to authenticate users against whatever identity provider you're already using. See below for more in-depth guides for each supported provider:

  1. Email (OTP): One-time passcode sent to a user's email.
  2. Google: Google Workspace or personal Google accounts.
  3. Microsoft Entra ID: Microsoft 365 and Azure accounts.
  4. Okta: Okta Workforce Identity.
  5. OpenID Connect (OIDC): Universal connector for any OIDC-compliant provider.

Common settings

The settings below apply to most or all authentication providers supported by Firezone.

Some providers support adding multiple instances to authenticate against different tenants or OAuth clients. Consult the specific provider guide for more details.

Default authentication provider

The Google, Entra, Okta, and OIDC providers support acting as the Default Provider for your account.

When enabled, client apps signing in will automatically be redirected to the default provider's sign-in page, streamlining the sign-in process.

To set a provider as the default:

  • Navigate to Settings -> Authentication in your Firezone admin portal
  • Under Default Provider, select the desired provider from the dropdown
  • Save your changes

Authentication context & lifetime

All authentication providers support configuring both the authentication context (admin portal vs client app) and session lifetime on a per-provider basis.

This flexibility allows you to enforce different security requirements for users accessing the admin portal versus those connecting via the client app to strike the right balance between security and usability.

<Alert color="warning"> Changing these settings will **not** automatically invalidate existing sessions. Click the **Revoke All** button on the provider details card to immediately invalidate all existing sessions created by this authentication provider. </Alert>

To configure these:

  • Navigate to Settings -> Authentication in your Firezone admin portal
  • Edit the provider you wish to configure
  • Set the desired authentication context
  • Set the desired session lifetime for each context
  • Save your changes

Disabling a provider

You can disable an authentication provider without deleting it. This is useful if you want to temporarily prevent users from authenticating with a specific provider without losing its configuration, such as when replacing it or rotating credentials.

<Alert color="warning"> Disabling an authentication provider will immediately revoke **all sessions** created by that provider. Admins signed into the portal will be signed out and client apps will be disconnected. </Alert>

To disable a provider:

  • Navigate to Settings -> Authentication in your Firezone admin portal
  • Click the toggle on the provider card to disable it
  • Confirm the action in the dialog that appears

Multi-factor authentication (MFA)

Firezone intentionally does not support multi-factor authentication (MFA) directly. Instead, we recommend setting any required MFA steps in your identity provider so you can apply a consistent MFA strategy for all of your SSO-connected applications, not just Firezone.

Here are links to MFA setup guides for some popular identity providers:

<SupportOptions />