Authentication
Firezone supports the following authentication methods and identity providers:
- Email (OTP): Authenticate with a one-time passcode sent to a user's email.
- OpenID Connect (OIDC): Authenticate to any OpenID Connect provider using a universal OIDC connector.
- Google Workspace: Authenticate users and sync users and groups with Google Workspace.
- Microsoft Entra ID: Authenticate users and sync users and groups with Microsoft Entra ID.
- Okta: Authenticate users and sync users and groups with Okta.
It's possible to create multiple providers for Google Workspace, Microsoft Entra ID, Okta, and OIDC connectors. This allows you to authenticate users against multiple providers at the same time, each with different Groups and Policies applied to them.
Disabling the email provider can lock you out of your account in the event that all other identity providers become unusable. We recommend keeping at least one admin enabled for the email provider for account recovery. If you become locked out, contact support for assistance.
Session lifetime
The table below summarizes the session lifetimes for various components.
| Component | Auth Provider | Lifetime |
|---|---|---|
| Admin portal web UI | Email authentication | 10 hours |
| Admin portal web UI | OIDC and other identity providers | Copied from the OIDC access token lifetime, up to a maximum of 10 hours |
| Client applications | All identity providers | 10 hours |
| Service accounts | N/A | 365 days by default, configurable per token |
| Gateways | N/A | Indefinitely. Tokens must be explicitly revoked in the portal UI. |
When a session token expires or is revoked, the affected component is disconnected immediately and must reauthenticate to regain access to Resources. This includes web UI sessions for admins.