Skip to main content

Authenticate

Firezone supports the following authentication methods:

  1. Local email/password (default)
  2. SSO authentication via OpenID Connect
  3. SSO authentication via SAML 2.0
note

If your Identity Provider doesn't work with the methods listed above, contact us about custom integrations.

Integrate an SSO Provider

We've included instructions on how to set up Firezone with several popular identity providers using our Generic OIDC integration:

If your identity provider is not listed above, but has a generic OIDC or SAML connector, please consult their documentation to find instructions on obtaining the configuration settings required. Instructions for setting up Firezone with any generic OIDC provider can be found here.

Open a Github issue to request documentation or submit a pull request to add documentation for your provider.

Need help setting up SSO? Join our Firezone Slack group for community support or contact us for paid, hands-on support .

The OIDC Redirect URL

For each OIDC provider a corresponding URL is created for redirecting to the configured provider's sign-in URL. The URL format is https://firezone.example.com/auth/oidc/PROVIDER where PROVIDER is the OIDC key for that particular provider.

For example, the OIDC config below

{
"google": {
"client_id": "...",
"...": "..."
},
"okta": {
"client_id": "...",
"...": "..."
}
}

would generate the following URLs:

  • https://firezone.example.com/auth/oidc/google
  • https://firezone.example.com/auth/oidc/okta

These URLs could then be distributed to end users for direct navigation to the identity provider's login portal for authentication to Firezone.

Enforce Periodic Re-authentication

Periodic re-authentication can be enforced by changing the setting in settings/security. This can be used to ensure a user must sign in to Firezone periodically in order to maintain their VPN session.

You can set the session length to a minimum of 1 hour and maximum of 90 days. Setting this to Never disables this setting, allowing VPN sessions indefinitely. This is the default.

Re-authentication

To re-authenticate an expired VPN session, a user will need to turn off their VPN session and sign in to the Firezone portal (URL specified during deployment).

See detailed Client Instructions on how to re-authenticate your session here.

VPN Connection Status

A user's connection status is shown on the Users page under the table column VPN Connection. The connection statuses are:

  • ENABLED - The connection is enabled.
  • DISABLED - The connection is disabled by an administrator or OIDC refresh failure.
  • EXPIRED - The connection is disabled due to authentication expiration or a user has not signed in for the first time.