App-identity based enrollment

Can OpenZiti enroll an integrated Ziti application as an identity instead of a user or device? For example, if the application is distributed to multiple users, the posture policy would remain the same for all of them. If not, any recommendation to make it possible?

Hi @Faezz001, welcome to the community and to OpenZiti!

If you were to create an identity, enroll the identity and then distribute that identity along with your app... EVERYONE using your app would use the same identity. In general this would be a very bad practice for two reasons: you're distributing a secret (the identity file is a public/private keypair), and all the instances would connect using the same identity. It makes me think we have a disconnect of understanding.

Could you describe a bit more what you're trying to do? Do the users "login" or "sign up" for the app? Is it a web-app you're trying to expose? I feel like I don't understand what you're trying to do and a bit of extra description would help me provide the best guidance here.

We are trying to simplify the enrollment process since the app has a login page for authentication. The app provides service apps. Some of them are exposed to the Internet and others are not. We just want the user to be able to reach the private service app. The private service app will have another layer of authentication.

Hi @Faezz001, that's a common use case. I still don't know if I have a good picture of the topology... If it were me, I would have a public, authorized endpoint that allows your user to provision the identity on their local device. I assume this is an 'app' (iOS/Android) and not "web-based", right?

Then, when they want to access the 'private' stuff, you make a part of the app where they basically "enroll". That flow would be something like:

  • user contacts your server using your app
  • server is authorized to update the openziti overlay itself and creates a new identity for the user
  • server delivers a jwt to the user's device
  • user's device "enrolls" that identity
  • app uses the identity to connect to the private parts

That's a basic overview of what I would set up.
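The five-step flow above, as an added simulation that is not OpenZiti's code or API: a constructed in-memory `Controller` stands in for the overlay controller, its enrollment JWT is replaced by an HMAC-signed single-use token, `RequestEnrollment` plays the authorized server endpoint the app contacts after login, and `EnrollDevice` plays the user's device. The session table and user names are constructed sample data. It shows the two properties the earlier reply is concerned with: every user ends up with a distinct identity, and the private key is generated on the device rather than shipped inside the app, so a replayed token, an unsigned token, or another device's key is refused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Controller is a constructed stand-in for the overlay controller: it issues
// single-use enrollment tokens and records one device public key per identity.
type Controller struct {
	hmacKey  []byte
	pending  map[string]string            // token id -> identity id, not yet used
	enrolled map[string]ed25519.PublicKey // identity id -> device public key
}

func randomID() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand.Read is guaranteed not to fail (Go 1.24+)
	return base64.RawURLEncoding.EncodeToString(b)
}

func NewController() *Controller {
	return &Controller{[]byte(randomID()), map[string]string{}, map[string]ed25519.PublicKey{}}
}

// mac signs a token id with the controller's key (stands in for JWT signing).
func (c *Controller) mac(tokenID string) []byte {
	h := hmac.New(sha256.New, c.hmacKey)
	h.Write([]byte(tokenID))
	return h.Sum(nil)
}

// CreateIdentity is the management call the authorized server makes for an
// authenticated user: a fresh identity plus the token that may enroll it once.
func (c *Controller) CreateIdentity(user string) (identity, token string) {
	identity = user + "-" + randomID()
	tokenID := randomID()
	c.pending[tokenID] = identity
	return identity, tokenID + "." + base64.RawURLEncoding.EncodeToString(c.mac(tokenID))
}

// Enroll is called by the device with its token and the public half of a key
// pair generated on that device; the token is consumed on first use.
func (c *Controller) Enroll(token string, pub ed25519.PublicKey) (string, error) {
	tokenID, sigB64, ok := strings.Cut(token, ".")
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	if !ok || err != nil || !hmac.Equal(c.mac(tokenID), sig) {
		return "", errors.New("invalid enrollment token")
	}
	identity, ok := c.pending[tokenID]
	if !ok {
		return "", errors.New("enrollment token unknown or already used")
	}
	delete(c.pending, tokenID) // one token, one enrollment
	c.enrolled[identity] = pub
	return identity, nil
}

// VerifyChallenge checks a signature against the key enrolled for an identity,
// which is how a later connection proves possession of that identity's key.
func (c *Controller) VerifyChallenge(identity string, msg, sig []byte) bool {
	pub, ok := c.enrolled[identity]
	return ok && ed25519.Verify(pub, msg, sig)
}

// RequestEnrollment is the public, authorized server endpoint the app calls
// after login; sessions is constructed sample data (app session -> user).
func RequestEnrollment(ctrl *Controller, sessions map[string]string, session string) (string, error) {
	user, ok := sessions[session]
	if !ok {
		return "", errors.New("not logged in")
	}
	_, token := ctrl.CreateIdentity(user)
	return token, nil
}

// EnrollDevice runs on the user's device: the key pair is generated here and
// the private half never leaves it, which shipping one identity with the app would give up.
func EnrollDevice(ctrl *Controller, token string) (string, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	id, err := ctrl.Enroll(token, pub)
	return id, priv, err
}

func main() {
	ctrl := NewController()
	sessions := map[string]string{"sess-a": "alice", "sess-b": "bob"} // constructed app logins
	for sess := range sessions {
		tok, _ := RequestEnrollment(ctrl, sessions, sess)
		id, priv, _ := EnrollDevice(ctrl, tok)
		fmt.Println(id, "proves its key:", ctrl.VerifyChallenge(id, []byte("c"), ed25519.Sign(priv, []byte("c"))))
		_, _, err := EnrollDevice(ctrl, tok) // replaying the consumed token must fail
		fmt.Println("replay:", err)
	}
}
```

The design choice worth noting is where the secret lives: the only thing that ever crosses the wire from server to device is a single-use token bound to one identity, and the only thing the device sends back is a public key. Replace `Controller` with a client for the real management API and `EnrollDevice` with the SDK's enrollment call and the shape of the flow stays the same.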