Feature request and general feedback

Hello,

After using Ziti for a while, I've noticed the Edge Tunnel apps appear to be a bit buggy, especially when it comes to using IDPs. I've mentioned them in other threads, but to sum it up:

  • Silent disconnection from the ziti tunnel: sometimes, on Android and Windows, it will "appear" as if you are still connected, but things just don't work until you disable/re-enable the identity and sometimes also turn off/turn on ziti (power button above identities). This leads to confusion and multiple re-logins with IDP auth. Sleeping a PC causes this, possibly rebooting a mobile device as well, and sometimes it's just not clear why (could there be a heartbeat of some type to verify the tunnel is working?).
  • UX/UI nuances: for less technical users, I've run into some getting very confused that they need to open Ziti, look at the service count to see if it shows a red login or yellow lock icon (odd that they appear different on Android vs. Windows), click on that and, if on Android, also then click on "Login with JWT", wait for the browser to open, log in, and then check to see if things are working.
  • Partial service availability: sometimes a handful of services will work but one specific one (or maybe multiple?) doesn't, until you re-auth again.

Given all this, I've had to resort to changing back to device-based/cert auth. This has its nuances too, where you need to (as the admin) generate a new cert/device identity in ziti for every single device a user has, and then transfer that cert to each device (devices I don't own or have control over), which the user then needs to use to add an identity - a challenge with non-tech users. Perhaps a good middle-ground feature would be a hybrid approach:

  1. User installs the Edge Tunnel app
  2. User enters the controller URL (I don't think this was consistently supported across clients, which is also confusing given the lack of documentation here)
  3. Browser opens (immediately) to auth to the IDP, user logs in
  4. Ziti issues a cert and transfers it to the Edge client automatically
  5. Any future "logins" automatically happen with the cert.

Pros of this approach:

  • Allows using user based auth with the IDP (which I can apply MFA/WebAuthn to) initially
  • Validates a specific device via certs
  • Less admin AND user intervention just to set up a new device
  • Streamlined - the setup process takes care of what could be a complicated "do this, then that" instruction.
  • No file transfers needed

Happy to hear the Ziti team's take on this, and other community members' experience so far with the IDP/cert methods.

NOTE: I realize I am a "homelabber" and may have unique use cases, but distributed workforces are common, oftentimes without central management, in SMBs with less technical users, and IDPs fill a gap here. Having worked with many SMBs in the past and in consulting work, I think OpenZiti has great promise once it tackles some of the bugs and UI/UX issues present.