I recently set up a new Ziti instance with version 1.1.9 and then upgraded it to 1.1.15. It seems there were no issues during the upgrade process. However, I haven't tested it with the existing profiles on a Linux machine yet. I only tested it with a single identity on the Mac Edge Desktop, and it worked fine.
Do you expect an old Ziti identity on a Linux machine to fail to load?
Oh, I think I got it: in case of a rollback, we need the old database file, not the new upgraded one.
Right. You must be prepared to restore the old ziti version's database snapshot if you downgrade the ziti controller deployment.
@qrkourier I've upgraded the controller and router, and configured the IdP- and BrowZer-related things in Ziti Console:
- ext-jwt signers,
- authentication policy,
- created an identity mapped to the policy,
- installed the BrowZer bootstrapper.
When I try to access the URL:
Request URL: https://ziti-browzer.xxxx.com/edge/client/v1/authenticate?method=ext-jwt
Request Method: POST
Status Code: 401 Unauthorized
I just get this; not sure whether this is requesting the ziti-browzer certificate and failing?
Could you help me fix this?
It was prompting me to select a certificate? I think this is looking for the ziti-controller alternative certificate?
This is the console error that I'm seeing; something related to a certificate is my guess, not sure.
Based on the failed POST authenticate request in your web browser's network log, I assume the controller did not recognize the access token (JWT) from your identity provider in that request.
It could be a configuration problem with the auth policy or the identity's external ID. The identity must have an external ID that matches the identity provider's claim you specified when creating the ext-jwt-signer. That is, if you set `--claims-property "email"` then the JWT must have claim "email" with a value matching the identity's external ID. The identity must also be set to use the auth-policy with which you associated the ext-jwt-signer, e.g., `update identity "alice" --auth-policy "abcd1234" --external-id "alice@example.com"`.
Your web browser prompted you to select a client certificate because you navigated to a web server that accepts client certificates. Still, there's no need to present a client certificate to access a web app through BrowZer. You will only authenticate with OIDC through your identity provider, not with a client certificate.
@qrkourier I think I found the issue: my Keycloak is internal, it's not public. I used Ziti Edge Desktop to give access only to the Keycloak URL so that BrowZer can log in, but it looks like on the back end the controller also needs access to the Keycloak URL; it was failing on the controller side to validate the token.
For testing purposes I switched to Auth0 and tested, and it looks like it is forwarding now, but I get a different issue. I assume OIDC should be accessible from the controller as well, not only on the client side.
My vhost and Ziti service are pointing to an AWS ALB load balancer, which in turn has its own certificate, so it is throwing me the error below.
@qrkourier I think I figured it out: use scheme https instead of http.
One more question: how do I use a custom claim instead of email?
You want to use an IdP claim other than `email` to match the identities' `externalId` properties. Any claim in the IdP's access token should work, and I have only used `email`.
You must specify which claim to use when you create the external JWT signer, and the value of the claim must match an authorized identity's external ID.
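The two answers above describe the same matching rule: the controller reads the claim named by `--claims-property` out of the IdP's token and looks for an identity whose external ID equals that value and whose auth policy is the one the ext-jwt-signer is attached to. The following is an added model of that rule written for this thread, not OpenZiti's controller code. To run offline it signs tokens with HS256 and a constructed shared secret, where a real ext-jwt-signer verifies against the IdP's JWKS endpoint or a PEM certificate; the issuer, audience, policy ID, identity names and the custom `ziti_id` claim are all hypothetical sample data.

```python
"""Model of how a controller matches an external JWT to a Ziti identity.

Added illustration, not OpenZiti code. It signs tokens with HS256 and a
shared secret so it runs offline; a real ext-jwt-signer is verified against
the IdP's JWKS endpoint or a PEM certificate instead.
"""
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"constructed-demo-secret"  # constructed; stands in for the IdP key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Stand-in for the IdP: issue a compact HS256 JWT over `claims`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SHARED_SECRET) -> dict:
    """Return the claims if the signature checks out, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def authenticate(token: str, signer: dict, identities: list, now: float = None):
    """Return (identity_name, None) on success, or (None, reason) for a 401.

    `signer` mirrors an ext-jwt-signer: issuer, audience, the claims_property
    chosen with --claims-property, and the auth_policy it is attached to.
    Each identity carries the external_id and auth_policy set on it.
    """
    now = time.time() if now is None else now
    try:
        claims = verify_token(token)
    except ValueError as err:
        return None, f"token rejected: {err}"
    if claims.get("iss") != signer["issuer"]:
        return None, "issuer mismatch"
    aud = claims.get("aud")
    if signer["audience"] not in (aud if isinstance(aud, list) else [aud]):
        return None, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return None, "token expired"
    prop = signer["claims_property"]
    if prop not in claims:
        return None, f"claim {prop!r} missing from token"
    external_id = claims[prop]
    for ident in identities:
        if ident["external_id"] == external_id:
            if ident["auth_policy"] != signer["auth_policy"]:
                return None, f"identity {ident['name']!r} is not on the signer's auth policy"
            return ident["name"], None
    return None, f"no identity with external ID {external_id!r}"


# Constructed sample data (hypothetical names, issuer, audience and policy ids).
SIGNER = {
    "issuer": "https://idp.example.com/realms/demo",
    "audience": "openziti-browzer",
    "claims_property": "ziti_id",  # custom IdP attribute instead of "email"
    "auth_policy": "abcd1234",
}
IDENTITIES = [
    {"name": "acme-org", "external_id": "acme", "auth_policy": "abcd1234"},
    {"name": "bob", "external_id": "bob@example.com", "auth_policy": "default"},
]
NOW = 1_700_000_000  # fixed clock so the run is reproducible


def token_for(extra: dict, secret: bytes = SHARED_SECRET) -> str:
    """Mint a token from the sample IdP carrying `extra` claims."""
    base = {"iss": SIGNER["issuer"], "aud": SIGNER["audience"], "exp": NOW + 300}
    return mint_token({**base, **extra}, secret)


if __name__ == "__main__":
    # One org-wide ziti_id claim maps many IdP users onto a single identity.
    for user in ("alice@acme.example", "carol@acme.example"):
        tok = token_for({"email": user, "ziti_id": "acme"})
        print(user, "->", authenticate(tok, SIGNER, IDENTITIES, NOW))
    print(authenticate(token_for({"email": "alice@acme.example"}), SIGNER, IDENTITIES, NOW))
    print(authenticate(token_for({"ziti_id": "bob@example.com"}), SIGNER, IDENTITIES, NOW))
```

Each failure path ends in the same bare 401 the browser network log showed earlier in the thread, which is why the reasons are worth listing: a token whose signature, issuer or audience does not match the signer, a token without the configured claim, a claim value that matches no identity, and an identity that matches but sits on a different auth policy than the signer. The `ziti_id` claim also shows the shared-attribute approach from the next post: several IdP users carrying the same value all land on one Ziti identity.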
Yeah, I made it work: I created a custom user attribute and added a common ziti-id for an organization. So there is no need to create multiple identities and policies in Ziti; I use one per organization.
I have a couple of questions:
```yaml
zitiBrowzer:
  bootstrapper:
    logLevel: "info"
    loadBalancer:
      host: "assistant.test.com" # browzer.ziti.example.com
      port: 443
      scheme: http
    targets:
      - vhost: "assistant.test.com" # httpbin.ziti.example.com
        service: "aws-dev-assistant" # httpbin-service
        path: /
        scheme: https
        idp_issuer_base_url: "https://test.test.com/realms/demo"
        idp_client_id: "assistnt-dev"
  controller:
    host: "ziti-browzer.test.com" # client.ziti.example.com
    port: 443
  runtime:
    logLevel: "info"
    #nodeTlsRejectUnauthorized: 0
  originTrailToken: "xxxxxxxx"

ingress:
  tlsSecret: "demo-browzer-tls" # ziti-browzer-tls
  ingressClassName: "nginx" # nginx
  # annotate to bind a publicly trusted ingress cert and use plain HTTP for upstream requests
  # to the target service
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-dns-cloudflare" # cloudflare-dns01-issuer-prod
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    #nginx.ingress.kubernetes.io/ssl-passthrough: "true"
```
- Will BrowZer require a certificate only for
loadBalancer:
  host: "assistant.test.com"
or for the vhost too?
- I have created an originTrailToken; how does it renew automatically? Do I need to manually renew it and redeploy BrowZer every 3 months? How do I set that permanently?
- How do I disable, or stop showing in the browser, the text "OpenZiti BrowZer is Bootstrapping your web app" for clients, and remove the BrowZer icon too?