"I'm a beginner with OpenZiti and Zitadel. I've already deployed both and implemented some basic functionality. Based on my requirements, I want to enable access to OpenZiti services after logging in with a Zitadel account using username/password and 2FA. I understand that OIDC is required for this, but the configuration seems quite complex and I'm not sure where to start. Has anyone implemented this kind of integration?"
Hi @shujiepan, have you had a look around this forum for Zitadel-related posts? This one from last summer is probably quite relevant: Zitadel integration
There are a few posts in there that might be relevant. There's also a YouTube video I recorded for that thread which might help you as well. I'll link that here too.
After that there's a doc page showing you what values are important, did you find that? ZITADEL | OpenZiti
It definitely feels daunting at first, I can appreciate that. Not only will you be dealing with OpenZiti terms but it sounds like you'll be learning Zitadel along the way and that's a lot. I've done it "many times" by now and I can assure you it gets easier the more you do it (like anything).
Have a look through that thread, watch that video and if you need more help let me know. It might make a good "next video" for the learn OpenZiti series I started (but had to put on hiatus).
Let us know if that helps or if you get stuck.
General steps:
- setup openziti
- setup zitadel
- add zitadel application / project / user (see that doc)
- create openziti identity, make sure you add an external id to the identity mapping to a claim found in the zitadel token (this is probably the trickiest part imo)
- try logging in with ZAC or with the ZDEW or try using the ziti CLI command to verify things are working, something like
ziti ops verify ext-jwt-signer oidc --controller-url https://ctrl.url.here zitadel-ext-jwt-signer
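As an added example (not from the thread or the OpenZiti project), the steps above as ziti CLI commands: an ext-jwt-signer that trusts Zitadel's JWKS, an auth policy that allows it, and an identity whose external id is mapped to the token claim named by --claims-property. The Zitadel domain, client id, the choice of the email claim and the signer/policy names are assumptions for your deployment; DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example: OpenZiti <-> Zitadel external JWT signer setup via the ziti CLI.
set -eu

ZITADEL_ISSUER="${ZITADEL_ISSUER:-https://zitadel.example.com}"        # assumption: your Zitadel domain
ZITADEL_CLIENT_ID="${ZITADEL_CLIENT_ID:-CLIENT_ID_FROM_ZITADEL_APP}"  # placeholder: Zitadel application client id
CTRL_URL="${CTRL_URL:-https://ctrl.url.here}"                         # placeholder: controller URL
CLAIM="${CLAIM:-email}"                    # token claim that must equal the identity's external id
SIGNER_NAME="zitadel-ext-jwt-signer"
POLICY_NAME="zitadel-auth-policy"
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print commands, 0 = run them against the controller

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# 1. Trust tokens issued by Zitadel; --use-external-id makes the controller match
#    the CLAIM value against identity.externalId instead of the identity id.
create_signer() {
  run ziti edge create ext-jwt-signer "$SIGNER_NAME" "$ZITADEL_ISSUER" \
    --jwks-endpoint "$ZITADEL_ISSUER/oauth/v2/keys" \
    --audience "$ZITADEL_CLIENT_ID" \
    --client-id "$ZITADEL_CLIENT_ID" \
    --scopes openid,profile,email \
    --claims-property "$CLAIM" \
    --use-external-id
}

# 2. Allow that signer as a primary authentication method (assumes the flag accepts the signer name).
create_policy() {
  run ziti edge create auth-policy "$POLICY_NAME" \
    --primary-ext-jwt-allowed \
    --primary-ext-jwt-allowed-signers "$SIGNER_NAME"
}

# 3. Create an identity whose external id equals the user's claim value (here the email).
create_identity() {
  user_email="$1"; identity_name="$2"
  run ziti edge create identity "$identity_name" \
    --external-id "$user_email" \
    --auth-policy "$POLICY_NAME" \
    --role-attributes zitadel-users
}

# 4. Check the signer end to end with the command from the thread.
verify_signer() {
  run ziti ops verify ext-jwt-signer oidc --controller-url "$CTRL_URL" "$SIGNER_NAME"
}

if [ "${ZITI_APPLY:-0}" = 1 ]; then
  DRY_RUN=0; create_signer; create_policy; create_identity alice@example.com alice; verify_signer
fi
```

Run with ZITI_APPLY=1 (after `ziti edge login`) to execute the commands instead of printing them.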
Thanks so much for the quick reply! Really appreciate it. I'll check out the video first and follow up here if I run into any issues.