How to integrate OpenZiti+Zitadel , for user/password login

"I'm a beginner with OpenZiti and Zitadel. I've already deployed both and implemented some basic functionality. Based on my requirements, I want to enable access to OpenZiti services after logging in with a Zitadel account using username/password and 2FA. I understand that OIDC is required for this, but the configuration seems quite complex and I'm not sure where to start. Has anyone implemented this kind of integration?"

Hi @shujiepan, have you had a look around this forum for Zitadel-related posts? This one from last summer is probably quite relevant: Zitadel integration

There are a few posts in there that might be relevant. There's also a YouTube video I recorded for that thread which might help you as well. I'll link that here too.

After that there's a doc page showing you what values are important, did you find that? ZITADEL | OpenZiti

It definitely feels daunting at first, I can appreciate that. Not only will you be dealing with OpenZiti terms but it sounds like you'll be learning Zitadel along the way and that's a lot. I've done it "many times" by now and I can assure you it gets easier the more you do it (like anything). :slight_smile:

Have a look through that thread, watch that video and if you need more help let me know. It might make a good "next video" for the learn OpenZiti series I started (but had to put on hiatus).

Let us know if that helps or if you get stuck.

General steps:

  • set up OpenZiti
  • set up Zitadel
  • add Zitadel application / project / user (see that doc)
  • create an OpenZiti identity, make sure you add an external id to the identity mapping to a claim found in the Zitadel token (this is probably the trickiest part imo)
  • try logging in with ZAC or with the ZDEW, or try using the ziti CLI command to verify things are working, something like ziti ops verify ext-jwt-signer oidc --controller-url https://ctrl.url.here zitadel-ext-jwt-signer
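The step most people trip over is the last-but-one: the external id on the OpenZiti identity has to equal the value of the claim that the ext-jwt-signer is configured to read (its claims property, which defaults to `sub`), and the token also has to carry the issuer and audience the signer expects. The script below, an added example that is not from the forum thread or from the OpenZiti/Zitadel projects, builds a constructed Zitadel-style token and runs the same three checks the controller applies (issuer, audience, claim-to-external-id match) so you can see exactly which one fails before trying a real login. It assumes nothing beyond the Python standard library; the issuer URL, client id, subject and identities are constructed placeholders, and HS256 with a shared secret stands in for Zitadel's RS256/JWKS signing purely so the sample runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 JWT. Zitadel really signs with RS256 and
    publishes its keys via JWKS; HS256 is only a stand-in for an offline demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_claims(token: str, secret: bytes) -> dict:
    """Verify the signature and return the claim set; ValueError on a bad token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def signer_problems(claims: dict, issuer: str, audience: str, now: Optional[float] = None) -> list:
    """Return the reasons an ext-jwt-signer configured with this issuer and
    audience would reject the token (empty list means it would be accepted)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch: token has %r, signer expects %r" % (claims.get("iss"), issuer))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud   # aud may be a string or a list
    if audience not in aud:
        problems.append("audience mismatch: token has %r, signer expects %r" % (aud, audience))
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def find_identity(claims: dict, claims_property: str, identities: list) -> Optional[dict]:
    """Mimic the controller's lookup: the claim named by claims_property must
    equal some identity's externalId, or no identity is authenticated."""
    value = claims.get(claims_property)
    if value is None:
        return None
    for ident in identities:
        if ident.get("externalId") == value:
            return ident
    return None


# --- constructed sample data (not real Zitadel or OpenZiti values) ---
ISSUER = "https://zitadel.example.test"          # placeholder Zitadel instance
CLIENT_ID = "ziti-app-client-id-placeholder"     # placeholder Zitadel application client id
SECRET = b"offline-demo-only"
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "sub": "123456789012345678",                 # Zitadel user id style subject
    "aud": [CLIENT_ID],
    "email": "alice@example.test",
    "exp": int(time.time()) + 3600,
}
IDENTITIES = [
    {"name": "alice", "externalId": "123456789012345678"},
    {"name": "bob", "externalId": "bob@example.test"},  # mapped to an email, not a sub
]


def demo(claims_property: str = "sub") -> dict:
    token = make_hs256_token(SAMPLE_CLAIMS, SECRET)
    claims = decode_claims(token, SECRET)
    ident = find_identity(claims, claims_property, IDENTITIES)
    return {
        "problems": signer_problems(claims, ISSUER, CLIENT_ID),
        "identity": ident["name"] if ident else None,
    }


if __name__ == "__main__":
    print(demo("sub"))     # identity found
    print(demo("email"))   # no identity: externalId was set to the sub, signer reads email
```

Run it once with the claims property you actually configured on the signer; if `identity` comes back `None` while `problems` is empty, the token is fine and the fix is on the identity's external id (or the signer's claims property), not on the Zitadel side.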

Thanks so much for the quick reply! Really appreciate it. I'll check out the video first and follow up here if I run into any issues.