Identity creation

After trying out here and there I managed to get most basic working and very impressed with the results so far.

Being a person who deployed commercial product for the similar I am impressed what openziti can deliver.

I have networking background hence it is not difficult to understand the overlay fabric concepts. The main challenge I am facing would be creation of identity .

May I asked the community what would be the best approach for using this solution on a larger scale with hundred of users?

  1. I been searching here and there but not able to get full picture how I should associate this solution with 200 users such as using ldap as user based

  2. On my commercial deployment we used saml and linked to azure AD that consist of few thousands users

  3. On smaller client environment we have 200 plus users on open ldap .

I am wondering how would I automate identity creation using ldap etc?

While I can code some automation using python / Java script etc. such as

  1. User authenticate via ldap/ad and once authenticated it sent some api to generate enrolment / automate jwt token for user etc. is this right approach or there’s better approach ?

I want to avoid manually creating hundreds of user/identity

Any pointers here ?

I'll see if I can get someone a bit more familiar with ldap to comment. I believe this is the sort of thing the saas version maintained by NetFoundry does, but I don't work much in there and I'm not familiar with any techniques or pitfalls associated. I believe there's code that reads the directory and possibly groups and generates identity information for each entry, but I don't know what sort of directory deployment works best, etc.

There's another option that comes to mind some people like to use. If you can/have maintained a ca of your own, you can use a 3rd party ca. You'd need to automate the delivery of the identify file/ key pair to devices, but that's an alternative if you want to go that direction.

I'll poke some people to see if I can get any additional useful details around ldap.

@Crystech what you are describing (and @TheLumberjack eluded to) is exactly what our Client Sync offering in the SAAS platform does.
It connects to an LDAP source (Azure AD or old style AD) and syncs users to identities. It sets up attributes based on their groups in the AD.
All you have to do in the network is to set up policies according to the scheme you want.
You have the option to auto-delete users as they are removed from the groups as well so you can manage all users/identities in the AD.
As a side note, we even support having a private LDAP on-prem with no open ports as long as you deploy an edge router on the network.

1 Like

Only work with saas ? Any module / plug-in or guides for non saas version ?

Nice to hear it is supported in saas

Right, this has been done only in the paid platform, which is free for small teams. @jens is the directory sync feature available too for small teams, if only for testing?

For self-hosting there's not already a piece of open source software that does this. The concept is fairly simple, as @jens described: the integration is a Ziti admin and creates one Ziti Identity for each user record in the directory, applying Ziti roles based on group membership. You could also filter user and device records by other attributes in the DN or properties to select them to receive Ziti identities. You could email the enrollment token to the email address in the user record.

This StackOverflow answer suggests another approach is feasible: let Active Directory serve as OpenID provider (OIDC), which your Ziti instance can be configured to trust as an external ID provider.

Would you like to know more about external ID? Here's some links to help raise questions. EDIT: On second thought, OIDC isn't directly applicable to this case.

I can confirm that the feature is available in the free 'Teams' tier.

1 Like

Thanks all for replying , look like my current option is to write a script to sync and create identity based on ldap group etc l.

Really like the project and wanted it to be deployed as non critical deployment at the moment and perhaps one day took over Zscaler as a production.