I am trying out v2.0.0-pre5. I am using Okta as my external JWT signer and have set “groups” for enrollAttributeClaimsSelector. Everything is good - when a user logs in for the first time and there is no existing identity on OpenZiti, OpenZiti will create the user, retrieve the list of groups from the groups claim and assign them to the user as roles. However, if there’s any update to the user’s groups (removal from, or assignment to, a new OpenZiti Okta group) and the user logs in again, the roles won’t be updated. Is there any solution to this other than deleting the user and letting OpenZiti recreate it again?
And also, as the ZAC admin is determined by the “IS ADMIN” option, is there any way to set a user as admin based on the Okta group assignment? (i.e. making use of enrollAttributeClaimsSelector or something)
First, I definitely recommend updating. All the v2 pre-releases are continuing to find bugs and we're up to pre7 now and pre8 is very soon to come (today I think?)
However, if there’s any update to the user’s groups (removal from, or assignment to, a new OpenZiti Okta group) and the user logs in again, the roles won’t be updated.
I believe that's correct. That is an 'enterprise' type feature and not one that OpenZiti currently performs for you. NetFoundry (the SaaS offering) does handle this. For now, the OpenZiti offering will only perform that initial creation.
is there any way to set a user as admin based on the Okta group assignment?
You know, I don't really know. I haven't had a moment to play with this functionality myself but I need to try since the 2.0 release is imminent and there have been some requests for Ziti TVs covering this stuff so I'll be restarting them shortly!
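Since, per the reply above, OpenZiti only maps the groups claim to role attributes at initial creation, anyone who needs ongoing sync has to do it out of band. The script below is an added example, not OpenZiti or NetFoundry code and not a confirmed feature: it computes what such a sync job would change for one identity. It assumes the JWT has already been signature-verified by your JWT library before its claims are passed in; that the selected claim is a list of group names (the dotted-path selector is this script's own convention, not necessarily OpenZiti's selector syntax); that IdP-managed Okta groups share a prefix (`ziti-` here) so hand-set attributes in ZAC survive; and that the returned body would be sent by the caller as a PATCH of the identity's `roleAttributes` and `isAdmin` fields on the management API, which is not shown. The `ziti-admins` group driving `isAdmin` is likewise an assumption, not something the page confirms OpenZiti does.

```python
"""
Out-of-band role re-sync for OpenZiti identities enrolled via an external
JWT signer such as Okta. Added example, not OpenZiti/NetFoundry code.

Assumptions (see lead-in): claims are already signature-verified; the
selector names a list-valued claim; managed groups share MANAGED_PREFIX;
the caller PATCHes the returned fields onto the identity.
"""
from __future__ import annotations

from typing import Any

MANAGED_PREFIX = "ziti-"      # assumption: Okta groups that drive Ziti roles
ADMIN_GROUP = "ziti-admins"   # assumption: membership here should set isAdmin


def select_claim(claims: dict[str, Any], selector: str) -> list[str]:
    """Walk a dotted path ("groups", "realm_access.roles") through verified
    claims. A missing or non-list value is treated as "no groups" rather than
    an error, so a user whose group claim disappears loses managed roles
    instead of silently keeping them."""
    node: Any = claims
    for key in selector.split("."):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    if not isinstance(node, list):
        return []
    return [str(g) for g in node]


def plan_role_sync(
    claims: dict[str, Any],
    identity: dict[str, Any],
    *,
    selector: str = "groups",
    managed_prefix: str = MANAGED_PREFIX,
    admin_group: str = ADMIN_GROUP,
) -> dict[str, Any]:
    """Return the fields that differ between the identity as stored and the
    identity as the IdP groups say it should be. Empty dict means no-op.

    Only attributes carrying managed_prefix are ever added or removed;
    anything else on the identity is assumed to be hand-set and is kept.
    """
    groups = set(select_claim(claims, selector))
    desired_managed = {g for g in groups if g.startswith(managed_prefix)}

    current = set(identity.get("roleAttributes") or [])
    unmanaged = {a for a in current if not a.startswith(managed_prefix)}
    new_attrs = sorted(unmanaged | desired_managed)

    patch: dict[str, Any] = {}
    if new_attrs != sorted(current):
        patch["roleAttributes"] = new_attrs

    want_admin = admin_group in groups
    if want_admin != bool(identity.get("isAdmin", False)):
        patch["isAdmin"] = want_admin
    return patch


# Constructed sample data: the claims of a second login after the user was
# removed from ziti-ops and added to ziti-admins, and the identity as it was
# left by the initial enrollment plus one attribute set by hand in ZAC.
SAMPLE_CLAIMS = {
    "sub": "00u1example",
    "groups": ["ziti-dev", "ziti-admins", "Everyone"],
}
SAMPLE_IDENTITY = {
    "id": "idexample",
    "roleAttributes": ["ziti-dev", "ziti-ops", "lab"],
    "isAdmin": False,
}


def main() -> None:
    patch = plan_role_sync(SAMPLE_CLAIMS, SAMPLE_IDENTITY)
    print("PATCH body:", patch)


if __name__ == "__main__":
    main()
```

The diff is computed against the stored identity rather than blindly overwriting `roleAttributes`, so an operator's manual attributes (`lab` above) survive and a run with nothing to change produces an empty body that the caller can skip.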