Multiple end-user devices and OIDC

Hi,

Is there any way to have multiple enrolled devices for an identity?

I've been testing OpenZiti to replace several different infrastructure components and have the basic setup working, using OIDC to authenticate against Entra ID. The use of centralised authentication is a prerequisite for the project.

The problem I've run into is that many users have multiple devices, often at least 2, that will need to be used.

It doesn't appear to be possible as far as I can see to enroll and manage multiple devices per identity. It's also not possible to have multiple identities with the same external ID.

Is there any way to handle this situation without multiple user accounts in the identity provider, or having something in the middle like Keycloak performing some mapping?

Hi @SBDJ,

The best way to accomplish this is actually with an OIDC-based approach. While I personally feel like individual identities enrolled on devices is a bit of a stronger security posture, it's not necessary and it's absolutely acceptable to use an external jwt signer and oidc as your primary authentication method to the overlay. You can log into your phone and into your desktop both with ext jwt signers and have one identity and multiple authentications.

Right now, the Mac/iOS work for ext jwt signer support is in flight for this (expected very soon), but Android, ziti-edge-tunnel (linux) or Ziti Desktop Edge for Windows will all support external auth.

An alternative, if you want separate identities would be to use a different field in the mapping. Since you can use any claim from the JWT, you could make a secondary identity and map it using some other field in the jwt.

Does that make sense? You mentioned you are using that, but somehow it's not working out for you to have the same identity authenticated on multiple devices?

Thanks for the quick response - I'm probably misunderstanding something then :slight_smile:

For my test I added an identity, selected an auth policy and specified the external ID. The user then enrolled their device using the one-time token and had access.

What I couldn't work out was how they add that identity to a second device. For example the Windows client has options for JWT (which they don't have, as they probably used it for the first enrolment) or URL (which I can't get to work - on Windows it reports a timeout, on Android it crashes).

The multiple identities using an alternative field would work for someone with two devices, but starts to get messy for people with lots of different devices, such as cross-platform developers.

The question is which token. By specifying "one-time token", it makes it sound to me that the user is not using oidc-based authentication.

Here's exactly what I would do:

  • install OpenZiti
  • create an external-jwt-signer for your oidc provider (entra) and make sure it works...
  • create an identity for "user", when creating the user:
    • add the expected external id for the user.
    • Under "show more options" choose the "Enrollment Type" of None (assuming you used ZAC?)
  • From the Authentication -> JWT Signers page, click the "Download Network JWT" from the upper right
  • send your user that JWT to enroll

This is NOT a "one-time token" JWT. That JWT is used for any and all users - it's the 'network jwt' (one jwt, for the whole network).

Alternatively, you could enable alt server certs for your controller and then you don't need the ext jwt signer, you can have the user add an identity using URL. For example, with ZDEW that would look like this:
[screenshot: adding an identity by URL in Ziti Desktop Edge for Windows]

I would also tell you to start with the Default authentication policy for starters, until you get the first step working.

Hope that helps?
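To make the "one identity, many authentications" point above concrete, here is an added example (not OpenZiti's own code) that models how an external JWT signer maps a single token claim onto an identity's external id, so tokens from a phone and a desktop resolve to the same identity, while a token for the wrong audience, an expired one, or one with a bad signature is rejected. It also shows the alternative of mapping a second identity from a different claim. HS256 with a shared secret stands in for Entra ID's RS256 keys fetched via JWKS; the issuer, audience, claim names and ids are constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed example: a minimal model of how an ext-jwt-signer maps one token
# claim (the "claims property") onto an identity's externalId, so tokens from
# any number of devices for the same user resolve to the SAME identity.
# Simplification: HS256 with a shared secret stands in for Entra ID's RS256 keys
# fetched from a JWKS endpoint; the signer/identity values below are made up.
SIGNER = {
    "issuer": "https://login.example.test/tenant-id/v2.0",
    "audience": "ziti-client",
    "claims_property": "oid",          # claim copied into identity.externalId
    "secret": b"constructed-test-secret",
}
IDENTITIES = {"7f1c-constructed-oid": "alice"}  # externalId -> identity name

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict, secret: bytes) -> str:
    """Mint a test token the way the IdP would (HS256 stand-in for RS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def resolve_identity(token: str, signer=SIGNER, identities=IDENTITIES, now=None):
    """Return the identity a token authenticates as, or None when rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(signer["secret"], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return None  # signature does not verify against the signer's key
    claims = json.loads(b64url_decode(parts[1]))
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != signer["issuer"] or signer["audience"] not in auds:
        return None  # wrong issuer, or token not minted for this audience
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None  # expired (or no exp at all)
    # The device is irrelevant here: only the mapped claim selects the identity.
    return identities.get(claims.get(signer["claims_property"]))
```

Swapping the signer's claims property (for example to a UPN claim) with a second identity table is the "secondary identity mapped on another field" alternative mentioned earlier in the thread.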

Told you I misunderstood something - I had no idea about the network JWT. I will try that now.

Oh! I realize I forgot to say: Welcome to the community and to OpenZiti! :slight_smile: Welcome! Let us know how you get along...

That's working now - disabling user enrolment and using the network JWT was the key, thanks for that information. I see it's covered in the documentation; somehow I completely missed it.

Are there any plans to track the enrolled devices? ZAC only seems to show the last device I enrolled. In this case I enrolled a Windows device, then an Android device. It's not a deal breaker by any means, just a question.

So far I'm pretty impressed. The SSO integration I needed is working and access controls look comprehensive. The client is working well, and once the Mac version gains external JWT signing (and presumably iOS too) that will cover the full range of clients. One of the current solutions I'm replacing can't do mobile clients at all, so that's a win.

Next on my list will be to investigate the audit logging capabilities to see what kind of information I can gather on user and administrative actions and resource accesses.

If the logging covers everything I need for compliance purposes, then I'll do a proper production style install and let some proper users test it out!

Thanks again for the assistance!

I don't think ZAC actually does that. It sounds like happenstance to me. As for "tracking" enrolled devices, that gets sticky. What does it mean to 'track' them and what does it mean to be enrolled? I'm not trying to be glib, really I'm not! It's common for everyone/every project to consider these things differently is all.

For example, if you use external jwt signers, like you are, technically, those devices never actually "enroll" per se. Yes, they added an identity and they authenticated to the OpenZiti overlay, but they don't have a single identity, one that OpenZiti adds to a database of identities since the AuthN is delegated to the IdP. (as opposed to using the OTT-type, like you did at first. There, there is a single known cert/fingerprint that the controller can use to track). So again, it just kinda depends on what you want and need. The NetFoundry console (NetFoundry's SaaS OpenZiti offering) will keep track of the last time an identity was connected (referred to as "Last Seen"). I think that's what you're looking for and I believe that's done by watching OpenZiti events. You could emulate the same thing, but since it requires watching those events, I doubt that the ZAC would ever track them until the controller tracks it. Which it might some day, just doesn't right now...

There are a bucket of events to review: Events | OpenZiti. The NetFoundry SaaS offering collects all these events and uses them to make nice graphs about usage, dial success/fails etc.

hth

I didn't consider your response glib, don't worry, and your response makes perfect sense.

Event reporting looks pretty comprehensive, above what I was expecting.