Multiple end-user devices and OIDC

The question is which token. By specifying "one-time token", it makes it sound to me that the user is not using oidc-based authentication.

Here's exactly what I would do:

  • install OpenZiti
  • create an external-jwt-signer for your oidc provider (entra) and make sure it works...
  • create an identity for "user", when creating the user:
    • add the expected external id for the user.
    • Under "show more options" choose the "Enrollment Type" of None (assuming you used ZAC?)
  • From the Authentication -> JWT Signers page, click the "Download Network JWT" from the upper right
  • send your user that JWT to enroll

This is NOT a "one-time token" JWT. That JWT is used for any and all users - it's the 'network jwt' (one jwt, for the whole network).

Alternatively, you could enable alt server certs for your controller and then you don't need the ext jwt signer, you can have the user add an identity using URL. For example, with ZDEW that would look like this:
[image: by-url]

I would also tell you to start with the Default authentication policy for starters, until you get the first step working.

Hope that helps?
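As an added example (not part of the post above and not code from the OpenZiti project), here is the same enrollment setup expressed as ziti CLI calls instead of ZAC clicks: create the external JWT signer for the OIDC provider, then create the user identity with its external id and no enrollment, so the only thing the user needs is the network JWT from ZAC. It assumes the ziti CLI is installed and already logged in to the controller; the issuer, JWKS URL, audience and user values are constructed placeholders, and the flag names are my assumptions about the ziti CLI and should be checked against `ziti edge create ext-jwt-signer --help` and `ziti edge create identity --help` for your version. Setting `ZITI=echo` dry-runs the functions by printing the commands instead of executing them.

```shell
#!/usr/bin/env sh
# Added example: the post's ZAC steps as ziti CLI commands.
# Assumptions (not from the post): ziti CLI installed and logged in
# ("ziti edge login ..."); flag names as understood from the CLI help.
# Set ZITI=echo to dry-run: commands are printed, not executed.
ZITI="${ZITI:-ziti}"

# Step 1: external JWT signer for the OIDC provider (Entra here).
# $1 = signer name, $2 = issuer URL, $3 = JWKS endpoint, $4 = audience.
# --claims-property names the token claim matched against the identity's
# external id; --use-external-id turns that matching on.
create_oidc_signer() {
  "$ZITI" edge create ext-jwt-signer "$1" "$2" \
    --jwks-endpoint "$3" \
    --audience "$4" \
    --claims-property email \
    --use-external-id
}

# Step 2: identity with the expected external id and NO enrollment.
# Omitting "-o <jwt file>" means no one-time enrollment JWT is created,
# which is the "Enrollment Type: None" choice in ZAC.
# $1 = identity name, $2 = external id (the email claim), $3 = role attributes.
create_user_identity() {
  "$ZITI" edge create identity "$1" --external-id "$2" -a "$3"
}

# Whole flow with constructed placeholder values (replace with your own).
# The network JWT itself is downloaded from ZAC
# (Authentication -> JWT Signers -> Download Network JWT) and sent to the user.
run_enrollment_setup() {
  tenant="TENANT_ID_PLACEHOLDER"
  client_id="CLIENT_ID_PLACEHOLDER"
  create_oidc_signer entra \
    "https://login.microsoftonline.com/${tenant}/v2.0" \
    "https://login.microsoftonline.com/${tenant}/discovery/v2.0/keys" \
    "$client_id"
  create_user_identity alice "alice@example.com" "oidc-users"
}
```

Run `run_enrollment_setup` once the placeholders are replaced; as the post says, keep the Default authentication policy until the first user can authenticate, and only then tighten it.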