OIDC Authentication / SSO

Hi,
Is there something like an SSO integration (OIDC) in the ZAC? This would enable us to manage ZAC users centrally in an IdP like Keycloak. I'm asking as we have many tools in place that need user management, and managing all these users for each and every tool separately would just not be possible.

BR
Jan

Not at this time, no. I filed this issue on GitHub if you want to follow it: explore OIDC authentication · Issue #149 · openziti/ziti-console · GitHub

Cheers

I'm researching open-source VPN replacements for our company. I set up and tested OpenZiti, and while I find it very impressive, it seems to lack SSO integration. I see the GitHub issue has been open since July 2023. I am excited to see you working on OIDC in your recent ZitiTV update! When do you think you'll have OIDC support for the Linux tunneler?

FWIW, in our ideal workflow, we would want something very similar to the aws cli sso auth, where you can run aws sso login in your terminal, authenticate in your browser, and access the project services.

Hi @rochecompaan, welcome to the community and to OpenZiti!

This one comment covers multiple questions.

ZAC + OIDC

Just last week @rgalletto actually did some work to allow people to authenticate with the ZAC using an external JWT signer. It's still in the "being worked on" phase (there's no doc and it's not released yet), but it's coming soon, believe it or not. 🙂

linux + OIDC

The Ziti Desktop Edge for Windows uses the ziti-edge-tunnel under the hood, so the Linux ziti-edge-tunnel also supports OIDC auth. The difference is there's no UI for you to click on to log in. You'll have to use the CLI and run: ziti-edge-tunnel ext-jwt-login

Thanks for the pointers @thelumberjack! I'll try to hook up the tunneler with an OIDC provider with the command you shared.

I'm very pleased to hear that adding this to ZAC is already in progress. I'm very familiar with Angular and I will definitely dig into the source code at some point.