OIDC implementation in OpenZiti

Hi again everyone.

First, let me thank you all for your help on my last post.

I've finished configuring most of the Ziti implementation, and I am now running some tests on the Ziti network. However, I'm having some doubts regarding accessing the network using an external Identity Provider, such as Okta.

From my understanding from the documentation, one should configure the desired external IdP as a JWT signer, and then it should be possible to use it to create/authenticate/authorize users against the controller.
Nonetheless, after configuring Okta as an external JWT signer, I can only use it to authenticate in the controller (with my Okta credentials) after manually creating the identity in the controller.

Taking these into consideration, I have some doubts:

  • Is it possible to configure JIT, to create users automatically in the controller, with this OIDC integration?
  • Is it possible to use this configuration, to authenticate identities in other components other than the controller? I'm specifically thinking about the Ziti desktop agent, for Windows, but if you can give some information for the other components, I'm more than thankful!
  • Lastly, is it possible to use some kind of UEBA to trigger certain actions in the Ziti Network? I.e. if I access from a certain geographical location that I've previously configured to be blocked, I would like for the Ziti controller/IdP to block my login, disable the user, and log it. Is this something feasible?

Thank you all once again for your help!

No. This sort of feature has been discussed in the past but it's not something OpenZiti supports at this time. I'm not sure if this is the sort of thing OpenZiti would ever actually implement, it's possible. Right now, it's not on any roadmap I'm aware of.

At the end of the day, it's most important to authenticate to the controller. Right now, Linux tunnelers, the Ziti Desktop Edge for Windows, and the Ziti Mobile Edge for Android can all use external JWT signers for authentication. macOS/iOS are coming very soon.

At this time, it's not built into anything OpenZiti. However, if the UEBA software can run commands or call the REST API you can use the UEBA software to perform the actions you desire. So it's feasible but not part of OpenZiti in any deeply integrated way. (Hopefully that makes sense)

1 Like
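The reply above describes the UEBA hook as external glue: the UEBA product notices the login, and a script calls the controller's management API. The following is an added example of such a hook, not code from the OpenZiti project. Everything specific to the controller is an assumption: the event shape is constructed, `CONTROLLER_URL` and the session token are placeholders, and the `/edge/management/v1/identities/{id}/disable` path with its `durationMinutes` body is written from memory and should be checked against your controller's swagger before use.

```python
"""Added example (not OpenZiti project code): a small reaction hook that a UEBA or
SIEM tool could run when it sees a login from a blocked country. It decides on an
action, logs it, and prepares the OpenZiti management API call to disable the
identity. Assumptions (not from the thread): the event shape is constructed here,
the management-API path /edge/management/v1/identities/{id}/disable and the
'durationMinutes' body are written from memory and should be checked against your
controller's swagger; CONTROLLER_URL and the zt-session token are placeholders.
"""
import json
import logging
import urllib.request

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
log = logging.getLogger("ziti-ueba-hook")

CONTROLLER_URL = "https://ziti-controller.example.com:1280"  # placeholder

# Constructed sample event, as a UEBA product might emit it after an IdP login.
SAMPLE_EVENT = {
    "identity_id": "hypothetical-identity-id",
    "external_id": "user_123",
    "source_ip": "203.0.113.7",          # TEST-NET-3 documentation address
    "geo_country": "XX",                 # constructed, not a real country code
    "idp": "okta",
}


def evaluate_login(event, blocked_countries):
    """Return the action the hook should take for this login event."""
    country = event.get("geo_country", "")
    if country in blocked_countries:
        return {"action": "block", "reason": f"login from blocked country {country}"}
    return {"action": "allow", "reason": "country not blocked"}


def build_disable_request(controller_url, identity_id, duration_minutes=0):
    """Build the HTTP request that disables an identity.

    Assumption: endpoint and body shape are from memory of the OpenZiti
    management API; durationMinutes 0 is taken to mean 'until re-enabled'.
    """
    url = f"{controller_url}/edge/management/v1/identities/{identity_id}/disable"
    body = {"durationMinutes": duration_minutes}
    return "POST", url, body


def handle_event(event, blocked_countries, send=None):
    """Evaluate the event; on block, log it and disable the identity.

    `send` is an injectable function (method, url, body) -> HTTP status, so the
    decision logic can be exercised without a live controller.
    """
    decision = evaluate_login(event, blocked_countries)
    log.info("identity=%s external_id=%s ip=%s decision=%s (%s)",
             event.get("identity_id"), event.get("external_id"),
             event.get("source_ip"), decision["action"], decision["reason"])
    if decision["action"] != "block":
        return decision
    method, url, body = build_disable_request(CONTROLLER_URL, event["identity_id"])
    if send is not None:
        decision["status"] = send(method, url, body)
    return decision


def send_with_session(zt_session):
    """Return a sender that authenticates with a controller session token
    (the zt-session header used by the OpenZiti edge APIs)."""
    def _send(method, url, body):
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method=method,
            headers={"Content-Type": "application/json", "zt-session": zt_session})
        with urllib.request.urlopen(req) as resp:
            return resp.status
    return _send


if __name__ == "__main__":
    # Dry run: a recording sender stands in for the controller.
    calls = []
    result = handle_event(SAMPLE_EVENT, {"XX"},
                          send=lambda m, u, b: calls.append((m, u, b)) or 200)
    print(result, calls)
```

The sender is injected so the block/allow decision and the request construction can be tested on their own; in production you would pass `send_with_session(token)` with a session obtained from the controller's authenticate endpoint, and keep the blocked-country list in whatever store the UEBA tool already maintains.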

As Clint says, not something in OpenZiti today or future, tbh; it's more the type of thing we create in NetFoundry. For example, we have done exactly this with Azure AD (though I think it's GraphAPI rather than OIDC - https://support.netfoundry.io/hc/en-us/articles/360028298092-Client-Sync-Integration-with-Azure-Active-Directory). I expect there are ways it could be done with Okta via OIDC.

1 Like

So that I don't have to create a new topic, I have a question on a related topic.

If I get groups from Keycloak:

vpn_admin_group
vpn_admin_web

Can I somehow claim this directly?

If I already use external_id: user_123

1 Like

No. That's the sort of thing that I'm not sure if OpenZiti would ever do, to be honest. It's the sort of thing that I don't believe is standardized (IdP groups). It'd be one thing to materialize an identity based on a claim (which I'm still not sure if OpenZiti would do) but reading groups seems like it might end up being too much of an unknown.

At this time, neither of those ideas is planned. I appreciate you making your desire known though by voicing it in the forum. User feedback is something we take into consideration.

My idea comes from experience with FortiGate, where I can link any group to the policy for the user group.

For me it would be enough to label the group = role or tag.

Yes, unfortunately, at the moment we are planning a large migration from FortiGate SSL VPN to OpenZiti and so far everything suits us; we will simply throw a direct connector from Keycloak to OpenZiti, and I really appreciate your work for such opportunities.

Got it. I'll take a deeper look into the API, and check if it is possible to achieve something along those lines with Okta.

Thank you all for your help!

I believe groups is a standard IdP request - other overlay VPN solutions employ this technique and read from the groups claim (which I think you can configure to have a different claim name), and this feature I would also love to see - it would mean being able to add a user to an IdP, assign them a group, and their networking AND application access are automatically applied. Clean, less prone to errors (best for security) and automated.
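The groups-claim idea raised in the Keycloak question and again in the post above is, as the replies say, not something OpenZiti does. The following is an added example of what the same step would look like if done outside the controller (a small sync script rather than a controller feature), not code from the OpenZiti project. It verifies an IdP token, reads a configurable groups claim, and derives the role attributes to set on the identity whose `external_id` matches the token subject. Assumptions: the token is constructed here and signed with HS256 purely so the example runs offline (a real Keycloak or Okta token is RS256 and must be verified against the IdP's JWKS, which is exactly what the ext-jwt-signer configuration does for you on the controller); the group-to-attribute map, issuer and audience are made up; the `externalId`/`roleAttributes` field names are how I recall the identity object in the management API and should be checked against your controller's swagger.

```python
"""Added example (not OpenZiti project code, and not a feature OpenZiti has):
a "groups claim -> role attributes" sync step done outside the controller.
Verifies an IdP token, reads the groups claim, and derives the identity update.

Assumptions: the token is constructed and HS256-signed so the example runs
offline; real Keycloak/Okta tokens are RS256 and are verified against the IdP's
JWKS. Group map, issuer, audience and the externalId/roleAttributes field names
are assumptions to be checked against your own setup.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint a test token (only so the example has something to verify)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Verify alg, signature, iss, aud and exp; return the claims or raise ValueError."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":      # pin the algorithm; never trust the token's alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


# Constructed mapping: IdP group name -> Ziti role attribute (assumption).
GROUP_TO_ROLE = {
    "vpn_admin_group": "vpn-admins",
    "vpn_admin_web": "vpn-web-admins",
}


def roles_from_claims(claims: dict, groups_claim: str = "groups") -> dict:
    """Derive the identity update from verified claims.

    Unknown groups are ignored rather than passed through, so a new IdP group
    never grants access until someone maps it explicitly.
    """
    groups = claims.get(groups_claim, [])
    attrs = sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
    # Field names assumed from the management API identity object.
    return {"externalId": claims["sub"], "roleAttributes": attrs}


KEY = b"constructed-test-key-not-for-real-use"
ISSUER = "https://idp.example.com/realms/demo"   # placeholder
AUDIENCE = "openziti"                            # placeholder


def demo(now=None) -> dict:
    """Mint a constructed token with the groups from the question, verify it,
    and return the identity update a sync script would PATCH to the controller."""
    base = now if now is not None else time.time()
    token = sign_hs256({
        "iss": ISSUER, "aud": AUDIENCE, "sub": "user_123", "exp": base + 300,
        "groups": ["vpn_admin_group", "vpn_admin_web", "unmapped_group"],
    }, KEY)
    return roles_from_claims(verify_hs256(token, KEY, ISSUER, AUDIENCE, now=now))


if __name__ == "__main__":
    print(demo())
```

The explicit allow-list map is the security-relevant choice: mapping arbitrary IdP group names straight onto role attributes would let anyone who can create groups in the IdP grant themselves network access, which is the "too much of an unknown" concern in the reply above.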

This is literally something we are implementing in the NetFoundry platform using SCIM; it is very close to being released. As far as I am aware, we have no plans to release it into the OpenZiti code, but things could change. This replaces the Azure AD integration I mentioned earlier, as it's more robust, secure, and works with many different IdPs and standards.

Sounds great

[REDACTED CONTACT DETAILS - @TheLumberjack]

1 Like