OpenZiti and Athenz

I was recently asked if OpenZiti would integrate with Athenz (https://www.athenz.io/) with the latter working as a third-party IdP and possibly policy engine.

Any thoughts would be appreciated!

1 Like

My current understanding of Athenz is that it can issue SPIFFE-compliant x509 certificates. The Ziti Edge Management API supports adopting external CAs (which Athenz would be providing). During authentication, Ziti Edge can map SPIFFE IDs to Ziti identities by setting the externalId to a specific SPIFFE ID and configuring the Athenz CA in Ziti to support looking for SPIFFE IDs in the certificates from the Athenz CA.

That would allow authentication via Athenz issued certs to specific Ziti identities using SPIFFE IDs as the externalId.

After that is done, creating services and policies in Ziti and Athenz that allow connectivity to a service should allow Athenz to issue certificates, Ziti and Athenz to enforce policies, and Ziti to delegate the CA ownership to Athenz.

2 Likes

I remember seeing SPIFFE support in one of the zititv episodes. Is that available in prod now?

I thought to explore externalId to find out how to update it, but was unable to locate it.

Any tips?

It is, and undocumented, not on the CLI, and only available via the Management REST API. I am working on a slew of documentation around authz/n.

It is present on the 3rd Party CA entities under the externalIdClaim property which allows the specification of x509 Claims that will match a SPIFFE ID to externalId.

1 Like

externalId is present on identities. You can set them via the CLI or the Management API.

ziti edge create/update identity --external-id

1 Like
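To make the mapping described in the two replies above concrete (a 3rd-party CA's externalIdClaim picking a SPIFFE ID out of an Athenz-issued certificate, which is then matched against the externalId set on a Ziti identity with `ziti edge update identity --external-id`), here is an added simulation that is not OpenZiti's own code. The claim field names (location, matcher, matcherCriteria, parser, parserCriteria, index) are my assumption about the Management API's externalIdClaim object and should be checked against the API spec; the certificate is a constructed stand-in, not a parsed x509.

```python
"""Simulate Ziti's externalIdClaim: cert -> externalId -> identity (added example)."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ExternalIdClaim:
    # Assumed shape of a 3rd-party CA's externalIdClaim (verify against the API spec).
    location: str = "SAN_URI"        # where to look: COMMON_NAME, SAN_URI or SAN_EMAIL
    matcher: str = "SCHEME"          # ALL, PREFIX, SUFFIX or SCHEME
    matcher_criteria: str = "spiffe"  # SCHEME "spiffe" selects spiffe:// URIs only
    parser: str = "NONE"             # NONE keeps the value; SPLIT keeps one piece of it
    parser_criteria: str = ""        # separator used by SPLIT
    index: int = 0                   # which piece SPLIT keeps

@dataclass
class Cert:
    # Constructed stand-in for an x509 cert: only the fields a claim can read.
    common_name: str
    san_uris: list = field(default_factory=list)
    san_emails: list = field(default_factory=list)

def candidate_values(cert: Cert, claim: ExternalIdClaim) -> list:
    """Return the certificate values the claim's location points at."""
    if claim.location == "COMMON_NAME":
        return [cert.common_name]
    if claim.location == "SAN_URI":
        return list(cert.san_uris)
    if claim.location == "SAN_EMAIL":
        return list(cert.san_emails)
    raise ValueError(f"unknown location {claim.location!r}")

def matches(value: str, claim: ExternalIdClaim) -> bool:
    """Apply the claim's matcher to one candidate value."""
    c = claim.matcher_criteria
    if claim.matcher == "ALL":
        return True
    if claim.matcher == "PREFIX":
        return value.startswith(c)
    if claim.matcher == "SUFFIX":
        return value.endswith(c)
    if claim.matcher == "SCHEME":
        return "://" in value and value.split("://", 1)[0] == c
    raise ValueError(f"unknown matcher {claim.matcher!r}")

def extract_external_id(cert: Cert, claim: ExternalIdClaim) -> Optional[str]:
    """First candidate that matches, optionally reduced by the SPLIT parser."""
    for value in candidate_values(cert, claim):
        if not matches(value, claim):
            continue
        if claim.parser != "SPLIT":
            return value
        parts = value.split(claim.parser_criteria)
        if claim.index < len(parts):
            return parts[claim.index]
    return None  # no usable claim: the cert cannot be mapped to an identity

def resolve_identity(cert: Cert, claim: ExternalIdClaim, identities: dict) -> Optional[str]:
    """identities maps externalId -> identity name (the value set via --external-id)."""
    ext = extract_external_id(cert, claim)
    return identities.get(ext) if ext else None
```

A certificate whose SAN URIs carry no spiffe:// entry resolves to no identity, which is the failure mode to expect when the Athenz CA is adopted but the identities' externalId values have not been set.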