Problem: Automating Identity Creation for OpenZiti via Authentik

I'm currently experimenting with OpenZiti, with the goal of securing my SaaS application for future use. My setup involves a controller in Kubernetes, a separate VM running Browzer, and integration with Authentik as my identity provider (IdP). The entire purpose of this setup is to explore Zero Trust access for my clients.

Problem Summary

During my experimentation, I've run into a significant hurdle related to identity creation. My current configuration requires me to manually create an OpenZiti identity for each new user or client before they can log in via Authentik. This manual process is not a feasible solution for a real-world, scalable deployment.

The current workflow is:

  1. A user successfully authenticates through Authentik.

  2. However, their access is blocked because a corresponding OpenZiti identity does not yet exist.

  3. I have to manually create the identity in OpenZiti to allow the user to proceed.

This manual step is a bottleneck and prevents me from achieving the seamless, automated user onboarding experience that's crucial for my future plans.

Goal

I'm looking for a way to automate the identity creation process. My goal is to have OpenZiti dynamically provision an identity for a user the very first time they log in via Authentik. This "Just-in-Time" (JIT) provisioning would eliminate the need for any manual intervention on my part.

Technical Details

I've already integrated Authentik as an external identity provider using OpenID Connect (OIDC). My research suggests that OpenZiti has a feature for external JWT signers and a concept of third-party auto-enrolled identities, which seems to be the solution I'm looking for.

I believe the correct path forward involves:

  • Configuring an external JWT signer in OpenZiti that trusts Authentik.

  • Creating or modifying an authentication policy to allow primary authentication via this external signer.

  • Leveraging a claim from the JWT (e.g., email or a custom attribute) to automatically create a corresponding OpenZiti identity with appropriate attributes.

I'm looking for guidance or a detailed example of how to implement this "Just-in-Time" (JIT) identity provisioning. I want to avoid the manual pre-provisioning step and have OpenZiti dynamically create identities based on successful authentication from Authentik.

Is there a standard or recommended way to achieve this dynamic identity creation with OpenZiti and a custom OIDC provider like Authentik? Are there specific configuration settings or CLI commands I'm missing to enable this functionality?

Thank you for your help!

Hi @poithar - welcome to the community!

We are considering adding a lightweight feature to OpenZiti that does some limited auto-provisioning (similar to 3rd-party CA auto-enrollment).

NetFoundry covers the enterprise-class use case via SCIM integration (auto-create Ziti identities and assign attributes when they are added to the IdP), so they “just work” on first login. If you’d like to talk with someone from NetFoundry (e.g., @PhilipGriffiths) I’m happy to connect you…


That would be a great feature! Other applications with OIDC integration work that way too, like Apache Guacamole. It will auto-create the user on first login, and also add the groups from the group claim. That way the access policies can be made upfront for groups, and when a new user is onboarded in the IdP and added to a group, all other applications are then auto-configured correctly because of the group claim.

To automate identity creation in OpenZiti via Authentik, you can integrate Authentik as an external JWT signer. This allows dynamic identity creation based on authentication, using JWT claims like email or groups. Consider using SCIM for a more automated solution, similar to NetFoundry's approach.

FYI, OpenZiti doesn't perform dynamic identity creation at this time. You will still need to generate the identity and map an external ID accordingly. It's a feature we have discussed (as mentioned above), but not something that exists as of Aug 2025. Any IdP with proper support can be added, not just Authentik. Have you automated something to get dynamic identity creation, @LukeDope?
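Since the thread ends on the point that OpenZiti will not create identities on first login and each user still needs an identity whose external ID matches the JWT claim, the closest working substitute for the JIT flow the original poster asks for is a reconciliation script that pre-provisions identities from the IdP's user list. The following is an added example, not code from the thread, from OpenZiti or from Authentik. It covers the three steps the poster lists (an external JWT signer that trusts Authentik, an auth policy that allows primary authentication through it, and identities keyed on the `email` claim) and turns Authentik group membership into Ziti role attributes so service policies can be written against groups ahead of time. Assumed rather than taken from the page: the Authentik `/api/v3/core/users/` response shape (including `groups_obj`), the OpenZiti edge-management endpoints and JSON field names used here (`/external-jwt-signers`, `/auth-policies`, `/identities`, `externalId`, `authPolicyId`, `claimsProperty`, `useExternalId`), the Authentik issuer and JWKS URL layout, and every environment variable name. The sample user list is constructed for the example.

```python
"""Pre-provision OpenZiti identities for Authentik users (added example, not
project code). Assumed: Authentik's /api/v3/core/users/ response shape, the
OpenZiti edge-management endpoints and field names below, the env var names."""
import json
import os
import ssl
import urllib.request

ZITI_MGMT = os.environ.get("ZITI_MGMT", "https://ziti-controller:1280/edge/management/v1")

# Constructed sample of what Authentik's user list returns (assumed shape).
SAMPLE_AUTHENTIK_USERS = [
    {"username": "alice", "email": "alice@example.com", "is_active": True,
     "groups_obj": [{"name": "Clients"}, {"name": "Tenant-A"}]},
    {"username": "bob", "email": "bob@example.com", "is_active": True,
     "groups_obj": [{"name": "Clients"}]},
    {"username": "carol", "email": "carol@example.com", "is_active": False,
     "groups_obj": [{"name": "Clients"}]},
    {"username": "svc", "email": "", "is_active": True, "groups_obj": []},
]


def signer_payload(name, issuer, jwks_endpoint, audience, client_id):
    """Body for POST /external-jwt-signers: trust Authentik's keys and match the
    token's `email` claim against identity.externalId (assumed field names)."""
    return {
        "name": name, "issuer": issuer, "jwksEndpoint": jwks_endpoint,
        "audience": audience, "clientId": client_id,
        "claimsProperty": "email",  # the claim that names the identity
        "useExternalId": True,      # compare it to externalId, not the identity name
        "scopes": ["openid", "email", "profile"],
        "externalAuthUrl": issuer,  # where SDKs/BrowZer send the user to log in
        "enabled": True,
    }


def auth_policy_payload(name, signer_id):
    """Body for POST /auth-policies: primary auth only through the signer,
    no cert or password login, no secondary factor (assumed field names)."""
    return {
        "name": name,
        "primary": {
            "cert": {"allowed": False, "allowExpiredCerts": False},
            "updb": {"allowed": False, "minPasswordLength": 5, "requireSpecialChar": False,
                     "requireNumberChar": False, "requireMixedCase": False,
                     "maxAttempts": 5, "lockoutDurationMinutes": 0},
            "extJwt": {"allowed": True, "allowedSigners": [signer_id]},
        },
        "secondary": {"requireTotp": False, "requireExtJwtSigner": None},
    }


def plan_identities(authentik_users, existing_external_ids, auth_policy_id):
    """Identity-create bodies for active users that have no Ziti identity yet.
    Group names become role attributes, so service policies can target IdP
    groups before the user's first login. Re-running is idempotent."""
    plans = []
    for user in authentik_users:
        email = (user.get("email") or "").strip()
        if not user.get("is_active") or not email:
            continue  # no stable claim to map the token to; skip
        if email in existing_external_ids:
            continue  # already provisioned
        groups = sorted(g["name"].lower() for g in user.get("groups_obj", []))
        plans.append({
            "name": email, "type": "Default", "isAdmin": False,
            "externalId": email,  # must equal the JWT's email claim exactly
            "authPolicyId": auth_policy_id,
            "roleAttributes": groups,
        })
    return plans


def ziti_request(token, method, path, body=None, ctx=None):
    """Call the edge-management API; the admin session travels in zt-session."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ZITI_MGMT + path, data=data, method=method,
                                 headers={"content-type": "application/json",
                                          "zt-session": token})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["data"]


if __name__ == "__main__":
    ctx = ssl.create_default_context(cafile=os.environ.get("ZITI_CA_FILE"))
    token = ziti_request("", "POST", "/authenticate?method=password",
                         {"username": os.environ["ZITI_ADMIN_USER"],
                          "password": os.environ["ZITI_ADMIN_PASS"]}, ctx)["token"]
    ak = urllib.request.Request(
        os.environ["AUTHENTIK_URL"] + "/api/v3/core/users/?page_size=500",
        headers={"Authorization": "Bearer " + os.environ["AUTHENTIK_TOKEN"]})
    with urllib.request.urlopen(ak) as resp:
        users = json.load(resp)["results"]
    existing = {i.get("externalId") for i in
                ziti_request(token, "GET", "/identities?limit=500", ctx=ctx)}
    for body in plan_identities(users, existing, os.environ["ZITI_AUTH_POLICY_ID"]):
        ziti_request(token, "POST", "/identities", body, ctx)
        print("created", body["name"], "attributes", body["roleAttributes"])
```

The signer and auth-policy bodies are one-time setup: POST them once (or create the equivalents with `ziti edge create ext-jwt-signer` and `ziti edge create auth-policy`) and pass the resulting policy id as `ZITI_AUTH_POLICY_ID`; the identity loop is what you run on a schedule or from an Authentik event hook. Two things to check in a real deployment: `externalId` is compared to the claim as-is, so store the email exactly as Authentik emits it in the token, and keying identities on `email` only works if that attribute is immutable and unique in your IdP; the `sub` claim is the safer choice when Authentik exposes it in a form you can look up.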