Using Authentik to authenticate users at network level

Hi All,

I'm new to OpenZiti and have some questions about its implementation.

I understand Ziti can connect users, devices, and applications to services on a virtual network (Ziti network). You can either integrate the SDK into your application or use a client tunneller application. I'm currently using Authentik (an IdP supporting OIDC/OAuth, SAML, Proxy, LDAP, Radius) for authentication and authorization at the application level. This works great, but I want to explore ZTNA with OpenZiti to handle network-level authentication/authorization.

I've seen JWK and Certificates used for user authentication in the videos. I aim to keep things user-friendly, and I'm unsure if I can use Authentik as the auth method for users of OpenZiti endpoint applications. BrowZer appears to be a browser with the SDK, which may not suit all my services that either require or work better with a native app (NextCloud, Jellyfin, Immich, Home Assistant, RDP, SSH).

My current setup:

Layout: Domain > PFSense (HAProxy) > Routed to VLAN (DMZ/LAN) > Server

Questions:

  1. How can I use my Authentik install to authorize at not only the application layer but also the Ziti virtual network layer with tunneler apps?
  2. If using Authentik as an IdP, how do I ensure logins expire for external users? Currently, users need to re-authenticate after a few days with my apps, but I want to be sure the same happens with end users connecting to Ziti.
  3. Can I integrate other security tools into the connection process (e.g., vulnerability detection or device verification for compliance)?

Thanks for your time and the great software!

Hi @007bond007, welcome to the community and to OpenZiti!

As you discovered, BrowZer will cover http-based services, but might not cover other use cases.

  1. How can I use my Authentik install to authorize at not only the application layer but also the Ziti virtual network layer with tunneler apps?

Unfortunately, at this time you can't do this but I believe this is a priority and coming soon to tunnelers! When it's ready, one of us can ping you back to try it out if you'd like. It sounds like it will probably start getting worked on soon. What tunnelers do you want to use? (windows, macos, ios, android, linux, all of the above)

  2. If using Authentik as an IdP, how do I ensure logins expire for external users? Currently, users need to re-authenticate after a few days with my apps but I want to be sure the same happens with end users connecting to Ziti.

Do I understand you correctly, you're looking to have the app time out and force users to re-auth whether over OpenZiti or not? It sounds like the apps currently support this, so that wouldn't actually change. Are you looking to also force the user to have to authenticate to get back onto the overlay network? (after the tunnelers support OIDC)

  3. Can I integrate other security tools into the connection process (e.g., vulnerability detection or device verification for compliance)?

Right now, the desktop/mobile edges support some posture checks (continuous authorization model) but they don't currently integrate with external endpoint software. That is another thing that does come up now-and-then and might be on the roadmap, but it's not implemented at this time.

We're pleased you are enjoying OpenZiti! If you haven't checked out zrok, you might enjoy checking that out too! :slight_smile:

Thank you for the warm welcome :slight_smile:

  1. Thank you for confirming, this is what I suspected but wanted to be sure! Yes, I'd love a ping back for this as it would make the user experience far more polished (SSO unifies the user experience so they log in once and have access to everything, but behind the scenes enhanced security by ensuring security at the network and application layer with the same credentials). I'd be looking to use the Android, iOS, and Windows tunnellers for this purpose (the Linux side would be for servers, so I wouldn't have them expire, if possible).
  2. Yes, the apps support this, but given OpenZiti doesn't currently support IdP logins, this question becomes less relevant. Essentially I was looking to see if users were/could be required to re-auth with Ziti after a certain period of time has passed (for example, if they were to lose their device, whoever found it could not simply click "login" and gain network/app access).
  3. Good to know - this was more just curiosity as I dive deeper into the security world... thank you!

Much appreciated sharing your perspective. It helps when we design features to understand how people are contemplating using it. I'll make sure to ping you back here when we have something to test out.
