I would like to seek some clarification on Ziti Desktop Edge issues when using an external signer (IdP).
I experienced this issue on an HA cluster (3 nodes).
My HA cluster is served by an Nginx load balancer, which is fine when redirected to node 1 or node 2, which have ZAC installed.
My node 3 does not have ZAC installed and, funnily, if Desktop Edge is assigned controller3 as the controller, it shows "external provider not available" in the service logs.
Note: it might not be consistent, but on my laptop machine it happened.
So I manually switched to another controller by adding controller2/1 and it works.
On my desktop I wasn't able to replicate this.
I'm not exactly sure what's going on or what you're trying to say. I've read your post a few times and I just don't quite understand what your problem is.
My guess is that you have three different configuration files and one or more controllers don't have the OIDC endpoint defined, but I can't tell that for sure.
I don't think you should load balance them using nginx at this time, to take load balancer issues out of the equation. Also, if all three of your nodes are advertising the same address, that very well might be causing the problem.
There's kind of "too much" going on with this setup to really know how to have you proceed. The only reason for the load balancer would be for the management API or ZAC as far as I know and even that probably isn't all that useful in the long run.
I am not sure I'll be able to help much here, sorry. If you have a specific / more specific question I might be able to answer that.
Apologies for not being clear enough.
I have the following setup:
3 HA cluster nodes
controllers.mydomain.com (nginx) passthrough setup, for compliance with mTLS
nginx upstream (cluster still uses Raft as documented), no issues
(Leader is selected, write access OK and propagated to the cluster as tested)
controller1.mydomain.com:8441 (with ZAC setup)
controller2.mydomain.com:8441 (with ZAC setup)
controller3.mydomain.com:8441 (no ZAC setup)
Works well so far. This is to ensure we have a centralized lookup for Desktop Edge client enrollment using a URL (configured to https://controllers.mydomain.com), making setup easier for users instead of controller1/2/3.
The above is my current setup.
There's one situation I experienced during testing.
1. Windows Ziti Desktop Edge -> add identity via URL
2. Added https://controllers.mydomain.com
3. Ziti Desktop Edge connected to the assigned API and presented the "authorize IdP" button as expected.
- User clicked on "authorize IdP"; it launches the browser to the IdP UI (as per the external signer setup in the controller)
- Enter SSO/IdP credentials and successfully authenticated.
No issues.
What I am reporting:
There was one time controller3.mydomain.com:8441 was assigned by nginx to Ziti Desktop Edge, and when I clicked the "authorize IdP" icon, it failed to launch the browser to the configured IdP (Auth URL).
Service logs showing: no provider available.
What I did:
- I clicked on "Forget this identity"
- Re-added using URL; this time I typed in controller1/2.mydomain.com:8441
- Browser launched and I was able to authenticate without issues. This is to ensure the cluster settings are correct.
What's my question:
Is there any dependency on ZAC? I doubt it.
Latest status:
The problem is not persistent and now seems OK with all 3 controllers.
When I posted this I thought it was caused by controller3 not having ZAC configured.
I just want to check if there are similar issues being reported.
The ZAC has no bearing in this equation at all. My guess is that there's some sort of model replication issue for the ext-jwt-signer.
There are no similar issues reported.
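One way to check the ext-jwt-signer replication guess above across all three nodes, as an added example that is not part of this thread or of OpenZiti's own tooling: it fetches the external JWT signer listing from each controller and reports any node whose listing differs from the others. The client API path, the response field names and the hostnames are assumptions; a constructed sample (two nodes advertising the IdP, the third advertising none) is embedded so it runs offline.

```python
"""Check that every HA controller advertises the same external JWT signers (IdPs)."""
import json
import ssl
import urllib.request
from typing import Dict, List

# Assumed client API path that lists external JWT signers; verify against the
# controller's OpenAPI spec before relying on it.
SIGNERS_PATH = "/edge/client/v1/external-jwt-signers"

# Constructed sample data mirroring the thread: controller3 advertises no signer.
IDP = {"name": "corp-idp", "externalAuthUrl": "https://idp.example.com/auth", "enabled": True}
SAMPLE_RESPONSES: Dict[str, dict] = {
    "controller1.mydomain.com:8441": {"data": [IDP]},
    "controller2.mydomain.com:8441": {"data": [IDP]},
    "controller3.mydomain.com:8441": {"data": []},
}


def fetch_signers(node: str, ca_file: str) -> dict:
    """Fetch one controller's signer listing over TLS, trusting only the cluster CA."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(f"https://{node}{SIGNERS_PATH}", context=ctx, timeout=10) as resp:
        return json.load(resp)


def fingerprints(listing: dict) -> set:
    """Reduce a listing to comparable (name, auth URL, enabled) tuples."""
    return {(s.get("name"), s.get("externalAuthUrl"), s.get("enabled"))
            for s in listing.get("data", [])}


def find_drift(responses: Dict[str, dict]) -> Dict[str, List[str]]:
    """Return, per node, the signer names it lacks relative to the union of all nodes.

    A non-empty entry means a client that the load balancer hands to that node
    would see no usable IdP (or a different one), matching the
    'no provider available' symptom described in the thread.
    """
    per_node = {node: fingerprints(r) for node, r in responses.items()}
    union = set().union(*per_node.values())
    return {node: sorted(str(fp[0]) for fp in union - fps)
            for node, fps in per_node.items() if union - fps}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; replace with fetch_signers() per node.
    for node, missing in find_drift(SAMPLE_RESPONSES).items():
        print(f"{node}: missing signer(s) {missing}")
```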
Ah, well, that is definitely just fine and makes sense.