Open ank-everstake opened 1 year ago
For SSO integrations OpenZiti currently supports federation via JWTs through a feature called External JWT Signers, which allows OpenZiti to trust either a specific signer certificate or certificates provided through a JWKS endpoint. This allows JWTs to designate which identity a JWT should associate with (for policy resolution) and allows the use of another feature called API Session Certificates, which can be used to create a scoped certificate for short-term usage with Edge Routers. These features were developed piecemeal with very specific use cases dealing with an upcoming feature that is entering beta now.
That said, some architectural changes are coming to OpenZiti this year, which include enhancements to the authentication/authorization feature set. One of those is SAML support, along with renaming/reworking/moving External JWT Signers as well. I would love to hear the exact flow and use cases you are looking to enable - calling out specific IdPs (if possible) and workflows (e.g., OpenID Connect Implicit).
Lastly, I would like to transfer this issue to the github.com/openziti/edge repository - as that repository is responsible for authentication/authorization.
Thanks for the update! Will eagerly wait for SAML support and other upcoming changes. In regard to our flow - we currently rely heavily on GSuite OAuth2 and SAML functionality for Grafana and Gitlab. Feel free to move the issue to another repo.
@andrewpmartinez is there an issue to track this feature (SAML/OIDC)? Thanks
@lukasmrtvy I think this is that issue? :) We've been ramping up around IdP/OIDC/SAML support in various places. It's always a game of prioritization. Andrew and Eugene were talking about a relatively similar topic just this week. I'd say keep an eye on this issue, though.
While there is a solution to this issue, we have a chance to improve our documentation. We should have reference guides for integrating w/ Google/Auth0/etc.
Context
I have searched all docs available on how to fast enroll users through SSO, but no gain(
Summary
Currently, as far as I understood, there is no easy way to onboard users through a Gsuite/Okta/Github SSO mechanism. This is a bit strange, as a zero-trust solution which is not scalable in this matter will eventually break the flow. As I see it, I need to set up some external CA tools/infra that support binding with SSO in exchange for certs/JWTs and make a connection with OpenZiti to accept those certs as the primary auth.
A bit cumbersome, and dispersing the logic between 2 solutions is a bad idea, especially for small to medium deployments.
Will it be possible to add SSO/SAML to OpenZiti?