openziti / ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
https://openziti.io
Apache License 2.0

Need a way to enroll SDK identities with IDP authentication #1352

Closed ekoby closed 3 weeks ago

ekoby commented 1 year ago

Possibly have a stable JWT for each JWT signer with all needed information -- controller address, IDP URL, etc.

qrkourier commented 11 months ago

Sounds useful, but only for OIDC claims because x509 claims do not presume a particular protocol for submitting a CSR, so it's treated as an out-of-band concern. Both OIDC ("external JWT signer") and x509 claims use the Identity property externalId to map the signed document from an external IdP to an existing Ziti Identity, which may or may not be "enrolled."

Suppose we implement a stable (not secret, reusable) JWT to deliver configuration to the client. In that case, we should probably avoid naming the event representing consumption of that JWT "enrollment" because enrollment today always means registering a client authentication certificate fingerprint with the Ziti Controller, whether the Edge Enrollment CA or an External CA issued that certificate.

This JWT consumption event is an authentic configuration event, not an enrollment per se.

TL;DR We should call it a "claim," or anything other than "enrollment."
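The two comments above sketch a "stable, not secret, reusable" JWT that carries bootstrap configuration (controller address, IDP URL) and is distinct from enrollment. The following is an added illustration of that shape and is not OpenZiti code: the claim names (`ziti_ctrl`, `idp_url`, `idp_client_id`), the `Issue`/`Verify` functions and the use of an Ed25519 ("EdDSA") signing key are all assumptions chosen for the example. The point it shows is that such a token authenticates the configuration to the client (signature over public data, pinned verifier key, explicit `alg` check), while nothing in it authenticates the client, which is why consuming it is a configuration event rather than an enrollment.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ConfigClaims is a hypothetical payload for the configuration JWT discussed in
// the issue. Every field is public bootstrap information; the token contains no
// secret and proves nothing about the holder.
type ConfigClaims struct {
	Issuer     string `json:"iss"`
	Controller string `json:"ziti_ctrl"`     // assumed claim name: controller address
	IdpURL     string `json:"idp_url"`       // assumed claim name: IdP base URL
	ClientID   string `json:"idp_client_id"` // assumed claim name: public OIDC client id
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Issue signs the claims with an Ed25519 key and returns a compact JWS/JWT.
// Because the payload is public, the same token can be handed out repeatedly.
func Issue(priv ed25519.PrivateKey, c ConfigClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64(sig), nil
}

// Verify checks the token against a pinned public key. The client must already
// trust this key out-of-band; the token cannot bootstrap its own trust.
func Verify(pub ed25519.PublicKey, token string) (ConfigClaims, error) {
	var c ConfigClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return c, err
	}
	// Pin the algorithm so a header claiming "none" or an HMAC alg is rejected.
	if hdr.Alg != "EdDSA" {
		return c, errors.New("unexpected alg " + hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("bad signature")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(pb, &c); err != nil {
		return c, err
	}
	if c.Controller == "" || c.IdpURL == "" {
		return c, errors.New("token lacks controller or IdP address")
	}
	return c, nil
}

func main() {
	// Constructed key pair and values; a real deployment would pin the
	// signer's public key in the SDK distribution.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tok, _ := Issue(priv, ConfigClaims{
		Issuer: "example-signer", Controller: "https://ctrl.example.test:1280",
		IdpURL: "https://idp.example.test", ClientID: "ziti-sdk",
	})
	c, err := Verify(pub, tok)
	fmt.Printf("claims=%+v err=%v\n", c, err)

	// A token signed by an unknown key must be refused.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, err = Verify(otherPub, tok)
	fmt.Println("wrong key:", err)
}
```

Usage: the client parses the token with `Verify`, then starts the OIDC flow against `IdpURL`; the result of that flow, not this token, is what the controller later maps to an Identity via `externalId`.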

smilindave26 commented 11 months ago

I'd like to include a flow where the user only needs to know a single URL, similar to what happens with BrowZer. The user can be handed that URL out-of-band. When they hit it, the dance with the IdP is kicked off. Distributing that info in a JWT is a fine option, but hopefully not required.

andrewpmartinez commented 3 weeks ago

Also see #2324

andrewpmartinez commented 3 weeks ago

Closing as a dupe of: #2324