External Provider - URL
New with ZDEW 2.5.2+ and an OpenZiti Controller version 1.2+ is adding an identity to a Windows installation using externally provided authentication. This process involves mapping an identity provided by an identity provider to an OpenZiti Identity using the external-id field as well as configuring an ext-jwt-signer.
Prerequisites
- OpenZiti Controller 1.2+
- ZDEW 2.5.2+
- an external-jwt-provider is properly configured
- an identity exists with an external-id field set to a value provided from the external provider
- the OpenZiti Controller is configured to serve a pre-configured trusted certificate. The certificate must be verifiable by the OS without additional information, for example because it is issued by a widely trusted CA, or because the Windows administrator has added the certificate chain to the OS trust store
Authenticating with the External Provider
Once the JWT is accepted, a new identity will be added to the ZDEW. Initially, the identity will not be authorized and a new icon will show up indicating the user needs to authorize via the external provider. If a single external provider is configured for this OpenZiti overlay network, clicking the icon will begin the Auth Flow with PKCE process. During this time, the ZDEW will be listening on port 20314.
After successfully completing the authentication with the external provider, the browser will redirect to the listening port and complete the authentication flow. The user will be shown a screen that looks similar to this. The first time this screen is shown in a browser session, it will not automatically close. Subsequent authentication events should result in the tab automatically closing.
Assuming everything succeeds, the user will see the normal information shown by an authenticated identity.
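The PKCE flow sketched above (authorization request opened in the browser, redirect back to a local listener on port 20314, state check before the code is accepted), as an added example that is not ZDEW's or OpenZiti's own code. The provider endpoint, client id and state are placeholders; the later steps of the real client (exchanging the code for tokens at the provider and presenting the result to the controller) are not shown.

```python
import base64, hashlib, secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECT_PORT = 20314  # local port the page says ZDEW listens on during the flow

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def verify_challenge(verifier: str, challenge: str) -> bool:
    """The check the provider's token endpoint performs on the code exchange."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest()) == challenge

def build_authorize_url(auth_endpoint, client_id, challenge, state, scopes=("openid",)):
    """Authorization request the desktop client opens in the browser (placeholder endpoint)."""
    params = {"response_type": "code", "client_id": client_id, "state": state,
              "redirect_uri": f"http://localhost:{REDIRECT_PORT}/", "scope": " ".join(scopes),
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{auth_endpoint}?{urlencode(params)}"

def parse_redirect(url: str, expected_state: str) -> str:
    """Pull the authorization code out of the browser's redirect to the listener.
    A state mismatch means the response is not for the request we issued."""
    q = parse_qs(urlparse(url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect ignored")
    if "error" in q:
        raise ValueError(f"provider returned error: {q['error'][0]}")
    return q["code"][0]

class RedirectHandler(BaseHTTPRequestHandler):
    """Answers the single redirect on the local port and records the request path."""
    def do_GET(self):
        self.server.redirect_path = self.path
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Authentication received; you can close this tab.")

def wait_for_redirect(port=REDIRECT_PORT):
    """Block until the browser hits the listener once; return the request path."""
    with HTTPServer(("127.0.0.1", port), RedirectHandler) as srv:
        srv.redirect_path = None
        srv.handle_request()
        return srv.redirect_path
```

A client would call make_pkce_pair, open build_authorize_url in the browser, then pass wait_for_redirect() through parse_redirect with the same state before exchanging the code together with the verifier.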