Generic IdP
Required Fields
The following fields are necessary in order to configure an external JWT signer with OpenZiti. This configuration will enable authentication via JWTs obtained through an Authorization Code Flow with PKCE or PKCE flow. OpenID Connect providers will provide a discovery endpoint that is useful for discovering the Issuer and the JWKS Endpoint needed to complete the external jwt signer setup.
| Field | Description | Example |
|---|---|---|
| Issuer | The issuer field is a unique HTTPS URL that identifies the OpenID Provider. It must match the iss claim provided in the JWT | https://my.identity.provider:2345 |
| Client ID | The unique value provided by the OIDC provider used to identify the application within the provider to use | openziti_client_id |
| Audience | The audience, specified as the aud field in the JWT, used to verify the JWT is intended for the OpenZiti Controller | openziti_client_id |
| External Auth URL | For OIDC, this is the same value as the issuer and should be the base url of the OIDC discovery endpoint (.well-known/openid-configuration) | https://my.identity.provider:2345 |
| JWKS Endpoint | A url the OpenZiti Controller can use to retrieve a JSON Web Key Set, used to verify JWTs | https://my.identity.provider:2345/.well-known/openid-configuration |
| Claims Property | The property within the JWT returned from the OIDC provider that will map to the external ID field of an identity | |
| Scopes | The set of scopes to request when generating the authentication request to the OIDC provider | profile offline_access |
Callback URLs
The Authorization Code Flow with PKCE or PKCE flow requires configuring callback URLs the Identity Provider (IdP) will allow redirecting to. If the URL for a specific client is not specifically listed, the IdP will deny the authentication request. Depending on the technology used to authenticate to the OpenZiti Network, different URLs need to be specified. More than one URL is allowed to be configured. Decide if you are configuring the IdP for use with tunnelers, with BrowZer or with both and add the appropriate callback urls.
In the Auth0 dashboard, with the application selected, choose the "Settings" tab and scroll down to the "Application URIs" section and add the URLs.
For Tunnelers
Tunnelers require an allowed callback URL of: http://localhost:20314/auth/callback.
For BrowZer
The URL to configure for BrowZer will vary depending on the BrowZer configuration. BrowZer requires a wildcard certificate in order to be deployed and all services are delivered from this wildcard domain. You will need to add the configured wildcard domain as the callback url.
For Ziti Admin Console (ZAC)
The URL to configure an IdP for so that ZAC will be able to authenticate will depend on how you deploy your ZAC. The current method recommended to deploy ZAC will deploy it on the same URL as the controller. For example: https://controller.example.com/zac/callback