By JWT
New with ZDEW 2.5.2+ and an OpenZiti Controller version 1.2+ is the ability to add an identity to a Windows installation using externally provided authentication. This process involves mapping an identity provided by an identity provider to an OpenZiti Identity using the external-id field, as well as configuring an ext-jwt-signer.
Prerequisites
- OpenZiti Controller 1.2+
- ZDEW 2.5.2+
- an external-jwt-provider is properly configured
- an identity exists with an external-id field set to a value provided from the external provider
- the OpenZiti network operator has sent the Windows machine the network jwt file
Obtaining the Network JWT
Adding an identity to a Windows machine that uses an external provider as the primary authentication mechanism with a JWT requires the user or an operator to obtain a JWT ahead of time. This can be done in two different ways.
Obtain the Network JWT - ZAC
Obtain a controller's network JWT using the Ziti Admin Console. From the Authentication->JWT Signers page, click on "Download Network JWT" located on the top right, near the "plus" icon and send the JWT to the user trying to add an identity.
Obtain the Network JWT - Shell
Alternatively, a request can be made to the OpenZiti controller's API to return the JWT. Make an HTTP GET to the controller's /network-jwts endpoint, extract the token field from the response and save that value as the JWT file. Using bash, curl and jq this might look something like (the jq filter is quoted so the shell does not try to expand the brackets):
curl -s https://my.openziti.controller.local:443/network-jwts | jq -r '.data[].token' > my-network-jwt
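The jq one-liner prints every token in the data array, so a controller with more than one network JWT would write several tokens into one file. The added Python example below (not part of the OpenZiti docs or client) selects exactly one entry, assuming the response shape {"data": [{"name": ..., "token": ...}]}, and decodes the JWT's header and payload for inspection only; the sample token and its claims are constructed placeholders, and nothing here verifies the signature.

```python
import base64
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip off."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def extract_network_token(response: dict, name: Optional[str] = None) -> str:
    """Pick exactly one token out of a /network-jwts response body.

    With several entries the caller must name the one to use; silently
    concatenating them (as `jq -r '.data[].token'` does) yields a file
    that is not a valid JWT.
    """
    entries = response.get("data") or []
    if name is not None:
        entries = [e for e in entries if e.get("name") == name]
    if len(entries) != 1:
        raise ValueError(f"expected exactly one network JWT, got {len(entries)}")
    token = entries[0].get("token", "")
    if not token:
        raise ValueError("network JWT entry has no token field")
    return token


def decode_jwt_unverified(token: str) -> tuple:
    """Split a compact JWT into (header, payload) dicts for inspection.

    The signature is NOT checked here: the controller's signing key is not
    available to this script, so treat the output as untrusted metadata.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


# Constructed sample: placeholder claims and an all-zero signature, not a
# real controller-issued network JWT.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"iss": "https://my.openziti.controller.local:443"}).encode()),
    _b64url_encode(b"\x00" * 32),
])
SAMPLE_RESPONSE = {"data": [{"name": "default", "token": SAMPLE_TOKEN}]}

if __name__ == "__main__":
    token = extract_network_token(SAMPLE_RESPONSE)
    header, payload = decode_jwt_unverified(token)
    print("alg:", header["alg"], "issuer:", payload["iss"])
    with open("my-network-jwt", "w") as fh:  # same file name the curl line uses
        fh.write(token)
```

Run against a live controller by replacing SAMPLE_RESPONSE with the parsed JSON body of the GET /network-jwts request.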
Adding the Identity
With the JWT on the Windows machine to be added, click on the "ADD IDENTITY" button in the top right of the screen. After the context menu pops up choose "With JWT". In the file dialog, select the network JWT file and the identity will be added to the system.
Authenticating
Once an identity has been added for a network leveraging an external provider, the next step is to authenticate it. See Authenticating for more details about how to authenticate to the network.