NetFoundry OpenZiti BrowZer Pilots: Setup Instructions for Customers

Introduction

This page details various tasks that must be performed by a customer who will be participating in a BrowZer pilot, as well as certain data values the customer must provide to NetFoundry personnel who will be orchestrating the deployment and provisioning of browZer-enabled networks on behalf of the customer.

There are two main items that a customer must bring to the pilot:

  1. A CloudZiti network
  2. An Auth0 IdP account

Details surrounding these items are described below.

Step 1: Create a CloudZiti Teams network

NetFoundry recommends that BrowZer pilots be carried out using the customer's CloudZiti Teams network.

If the customer already has an existing CloudZiti Teams network, that's great!  We will use the existing CloudZiti Teams network.

NOTE:

BrowZer pilots require your network to be running at Ziti level v0.26.9 or newer. 

If your Teams network is not at that level, we will need to upgrade it for you.


If the customer does not yet have a CloudZiti Teams network, the customer can click the image below, and be brought to the CloudZiti Teams "Get Started" page, to create their free network:

[Image link: CloudZiti Teams "Get Started" page]

Step 2: Tell Us the Name of Your CloudZiti Teams Network

Once the customer has created their CloudZiti Teams network, they should tell NetFoundry what the name of the network is.  They should communicate this information to their private Team over on the mattermost.openziti.io site in a msg to @curt.


Step 3: Create an Auth0 (IdP) account

The BrowZer architecture requires the use of an Identity Provider (IdP) capable of facilitating SSO.

NetFoundry currently recommends that BrowZer pilots be carried out using the customer's Auth0 account as the IdP.

If the customer already has an existing Auth0 account, that's great!  We will use the existing Auth0 account.

However, if the customer does not yet have an Auth0 account, the customer can click the image below, and be brought to the Auth0 "Get Started" page, to create their free IdP account:

[Image link: Auth0 "Get Started" page]

Step 4: Create an Auth0 'Application'

The customer should log in to their Auth0 account, and go to the "Applications" page:

[Screenshot: Auth0 "Applications" page]

Then click "Create Application":

[Screenshot: "Create Application" button]

Then create a new "Regular Web Application":

[Screenshot: "Regular Web Application" selection]

The name of the Application can be whatever the customer wants, but it will represent the BrowZer Gateway we will deploy for the customer, so its name should reflect that.

[Screenshot: Application name field]

Step 5: Create an Auth0 'API'

The customer should log in to their Auth0 account, and go to the "APIs" page:

[Screenshot: Auth0 "APIs" page]

Then click "Create API":

[Screenshot: "Create API" button]

Give the API a Name like browzer.<YOUR-TEAMS-NETWORK-NAME>.nfconsole.io and an Identifier like https://browzer.<YOUR-TEAMS-NETWORK-NAME>.nfconsole.io

Step 6: Configure the Auth0 'Application' SSO callback

The customer should log in to their Auth0 account, go to the "Applications" page, and select the Application they created in Step 4.

Then scroll down to "Application URIs" and set "Allowed Callback URLs" to https://browzer.<YOUR-TEAMS-NETWORK-NAME>.nfconsole.io/callback, where <YOUR-TEAMS-NETWORK-NAME> is the name of the CloudZiti Teams network from Step 1.

Step 7: Gather/Provide Auth0 'Application' variables

Domain and ClientID

In the Auth0 Application/Settings for the Application from Step 6, the customer should copy the Domain value, and the Client ID value:

[Screenshot: Auth0 Application "Settings" tab showing Domain and Client ID]

...then communicate (paste) this information into the customer's private Team over on the mattermost.openziti.io site, in a msg to @curt.


KID

We will also need the kid for the customer's Auth0 tenant.

The kid can be found like this:

[Screenshot: locating the kid in the Auth0 tenant]

...then communicate (paste) this information into the customer's private Team over on the mattermost.openziti.io site, in a msg to @curt.


Certificate

We will also need the certificate for the customer's Auth0 tenant.

The certificate can be found like this:

[Screenshot: Auth0 Application settings]

...then scroll down and click/open "Advanced Settings":

[Screenshot: "Advanced Settings" section]

...then select "Certificates", then copy the signing cert:

[Screenshot: "Certificates" tab with the signing certificate]

...then communicate (paste) this information into the customer's private Team over on the mattermost.openziti.io site, in a msg to @curt.
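Before pasting the Step 5 to Step 7 values into the Team channel, it is worth confirming they agree with each other. The helper below is an added example, not NetFoundry or Auth0 code: it derives the API Identifier, callback URL and gateway URL from the network name, checks a configured callback against the derived one exactly (the IdP matches Allowed Callback URLs literally, so a trailing slash or http:// is a mismatch), and checks that the copied kid and signing certificate belong to the same key in the tenant's JWKS document, which Auth0 serves at https://<DOMAIN>/.well-known/jwks.json. The JWKS, kid and certificate embedded here are constructed placeholders, and fetching the real JWKS is assumed to happen separately.

```python
"""Pre-flight check for the Auth0 values a BrowZer pilot hands to NetFoundry.
Added example; not NetFoundry or Auth0 code. Sample data below is constructed."""
import base64
import re

# The network name becomes a DNS label inside browzer.<name>.nfconsole.io, so it
# must be lowercase letters, digits and hyphens (the gateway URL is lowercase).
NETWORK_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def expected_urls(network_name: str) -> dict:
    """Derive the API Identifier (Step 5), callback (Step 6) and gateway URLs."""
    if not NETWORK_RE.match(network_name):
        raise ValueError(f"not a usable network name: {network_name!r}")
    host = f"browzer.{network_name}.nfconsole.io"
    return {"api_identifier": f"https://{host}",
            "callback_url": f"https://{host}/callback",
            "gateway_url": f"https://{host}"}

def check_callback(configured: str, network_name: str) -> bool:
    """Allowed Callback URLs are matched exactly by the IdP, so compare exactly:
    a trailing slash, http:// or a different host is a mismatch."""
    return configured == expected_urls(network_name)["callback_url"]

def pem_body(pem: str) -> str:
    """Strip PEM armour and whitespace, leaving base64 DER as JWKS x5c stores it."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("not a PEM certificate")
    return "".join(lines[1:-1])

def check_signing_key(jwks: dict, kid: str, pem: str) -> bool:
    """True if `kid` names a signing key in the tenant JWKS and that key's
    x5c[0] is the copied certificate. False means the kid and the certificate
    were taken from different keys (e.g. after a key rotation)."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key.get("x5c", [None])[0] == pem_body(pem)
    return False

# Constructed sample: a fake DER blob wrapped as PEM and the matching JWKS entry.
FAKE_DER_B64 = base64.b64encode(b"constructed, not a real certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "EXAMPLE-KID-123",
                         "x5c": [FAKE_DER_B64]}]}
```

Run it against the real JWKS and the copied values; a False from check_signing_key is the usual sign that the kid and certificate were copied from different keys.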


BrowZer Gateway URL

Once the above pieces of information are provided by the customer, NetFoundry will then complete the deployment/provisioning of a BrowZer Gateway instance to support the customer's pilot.


The BrowZer Gateway will reside at a DNS name of:

browzer.<YOUR-TEAMS-NETWORK-NAME>.nfconsole.io

NOTE:

This will be the URL that users of your protected web app point their browsers at, so you will need to socialize this URL with them.

Once the BrowZer Gateway is running, when anyone visits the URL:

https://browzer.<YOUR-TEAMS-NETWORK-NAME>.nfconsole.io 

...in a browser, the SSO login dialog should render like the example below:

[Screenshot: example SSO login dialog]

Step 8: Create/Provide Ziti Service for Protected Web App

The customer should deploy the web app to be used in the BrowZer pilot into their private VPC, and ensure it has a Ziti Service associated with it.

The following information should be communicated (pasted) into the customer's private Team over on the mattermost.openziti.io site, in a msg to @curt:

  • Service name
  • The port number (in the VPC) that the web app listens on (where Ziti will terminate to)
  • Confirmation that the web app listens on HTTP, not HTTPS. (BrowZer support for TLS-over-mTLS is nearing completion but is not ready yet, so pilots must currently have the web app listen internally on HTTP.)

Once this Service name information is provided, NetFoundry will then add it to the configuration of the BrowZer Gateway instance.


Step 9: Complete the Provisioning of the Ziti Network

The customer should gather the Gmail addresses of the users that require access to the protected web app over BrowZer.

These email addresses should be communicated (pasted) into the customer's private Team over on the mattermost.openziti.io site, in a msg to @curt.

Once this information is provided, NetFoundry will then add it to the Ziti network configuration.


Enjoy Using BrowZer

Once all of the above steps have been completed, NetFoundry will notify the customer via a msg over on the mattermost.openziti.io site, and the customer can instruct their users to begin.

NOTE:

Users must use a Chromium-based browser (e.g. Chrome, Brave, or Edge).

Ensure users understand that they will be required to do an SSO authentication using their Gmail credentials in order to gain access to the Ziti network:

[Screenshot: SSO authentication prompt]

Once a successful SSO authentication is completed, the customer's protected web app should then load into the user's browser.

If the web app has its own authentication, users should proceed with the credentials they have that are specific to that web app.
