Starting with version 2.5.2 of the Ziti Desktop Edge for Windows (ZDEW) and 1.2.0 of the Ziti Controller, NetFoundry supports authenticating identities against an identity provider (IDP) via OIDC. This feature simplifies identity enrollment and lets identities authenticate with the organization's own IDP.
The IDP can be any OIDC-compliant provider such as Okta, Google, Auth0, Entra ID, etc. Through the external JWT signer functionality, the IDP is registered as an external JWT signer and an authentication policy that allows it is created in the network. Identities are then configured to authenticate via the authentication policy created for the IDP. Note that identities are created with the default authentication policy unless a specific authentication policy is selected.
In this guide we take you through the steps involved in setting up Okta as an external authentication provider for a network and authenticating ZDEW with that provider.
Prerequisites
- A NetFoundry Cloud Network that is up and running.
- An administrator account with Okta
- Ziti Desktop Edge for Windows installed on a user device
1. Setting Up Okta as IDP
A. Create an Okta OIDC Application
- Sign in to your Okta admin portal.
- Navigate to Applications > Applications > Create App Integration.
- Choose:
  - Sign-in method: OIDC - OpenID Connect
  - Application type: Single-Page Application
- Click Next.
- Configure the following:
  - App name: CSLAB (or a name of your choice)
  - Sign-in redirect URIs: tunnelers require an allowed callback URL of http://localhost:20314/auth/callback. Okta matches redirect URIs exactly, so enter the scheme, host, port and path as shown.
- Assign the application to the appropriate groups or users and click Save.
A Single-Page Application integration is a public client: it has no client secret, and the authorization code flow is protected with PKCE instead, which is the flow ZDEW runs in step 3-D.
B. Add an Authorization Server
- Navigate to Security > API > Authorization Servers.
- Click Add Authorization Server.
- In the popup, enter values for Name, Audience and Description. Any values are acceptable, but take note of the Audience: it is the value that must be assigned to the external JWT signer in step 2-B, and tokens whose 'aud' claim does not match it are rejected by the controller.
- Click Save.
C. Add an Authorization Server Policy Rule
- In the same Authorization Server you created, go to the Access Policies tab.
- Click Add New Access Policy.
- Add a Name and Description, select the clients to assign the policy to (the application created in step 1-A) and click Create Policy.
- Within the policy, click Add Rule.
- Add a Rule Name, decide which Grants to allow, which Users are assigned and which Scopes will activate the rule, then click Create Rule at the bottom of the form. The rule must allow the Authorization Code grant and the openid, profile and email scopes, since those are the scopes the JWT signer is configured with in step 2-B.
D. Adding an Email Claim to the Access Token
The user's email address has to be present as a claim in the access token, because it is the value the controller matches against the identity's External Id (step 2-D). This is accomplished by creating a claim on the Authorization Server.
- In the same Authorization Server you created, go to the Claims tab.
- Select the Access tab and click Add Claim.
- To finalize the claim, fill out the fields and click Create when done:
  - Name: "email"
  - Value: the expression "user.email", which resolves to the user's email address
  - Include in: the "openid", "profile" and "email" scopes
2. Setting up Authentication in NetFoundry Console
A. Gather IdP Information
- The openid-configuration endpoint URL for Okta is obtained by appending '/.well-known/openid-configuration' to the "Issuer URI" shown for the authorization server in the Okta admin portal (Security > API > Authorization Servers). The authorization server's ID is already part of the Issuer URI:
https://dev-<>.okta.com/oauth2/<authorization server's ID>/.well-known/openid-configuration
- Entering the openid-configuration endpoint URL into a browser returns a JSON document describing the authorization server.
- Make a note of the 'issuer' value. It must match the Issuer URI you started from; if it does not, you are looking at a different authorization server (for example the org authorization server at https://dev-<>.okta.com rather than the custom one you created).
- Make a note of the 'jwks_uri' value. This is where the controller fetches the signing keys used to verify access tokens, so it must belong to the same authorization server that issues them.
B. Create External JWT Signer
- You can access and manage the JWT Signers in the console by clicking the 'Authentication' icon in the left-hand navigation menu.
- To add a JWT Signer, click the add symbol at the top right of the page.
- To set up the JWT Signer, use the values gathered from the openid-configuration endpoint URL and the Okta admin portal:
  - Issuer - the 'issuer' value returned from the openid-configuration endpoint URL
  - Audience - found in the Okta admin portal under Security > API, in the "Audience" column of the Authorization Servers list (the value entered in step 1-B)
  - Client ID - found in the Okta admin portal under Applications > Applications, in the list of Applications (the app created in step 1-A)
  - Scopes - 'openid', 'profile', 'email'
  - JWKS Endpoint - the 'jwks_uri' value returned from the openid-configuration endpoint URL
  - Claims Property - the JWT claim, 'email', whose value is matched against the unique 'External Id' on Identities
  - External Auth URL - same as 'issuer'
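The following script ties steps 2-A and 2-B together. It is an added example written for this guide, not NetFoundry or Okta code, and it uses only the Python standard library so it runs offline: the issuer, audience, discovery document, JWKS entry and access tokens in it are constructed to have the shape Okta returns, and the JWKS key carries a placeholder modulus. It derives the openid-configuration URL from an Issuer URI, pulls 'issuer' and 'jwks_uri' out of the discovery document while confirming the document belongs to that issuer, and then decodes an access token's header and claims (without verifying the signature, which the controller does against jwks_uri) to report anything the external JWT signer would reject: a wrong issuer or audience, a 'kid' absent from the JWKS, missing scopes, an expired token, or the missing 'email' claim you get when step 1-D was skipped.

```python
"""Pre-flight check of the values used for a NetFoundry external JWT signer.

Added example for this guide, not NetFoundry or Okta code. Standard library only;
all sample data below is constructed, and the JWKS key has a placeholder modulus.
Signature verification is NOT replicated here: the controller does that against
jwks_uri. This only confirms the configuration values line up before trying ZDEW.
"""
import base64
import json
import time

# Assumed values (not from the guide): an Okta dev org and a custom authorization server.
ISSUER = "https://dev-123456.okta.com/oauth2/aus9abcdefgh1234567"
AUDIENCE = "api://netfoundry"
REQUIRED_SCOPES = {"openid", "profile", "email"}
CLAIMS_PROPERTY = "email"   # claim mapped to the identity's External Id


def discovery_url(issuer):
    """Step 2-A: append '/.well-known/openid-configuration' to the Issuer URI."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def signer_values(discovery_doc, expected_issuer):
    """Return the two JWT Signer fields taken from the discovery document.

    The org authorization server and each custom authorization server have different
    issuers and jwks_uri values, so a mismatch means the wrong URL was pasted.
    """
    if discovery_doc["issuer"] != expected_issuer:
        raise ValueError("discovery document is for %s, not %s" % (discovery_doc["issuer"], expected_issuer))
    return {"issuer": discovery_doc["issuer"], "jwks_uri": discovery_doc["jwks_uri"]}


def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def check_access_token(token, issuer, audience, jwks, now=None):
    """List the problems an external JWT signer would trip on; an empty list means the token fits.

    Header and claims are decoded without signature verification (see module docstring).
    """
    problems = []
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now

    if header.get("alg") != "RS256":
        problems.append("unexpected alg %r" % header.get("alg"))
    if header.get("kid") not in {k.get("kid") for k in jwks.get("keys", [])}:
        problems.append("kid %r not in JWKS: wrong jwks_uri or wrong authorization server?" % header.get("kid"))
    if claims.get("iss") != issuer:
        problems.append("iss %r does not match signer issuer %r" % (claims.get("iss"), issuer))
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud %r does not contain signer audience %r" % (aud, audience))
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if not claims.get(CLAIMS_PROPERTY):
        problems.append("claim %r missing: add it on the authorization server (step 1-D)" % CLAIMS_PROPERTY)
    missing = REQUIRED_SCOPES - set(claims.get("scp", []))
    if missing:
        problems.append("scopes missing from scp: %s" % sorted(missing))
    return problems


# --- constructed sample data, shaped like Okta's discovery document, JWKS and access token ---
SAMPLE_DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/v1/authorize",
    "token_endpoint": ISSUER + "/v1/token",
    "jwks_uri": ISSUER + "/v1/keys",
}
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "k1",
                         "n": "placeholder-not-a-real-modulus", "e": "AQAB"}]}


def make_unsigned_token(header, claims):
    """Build a JWT with a dummy signature, purely to exercise the checks offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc(header) + "." + enc(claims) + ".AAAA"


HEADER = {"alg": "RS256", "kid": "k1", "typ": "JWT"}
GOOD_CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user@example.com", "email": "user@example.com",
               "scp": ["openid", "profile", "email"], "exp": 4102444800}
GOOD_TOKEN = make_unsigned_token(HEADER, GOOD_CLAIMS)
# The same token without the email claim: what you get when step 1-D was skipped.
NO_EMAIL_TOKEN = make_unsigned_token(HEADER, {k: v for k, v in GOOD_CLAIMS.items() if k != "email"})

if __name__ == "__main__":
    print("fetch:", discovery_url(ISSUER))
    print("signer fields:", signer_values(SAMPLE_DISCOVERY, ISSUER))
    print("good token:", check_access_token(GOOD_TOKEN, ISSUER, AUDIENCE, SAMPLE_JWKS) or "no problems")
    print("token without email claim:", check_access_token(NO_EMAIL_TOKEN, ISSUER, AUDIENCE, SAMPLE_JWKS))
```

To use it against a real setup, replace the constants with your Issuer URI and Audience, fetch the discovery document and JWKS from the URLs the script prints, and paste an access token obtained from Okta's Token Preview tab; a non-empty problem list points at the Okta step that needs fixing before ZDEW will authenticate.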
C. Create the Authentication Policy
Authentication occurs when a client wishes to interact with the Controller. Read more about Authentication Policies & Ziti Authentication.
- You can access and manage the Authentication Policies in the console by clicking the 'Authentication' icon in the left-hand navigation menu.
- Click the "Authentication Policies" tab in the top navigation menu and create a policy that allows external JWT as a primary authentication method, selecting the JWT signer created in step 2-B as an allowed signer. Only identities assigned to this policy can authenticate through Okta.
D. Create or Assign Identities(Endpoints) to the Authentication Policy
- In the console, create or update the Identities (Endpoints), choosing the authentication policy created in step 2-C.
- Enter the user's email address associated with the Okta account as the identity's External Id. This is the value the 'email' claim in the access token is matched against, so it must match exactly.
- The identity attributes configured in the network's AppNet (service access) policies have been pre-added, so this identity is granted access to services once it authenticates.
3. Enrolling the Identity
An identity can be added to ZDEW using the external provider in two different ways.
- External JWT Provider - JWT - Add an identity using the configured provider and network JWT
- External JWT Provider - URL - Add an identity using the configured provider and URL
A. Adding the Identity with JWT
The network's JWT can be downloaded from the console's dashboard page by clicking on the Network JWT section.
- Click the "ADD IDENTITY" button at the top right of the screen.
- After the context menu pops up, choose "With JWT".
- In the file dialog, select the network JWT file obtained from the console.
B. Adding the Identity with URL
To add an identity to Windows ZDE by URL, start by clicking the "ADD IDENTITY" button at the top right of the screen. After the context menu pops up, select the "With URL" option.
- Note that the controller URL needs a "-p" before .production.netfoundry.io/, as in https://-----8fa-6ed4-4ca9-------------696c3-p.production.netfoundry.io/. Of the two controller URLs listed in the console's firewall info section, copy the one that carries the "-p".
- A dialog will appear. Enter the https controller URL in the controller URL field and click "Join network".
- The identity is added to your network using an external provider.
- Initially the identity is not authorized, and an 'authorize IdP' indicator shows that the user needs to authorize via the external provider.
- Click the blue arrow in the 'authorize IdP' icon.
C. Enroll Identity with Okta
- Select the OIDC provider (OKTAJWT here, the JWT signer created in step 2-B) and mark it as default.
- Click 'Authenticate With Provider'.
D. Authenticate with Okta
- This begins the Authorization Code flow with PKCE. During this time, ZDEW listens on port 20314 for the callback to http://localhost:20314/auth/callback registered in step 1-A.
- You will be directed to authenticate with Okta in your browser.
- After you successfully complete authentication with the external provider (Okta in our case), the browser redirects to the listening port and ZDEW completes the authentication flow, exchanging the authorization code for the access token that the controller verifies against the external JWT signer.
- The user is shown a brief confirmation screen in the browser, which closes automatically.
- The user then sees the services loaded, as for any authenticated identity.
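To make the redirect URI in step 1-A and the PKCE flow in step 3-D concrete, here is the client side of an Authorization Code + PKCE exchange as a tunneler would perform it. This is an added example written for this guide, not ZDEW or NetFoundry code, and ZDEW's own parameters beyond the callback URL and port the guide states are not shown. The redirect URI and port are the ones named in step 1-A; the issuer, client ID, state and authorization code are made up; nothing is sent over the network. It generates a code verifier, derives the S256 code challenge per RFC 7636, builds the authorize URL the browser would be opened with, and validates the callback the local listener receives, rejecting a redirect to the wrong host, port or path, an error from the IdP, or a state value other than the one sent.

```python
"""Authorization Code + PKCE request as a tunneler such as ZDEW would issue it.

Added example for this guide (standard library only), not ZDEW or NetFoundry code.
The redirect URI and port are the ones the guide names; the issuer, client ID and
authorization code are assumed values, and nothing is sent over the network.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECT_URI = "http://localhost:20314/auth/callback"               # from step 1-A; must match Okta exactly
ISSUER = "https://dev-123456.okta.com/oauth2/aus9abcdefgh1234567"   # assumed custom authorization server
CLIENT_ID = "0oa1example2client3"                                   # assumed client ID of the SPA app


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def new_verifier():
    """RFC 7636 code_verifier: 43..128 unreserved chars; 32 random bytes base64url-encoded give 43."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier):
    """S256 method, RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(issuer, client_id, redirect_uri, verifier, state, scopes=("openid", "profile", "email")):
    """Okta custom authorization servers expose /v1/authorize under the issuer (also in the discovery document).

    A public client sends the challenge here and keeps the verifier secret until the token request,
    so a code stolen from the redirect cannot be exchanged without the verifier.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return issuer + "/v1/authorize?" + urlencode(params)


def parse_callback(callback_url, expected_state, redirect_uri=REDIRECT_URI):
    """Validate the redirect the listener on port 20314 receives and return the authorization code.

    Scheme, host, port and path must match the registered redirect URI, and state must be the value
    we sent; otherwise anything that can reach the local port could inject its own code.
    """
    got, want = urlparse(callback_url), urlparse(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback %r does not match registered redirect URI %r" % (callback_url, redirect_uri))
    qs = parse_qs(got.query)
    if "error" in qs:
        raise ValueError("IdP returned error: %s %s" % (qs["error"][0], qs.get("error_description", [""])[0]))
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding callback")
    return qs["code"][0]


if __name__ == "__main__":
    verifier = new_verifier()
    state = b64url(secrets.token_bytes(16))
    print("1. browser opens:", build_authorize_url(ISSUER, CLIENT_ID, REDIRECT_URI, verifier, state))
    # Constructed redirect, shaped like the one Okta sends back to the listener on 20314.
    callback = REDIRECT_URI + "?code=FAKE_AUTH_CODE&state=" + state
    print("2. listener received code:", parse_callback(callback, state))
    # 3. The client then POSTs code + code_verifier (not the challenge) to ISSUER + "/v1/token"
    #    and receives the access token that the controller checks against the external JWT signer.
    print("3. token request would carry code_verifier:", verifier)
```

If Okta shows a redirect_uri error in step 3-D, the URL it was sent (step 1 above) and the Sign-in redirect URI from step 1-A differ in some character; if ZDEW never finishes after the browser returns, something else is bound to port 20314 or a local firewall blocks the loopback callback.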