Create and Manage Identities


This guide goes over the specifics of creating and managing Identities in the web console. Creating an Identity is the first step in getting your Service Policy [APPNET] created. 

An Identity may be created in an existing Network. You may go back to Create and Manage Your Networks if you still need a network.

Your Choice: Identities for any device / any APP

NetFoundry offers software packages for devices with various operating systems. See them here.

If you are a developer you can download our SDKs and follow the examples on embedding our SDK code in your apps. Ziti is an open-source secure networking framework that is maintained by NetFoundry.

Connecting your app directly to your network as an identity (via SDKs) has significant advantages.

  • Create a truly zero-trust connection - Zero Trust Application Access right from the app.
  • Host an invisible server in your custom app that's instantly accessible only to authorized identities
  • Deploy clients and servers anywhere without any dependence upon network infrastructure and configuration beyond a commodity internet circuit.

Create an Identity

To get started with creating your Identity, navigate to the Identities section. From there, click the blue plus sign in the upper right-hand corner to create a new Identity.

On the 'Create a New Identity' screen, you'll see fields for a name and attributes, along with a registration key to download. A unique name is needed to create an Identity. Next, either select from your list of already created attributes, or create a new one. If you have identity attributes already created, you'll need to click on the field to populate the list of attributes to choose from. When creating a new one, hit 'return' or 'enter' to populate the attribute. 

Identity Name: Assign the identity a name

Identity Attribute: Select an existing Attribute or create a new one

Authorization Policy:

  • Select the Policy, if none is selected the default policy will be applied.
  • Optionally add an external ID to coordinate with the Authentication Policy or JWT Signer requirements.

Once you've filled in all fields, click 'create' and you'll be brought to a new screen like this. 


This key will be needed to add your identity to the network. Based on the type of identity you are using, follow the instructions in the installation guides to add the identity and register it with the network.

Once registered, your identity will show in "green" on the console. When the identity is offline, it will show in "red". For an unregistered identity the registration status will show as unregistered in the console. Note that the registration token is valid for a period of 48 hours from the time of identity creation.

You can also create identities with our "network as code" feature via JSON or YAML. Learn more here.

For your identity to be able to dial the fabric, your Edge Router must be provisioned. With your identity created, you may wish to go ahead to Create and Manage Edge Routers.

Manage Your Identities

To manage your existing Identity, navigate to the Identities section. You can click on an Identity row to edit it, or use the context menu at the end of each row to take actions on the individual Identity. Use the select bubbles in the first column of the table to select multiple identities for bulk delete.

Edit - You can edit the identity name or attributes

Re-issue token - If the identity is not registered within 48 hours of token issue and the token has expired, you can always reissue the key from the console.

Share - You can share the registration key via e-mail with the user or whoever you intend to register the identity.

Visualize - You can visualize the path your identity has via the fabric to a service, and whether or not that path is broken.



Firewall Requirements

Here's a direct link to the main article about firewall requirements.

Identities must be able to reach the predictable Network controller IP and at least one (typically) unpredictable Edge Router IP on a predictable TCP port: 443. Predictable IPs are listed in the NetFoundry web console when you click on "Firewall requirements" for a particular Network when viewing "Manage Networks". Your Identities must be able to dial outbound to the internet on 443/tcp. 

  • An Identity will dial outbound to the Network's dedicated Controller on 443/tcp. This destination IP is predictable.
  • An Identity will dial outbound to the Network's Edge Routers that are configured for that Identity through Edge Router Policies on 443/tcp. These IPs are not typically predictable.
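As a pre-enrollment check for the requirements above, here is an added Python example (not NetFoundry's own code) that tests outbound 443/tcp reachability to a controller and a set of Edge Routers. The host names are placeholders, and `make_fake_connect` is a hypothetical helper for modelling a planned ruleset offline.

```python
"""Pre-enrollment connectivity check for a NetFoundry Identity (added example,
not NetFoundry code). It confirms what the firewall section requires: outbound
TCP to the Network controller and to at least one Edge Router on 443/tcp.
Host names under __main__ are placeholders; use your Network's real ones."""
import socket
from typing import Callable, Dict, Iterable

ZITI_PORT = 443  # Identities dial the controller and Edge Routers on 443/tcp

def tcp_reachable(host: str, port: int = ZITI_PORT, timeout: float = 3.0,
                  connect: Callable = socket.create_connection) -> bool:
    """True if an outbound TCP handshake to host:port completes. `connect` is
    injectable for offline runs; DNS failure, refusal and timeout are OSError."""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_network(controller: str, edge_routers: Iterable[str],
                  connect: Callable = socket.create_connection) -> Dict[str, object]:
    """Controller reachability is mandatory; the Identity also needs at least
    one of the Edge Routers granted to it by Edge Router Policy."""
    controller_ok = tcp_reachable(controller, connect=connect)
    routers = {r: tcp_reachable(r, connect=connect) for r in edge_routers}
    blocked = ([] if controller_ok else [controller]) + \
        [r for r, ok in routers.items() if not ok]
    return {"controller": controller_ok, "routers": routers,
            "ready": controller_ok and any(routers.values()), "blocked": blocked}

def make_fake_connect(reachable: Iterable[str]) -> Callable:
    """Hypothetical stand-in for socket.create_connection that succeeds only for
    the listed hosts on 443/tcp, so a ruleset can be modelled without a network."""
    allowed = set(reachable)
    class _Conn:  # minimal context manager standing in for a socket
        def __enter__(self): return self
        def __exit__(self, *exc): return False
    def connect(address, timeout=None):
        if address[0] in allowed and address[1] == ZITI_PORT:
            return _Conn()
        raise OSError(f"{address[0]}:{address[1]} blocked")
    return connect

if __name__ == "__main__":
    report = check_network("controller.placeholder.example",
                           ["er-1.placeholder.example", "er-2.placeholder.example"])
    print("ready" if report["ready"] else f"blocked: {report['blocked']}")
```

Run it against the controller and Edge Router addresses shown under "Firewall requirements" for your Network; a non-empty `blocked` list names the destinations your egress rules are still stopping.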

It is possible, but typically neither necessary for security nor expedient, to write a firewall ruleset that severely limits outgoing traffic to only the expected destination IPs, i.e. an "outgoing IP whitelist". If you find yourself looking for a way to ensure that outbound traffic flows only to predictable destinations, please inquire about customer-hosted Edge Routers, which are VMs you run inside your security perimeter and to which outbound access is granted. In that scenario, Identities are configured to connect only to your authorized points of egress.



