IDP Authorization for Ziti Desktop Edge for Windows (ZDEW) - Google Workspace Example

Starting with Ziti Desktop Edge for Windows (ZDEW) version 2.5.2 and network version 7.5.4, NetFoundry supports authenticating identities against an IDP via OIDC. This feature simplifies identity enrollment and lets identities authenticate through the organization's own IDP instead of a per-identity enrollment token.

The IDP can be any OIDC-compliant provider such as Okta, Google, Auth0, Entra ID, etc. Via the External JWT Signer functionality, the IDP is registered in the network as an external JWT signer, and an authentication policy is created that allows that signer. Identities can then be configured to authenticate via the authentication policy created for the IDP. Note that identities are created with the default authentication policy unless a specific auth policy is selected, so the IDP's policy must be assigned explicitly.

In this guide we take you through the steps involved in setting up Google Workspace as an external authentication provider for a network and authenticating ZDEW with the authentication provider.

Prerequisites

  • A NetFoundry Cloud Network that is up and running.
  • An administrator account with Google Workspace
  • Ziti Desktop Edge for Windows installed on a user device

1. Setting Up Google Workspace as IDP

A. Create a Client/Credential

Google Auth Platform and Google Cloud APIs & Services both allow you to generate credentials or clients. Although the terminology differs, the result is the same: a credential created in the APIs & Services screen appears in the Google Auth Platform as a client.

For our lab we used the Google Cloud APIs & Services console.

  1. From the APIs & Services console, click on Credentials, then Create Credentials, and choose OAuth client ID.
  2. When creating a credential/client there are different application types to select. To enable authentication for ZDEW, select Universal Windows Platform (UWP).
  3. Fill in the 'Create OAuth client ID' form as shown below and click 'Create'.

  4. This creates the OAuth credential. Record the 'Client ID'; it is used to configure the JWT signer.

2. Setting up Authentication in NetFoundry Console

A. Create External JWT Signer

  • You can access & manage the JWT Signers in the console by clicking the 'Authentication' icon on the left-hand side navigation menu.

  • To add a JWT Signer, click on the add symbol at the top right of the page.
  • To set up the JWT Signer, use the values below:
    • Issuer - The issuer for all Google tokens is constant: https://accounts.google.com
    • Client ID - Gathered in step 1-A-4 of this document. It can also be found on the client/credentials screen in the Google console.
    • Audience - Same as the Client ID. Google sets the ID token's 'aud' claim to the client ID, so tokens minted for any other client are rejected.
    • Scopes - 'openid', 'profile', 'email'
    • JWKS Endpoint - https://www.googleapis.com/oauth2/v3/certs
    • Claims property - Map the JWT claim 'email' in the token against the unique 'External Id' on Identities. Only an identity whose External Id equals the Google account's e-mail can authenticate through this signer.
    • External Auth URL - Same as the issuer: https://accounts.google.com
    • targetToken - Set to 'ID' instead of 'Access'. Google access tokens are opaque and cannot be validated against the JWKS; the ID token is the signed JWT the controller verifies.


B. Create the Authentication Policy

Authentication occurs whenever a client wishes to interact with the Controller, and the authentication policy assigned to an identity decides which methods it may use. For this setup the policy must allow external JWT authentication with the Google JWT signer created in step 2-A as an allowed signer. Read more about Authentication Policies & Ziti Authentication in the OpenZiti documentation.

  • You can access & manage the Authentication Policies in the console by clicking the 'Authentication' icon on the left-hand side navigation menu:

  • Click on the "Authentication Policies" tab on the top navigation menu

C. Create or Assign Identities (Endpoints) to the Authentication Policy

  • In the Console, create or update the Identities (Endpoints), choosing the 'AUTHORIZATION POLICY' that matches the policy created in step 2-B.
  • Enter the user's email address associated with the Google account as the External Id. It must match the 'email' claim the JWT signer maps; otherwise the token is rejected even though Google authenticated the user.
  • We have pre-added the identity attributes configured in AppNet, which grant this Identity access to services.
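To make the signer settings and the External Id mapping concrete, here is an added example that is not NetFoundry or OpenZiti code. It models the checks a controller's external JWT signer applies to a Google ID token with the step 2-A values (issuer, audience equal to the client ID, JWKS key lookup by 'kid', RS256 signature, expiry) and the step 2-C mapping of the 'email' claim onto an identity's External Id. Everything runs offline: the JWKS, the ID token and the RSA key are constructed in the script (a throwaway 1024-bit key, chosen only for speed), and the client ID, identity name and e-mail addresses are made-up values. The controller's real code path and field names are not reproduced, only the checks.

```python
"""Checks an external JWT signer applies to a Google ID token, modelled offline.
Added example, not NetFoundry/OpenZiti code; every value below is constructed."""
import base64, hashlib, json, math, random, time

CLIENT_ID = "1234567890-demo.apps.googleusercontent.com"   # made-up client ID
SIGNER = {                                                 # step 2-A values
    "issuer": "https://accounts.google.com",
    "audience": CLIENT_ID,                                 # same as Client ID
    "jwksEndpoint": "https://www.googleapis.com/oauth2/v3/certs",
    "claimsProperty": "email",                             # claim mapped to External Id
    "targetToken": "ID",                                   # ID token, not access token
}
IDENTITIES = [                                             # step 2-C: External Id = Google e-mail
    {"name": "alice-laptop", "externalId": "alice@example.com", "authPolicy": "google-workspace"},
]
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix, SHA-256

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_prime(n, rounds=16):
    """Miller-Rabin, good enough for a throwaway demo key."""
    if any(n % p == 0 for p in SMALL_PRIMES): return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def _prime(bits):
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(p): return p

def gen_rsa(bits=1024):
    """Throwaway RSA key; 1024 bits only to keep the demo fast (Google's keys are 2048-bit)."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def _emsa_pkcs1_v15(msg, k):
    """RSASSA-PKCS1-v1_5 encoding of SHA-256(msg) into k bytes (RFC 8017 section 9.2)."""
    t = DIGEST_INFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(jwk, msg, sig):
    n, e = (int.from_bytes(b64u_dec(jwk[x]), "big") for x in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(msg, k)

def jwks_for(key, kid):
    """A JWKS document of the shape served at the signer's jwksEndpoint."""
    enc = lambda v: b64u(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
                      "n": enc(key["n"]), "e": enc(key["e"])}]}

def mint_id_token(key, kid, claims):
    """Constructed RS256 ID token with the given claims (stands in for Google's)."""
    h = b64u(json.dumps({"alg": "RS256", "kid": kid, "typ": "JWT"}).encode())
    p = b64u(json.dumps(claims).encode())
    return f"{h}.{p}." + b64u(rs256_sign(key, f"{h}.{p}".encode()))

def authenticate(token, jwks, signer=SIGNER, identities=IDENTITIES, now=None):
    """Return the identity the token authenticates, or the first reason it is rejected."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims, sig = json.loads(b64u_dec(h_b64)), json.loads(b64u_dec(p_b64)), b64u_dec(s_b64)
    except ValueError:                                # wrong segment count, bad base64 or bad JSON
        return {"ok": False, "reason": "malformed token"}
    if header.get("alg") != "RS256":                  # never let the token pick a weaker algorithm
        return {"ok": False, "reason": "unexpected alg"}
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        return {"ok": False, "reason": "kid not in JWKS"}
    if not rs256_verify(jwk, f"{h_b64}.{p_b64}".encode(), sig):
        return {"ok": False, "reason": "bad signature"}
    if claims.get("iss") != signer["issuer"]:
        return {"ok": False, "reason": "issuer mismatch"}
    aud = claims.get("aud")
    if signer["audience"] not in (aud if isinstance(aud, list) else [aud]):
        return {"ok": False, "reason": "audience mismatch"}
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return {"ok": False, "reason": "token expired"}
    ext = claims.get(signer["claimsProperty"])
    ident = next((i for i in identities if ext and i["externalId"] == ext), None)
    if ident is None:                                 # a valid Google login alone is not enough
        return {"ok": False, "reason": f"no identity with External Id {ext!r}"}
    return {"ok": True, "identity": ident["name"], "authPolicy": ident["authPolicy"]}

if __name__ == "__main__":
    key, now = gen_rsa(), int(time.time())
    tok = mint_id_token(key, "demo-kid", {"iss": SIGNER["issuer"], "aud": CLIENT_ID, "sub": "1",
                                          "email": "alice@example.com", "iat": now, "exp": now + 3600})
    print(authenticate(tok, jwks_for(key, "demo-kid")))
```

The order of checks matters: signature and key lookup come before any claim is trusted, the audience check is what stops a token issued to some other Google client from being replayed against this network, and the final lookup is why step 2-C is mandatory. A production verifier would also fetch and cache the JWKS from the endpoint, allow a small clock skew on 'exp', and refuse tokens whose 'email_verified' claim is false.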

3. Enrolling the Identity

An identity can be added to ZDEW using the external provider in two different ways.

  • External JWT Provider - JWT - Add an identity using the configured provider and network JWT
  • External JWT Provider - URL - Add an identity using the configured provider and URL

A. Adding the Identity with JWT

The network JWT can be downloaded from the console's dashboard page by clicking on the Network JWT section.

Click on the "ADD IDENTITY" button in the top right of the screen.

  • After the context menu pops up choose "With JWT".

  • In the file dialog, select the network JWT file obtained from the console

B. Adding the Identity with URL

  • To add an identity to ZDEW by URL, first click on the "ADD IDENTITY" button in the top right of the screen. After the context menu pops up, select the "With URL" option.

  • The URL is shown under Identity details in the MOP console. If the OIDC Authentication details are not shown on the identity's detail page, please contact our support.

  • A dialog will appear. Enter the controller's https URL in the controller URL field and click "Join network".

  • The identity is added for your network, leveraging an external provider.
  • Initially, the identity is not authorized, and an 'authorize IdP' icon appears, indicating that the user needs to authorize via the external provider.
  • Click the 'authorize IdP' icon.

C. Enroll Identity with Google Workspace

  • Select Google-JWT (the JWT signer configured in step 2-A) as the OIDC provider and mark it as default.
  • Click 'Authenticate With Provider'

D. Authenticate with Google Workspace

  • This starts the OIDC Authorization Code flow with PKCE. While the flow is in progress, ZDEW listens on local port 20314 for the browser redirect.
  • You will be directed to authenticate with Google Workspace in your browser.


  • After successfully completing the authentication with the external provider, which is Google in our case, the browser will redirect to the listening port and complete the authentication flow.

  • The user will see the services loaded as shown by an authenticated identity.
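The following is an added example, not ZDEW or NetFoundry code, of the client side of the Authorization Code flow with PKCE that step 3-D describes: the S256 code challenge, the authorization request to Google with the scopes from the signer configuration, a loopback listener standing in for the one ZDEW runs on port 20314, state validation on the redirect, and the token request a public client sends without a client secret. The redirect path '/callback', the state and nonce handling, and the exact parameter set are assumptions; ZDEW's own listener and requests are not reproduced.

```python
"""Client side of the Authorization Code + PKCE flow from step 3-D, with a loopback
listener standing in for ZDEW's. Added example, not ZDEW/NetFoundry code."""
import base64, hashlib, secrets, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

GOOGLE_AUTH = "https://accounts.google.com/o/oauth2/v2/auth"   # Google's authorization endpoint
GOOGLE_TOKEN = "https://oauth2.googleapis.com/token"            # Google's token endpoint
SCOPES = ["openid", "profile", "email"]                         # scopes from the signer config
LISTEN_PORT = 20314                                              # port the article says ZDEW uses
REDIRECT_URI = f"http://localhost:{LISTEN_PORT}/callback"        # assumed path; ZDEW's may differ

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def pkce_challenge(verifier):
    """S256 code_challenge per RFC 7636: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64u(hashlib.sha256(verifier.encode("ascii")).digest())

def new_pkce_pair():
    verifier = b64u(secrets.token_bytes(32))      # 43 URL-safe chars, inside the 43..128 range
    return verifier, pkce_challenge(verifier)

def build_auth_url(client_id, redirect_uri, state, challenge, nonce):
    """Authorization request the client opens in the browser. Only the challenge is sent;
    the verifier stays on the client until the token request."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
              "scope": " ".join(SCOPES), "state": state, "nonce": nonce,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{GOOGLE_AUTH}?{urlencode(params)}"

def parse_redirect(path, expected_state):
    """Extract the authorization code from the redirect, refusing a wrong or missing state."""
    qs = parse_qs(urlparse(path).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this login attempt")
    if "error" in qs:
        raise ValueError(f"provider returned error: {qs['error'][0]}")
    if "code" not in qs:
        raise ValueError("redirect carries no authorization code")
    return qs["code"][0]

def token_request_body(client_id, code, verifier, redirect_uri):
    """Form body POSTed to GOOGLE_TOKEN. A UWP/desktop client is a public client: the PKCE
    verifier takes the place of a client secret, so none is sent."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "code_verifier": verifier}

class LoopbackServer:
    """Accept exactly one browser redirect on 127.0.0.1:<port> and capture the code."""
    def __init__(self, expected_state, port=LISTEN_PORT):
        self.result = self.error = None
        outer = self
        class Handler(BaseHTTPRequestHandler):
            def log_message(self, *args): pass   # keep the demo quiet
            def do_GET(self):
                try:
                    outer.result = parse_redirect(self.path, expected_state)
                    status, body = 200, b"Signed in; you can close this tab."
                except ValueError as exc:
                    outer.error, status, body = str(exc), 400, str(exc).encode()
                self.send_response(status)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
        self.httpd = HTTPServer(("127.0.0.1", port), Handler)
        self.port = self.httpd.server_port               # actual port (matters when port=0)
        self.thread = threading.Thread(target=self.httpd.handle_request, daemon=True)
        self.thread.start()

    def wait(self, timeout=120):
        """Block until the redirect arrives (or the timeout); return the code or raise."""
        self.thread.join(timeout)
        self.httpd.server_close()
        if self.error:
            raise ValueError(self.error)
        return self.result

def simulate_browser(url):
    """Stand-in for the browser following Google's redirect to the loopback listener."""
    try:
        return urllib.request.urlopen(url, timeout=5).status
    except urllib.error.HTTPError as exc:
        return exc.code

if __name__ == "__main__":                          # "YOUR_CLIENT_ID" is a placeholder
    verifier, challenge = new_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print("open in browser:", build_auth_url("YOUR_CLIENT_ID", REDIRECT_URI, state, challenge, nonce))
    code = LoopbackServer(state).wait()
    print("POST", GOOGLE_TOKEN, token_request_body("YOUR_CLIENT_ID", code, verifier, REDIRECT_URI))
```

Two properties of this flow are worth noting against the article's description. First, the listener only accepts a redirect carrying the state it generated, so a stray or attacker-supplied request to port 20314 cannot inject a code into the login. Second, because the client is public, the only secret binding the authorization code to this client is the PKCE verifier; the ID token that results is then what the controller checks against the JWT signer from step 2-A.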

