IDP Authorization for Ziti Desktop Edge for Mac (ZDE)

Starting with version 2.51 of the Ziti Desktop Edge for Mac (ZDE) and network version 7.5.4, NetFoundry has added support for authenticating identities with IDPs via OIDC. This feature allows our customers to simplify the identity enrollment process and authenticate identities via the organization's IDP.

The IDP can be any OIDC-compliant IDP, such as Okta, Google, Auth0, EntraID, etc. Via the external JWT signer functionality, authentication policies can be created in the network that allow IDPs to act as external JWT signers. Identities can then be configured to authenticate via the authentication policy created for the IDP. Note that identities are created with the default authentication policy unless a specific auth policy is selected.

In this guide we take you through the steps involved in enrolling an identity with Ziti Desktop Edge for Mac (ZDE) using the external provider. This will enable Mac ZDE to authenticate with the authentication provider.

The steps involved in setting up an OIDC-compliant IDP, such as EntraID, Okta, Google, etc., as an external authentication provider for a network can be found in the Identities section.

Adding the Identity

If the OIDC Authentication details are not shown on the identity's detail page, please contact our support.

You can also construct the 'Controller URL for OIDC Authentication' yourself by appending '-p' to your controller's hostname, as shown below:

https://107ysnr-dy7f-7196-z001-k09abc6688bc-p.production.netfoundry.io

To add an identity to Mac ZDE by URL, first click the "+" button in the bottom right of the Mac ZDE screen and select the "With URL" option.

A dialog will appear. Enter a valid https controller URL in the controller URL field and click "Ok".

Then click Enroll.

Click the authorize icon and you will be redirected to the IDP's authentication page.

  • After successfully completing the authentication with the external provider, the browser will redirect to the listening port and complete the authentication flow.
  • The user will be shown a screen similar to the one pictured. The first time this screen is shown in a browser session, it will not close automatically. Subsequent authentication events should result in the tab closing automatically.

Authenticated Identity

  • Finally, the user will see the services loaded, as shown for an authenticated identity.
