Need a way to enroll SDK identities with IDP authentication #1352
Possibly have a stable JWT for each JWT signer with all needed information -- controller address, IDP URL, etc.

Comments

Sounds useful, but only for OIDC claims because x509 claims do not presume a particular protocol for submitting a CSR, so it's treated as an out-of-band concern. Both OIDC ("external JWT signer") and x509 claims use the Identity property. Suppose we implement a stable (not secret, reusable) JWT to deliver configuration to the client. In that case, we should probably avoid naming the event representing consumption of that JWT "enrollment" because enrollment today always means registering a client authentication certificate fingerprint with the Ziti Controller, whether the Edge Enrollment CA or an External CA issued that certificate. This JWT consumption event is an authentic configuration event, not an enrollment per se. TL;DR: We should call it a "claim," or anything other than "enrollment."

I'd like to include a flow where the user only needs to know a single URL, similar to what happens with BrowZer. The user can be handed that URL out-of-band. When they hit it, the dance with the IdP is kicked off. Distributing that info in a JWT is a fine option, but hopefully not required.

Also see #2324

Closing as a dupe of: #2324