Authentication with external CA and ext-jwt-signer

to be able to enroll multiple devices (let’s say a Mac and a PC) for a single user.

If you mean “single user” to mean “single identity”: identities in OpenZiti are rooted in a history of being one application. That application can run host wide (e.g. a tunneler intercepting traffic) or a workload (like an application or intermittently running process). They are not currently designed to be used in the way you are describing. As @TheLumberjack said, we have talked about adding a grouping above identities to support this, but there has not been much desire expressed. As a small fact, identities were originally named devices in the very early days of OpenZiti but were renamed after they didn’t match 1:1 with actual host devices.

however, since the externalId is unique, I’m unable to associate two Ziti identities (two devices) with a single IdP account (my user)

This is due to the lack of the layer above identities for grouping. externalIds map back to a single identity due to the original use case of primary authentication. In the context of secondary authentication with multiple identities, the unique constraint on externalId blocks your use case.

I can’t simply remove the constraint, as it breaks primary authentication. I could add a secondaryExternalId that is only used during secondary auth checks that is not unique. I haven’t thought deeply enough to just do this however. It does add yet another field with yet another configuration setup. It would also potentially break existing implementations if the logic hard swapped. The logical end game is then adding a toggle of which external id to use (externalId vs secondaryExternalId and default unconfigured setups to externalId). However this adds yet another layer of complexity. I would like to spend some time thinking about this as adding a grouping above identities could do the same thing.

primary external JWT on auth policy is disabled

This error message appears in two places in the controller.

The first is when the primary authentication method is ext-jwt and the identity's auth policy doesn’t allow it. This most likely happens with configurations that do ext-jwt as primary authentication instead of cert with a secondary factor of ext-jwt. I’d verify that whatever is attempting to authenticate is configured correctly or provide details here so we can provide assistance. This would occur during authentication.

The second is when defining an external JWT signer with enrollToToken enabled. I doubt this is your use case, but I included it for completeness. The error would occur when creating an external JWT signer.

So Where Does That Leave Us?

Sadly, I don’t have a great way to thread the needle with the current functionality in OpenZiti for exactly what you wish. However, your use case has brought up some things to improve OpenZiti’s human+device capabilities.

As of now the easiest thing you could do is not use device based certificates and solely rely on your IdP. However, I feel like this is not sufficient for your use case as you stated that you want to restrict based on device. It would not be easy to transition out of, say to certs as primary auth and your IdP as secondary.

Another option is to use 3rd Party CAs w/ custom x509 certificate claims and not use your IdP as a secondary factor. This would require you to run your own PKI and issue certificates to your devices. However, what you can do is embed externalIds in various fields (common name, SANs, etc.) and dynamically match certificates to identities. This would allow multiple applications/devices to map to a single identity. However you would not have your IdP providing enforcement as well unless OpenZiti is improved. You would, however, be able to add that later w/o issue if the capabilities are added.
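Added illustration of the last option (this is not code from the post or from OpenZiti): a small claim extractor that pulls an externalId out of a certificate field so that two device certificates (a Mac and a PC) resolve to the same identity, while a certificate from another domain resolves to none. The claim-config shape, the field names and the sample certificates are my own constructed assumptions, not the controller's configuration format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ExternalIdClaim:
    """Assumed config: where in the cert the externalId lives and how to derive it."""
    location: str          # "COMMON_NAME", "SAN_EMAIL" or "SAN_URI" (assumed names)
    matcher: str = "ALL"   # "ALL", "PREFIX" or "SUFFIX": which field values are eligible
    criteria: str = ""     # prefix/suffix text used by PREFIX/SUFFIX
    parser: str = "NONE"   # "NONE" keeps the value, "SPLIT" takes one element of it
    separator: str = ""    # separator used by SPLIT
    index: int = 0         # which SPLIT element is the externalId

def candidate_values(cert: dict, location: str) -> list:
    """Pull the certificate field(s) the claim config points at."""
    if location == "COMMON_NAME":
        return [cert["common_name"]]
    if location == "SAN_EMAIL":
        return list(cert.get("san_email", []))
    if location == "SAN_URI":
        return list(cert.get("san_uri", []))
    raise ValueError(f"unsupported claim location: {location}")

def extract_external_id(cert: dict, claim: ExternalIdClaim):
    """Return the first externalId the claim config yields, or None if nothing matches."""
    for value in candidate_values(cert, claim.location):
        if claim.matcher == "PREFIX" and not value.startswith(claim.criteria):
            continue
        if claim.matcher == "SUFFIX" and not value.endswith(claim.criteria):
            continue
        if claim.parser == "SPLIT":
            parts = value.split(claim.separator)
            if len(parts) <= claim.index:
                continue
            return parts[claim.index]
        return value
    return None

def resolve_identity(cert: dict, claim: ExternalIdClaim, identities: dict):
    """Map a presented certificate to an identity name via its externalId (None = no match)."""
    ext_id = extract_external_id(cert, claim)
    return identities.get(ext_id) if ext_id else None

# Constructed sample data: fields a parser would pull from three device certificates,
# and an identity store keyed by externalId (one identity, two devices).
MAC_CERT = {"common_name": "alice-macbook", "san_email": ["alice@example.com"], "san_uri": []}
PC_CERT = {"common_name": "alice-pc", "san_email": ["alice@example.com"], "san_uri": []}
OTHER_CERT = {"common_name": "mallory-pc", "san_email": ["mallory@other.org"], "san_uri": []}
IDENTITIES = {"alice@example.com": "alice-identity"}
EMAIL_CLAIM = ExternalIdClaim(location="SAN_EMAIL", matcher="SUFFIX", criteria="@example.com")
CN_CLAIM = ExternalIdClaim(location="COMMON_NAME", parser="SPLIT", separator="-", index=0)
```

Both EMAIL_CLAIM and CN_CLAIM map MAC_CERT and PC_CERT to the same principal; OTHER_CERT fails the SUFFIX matcher and is not mapped to any identity.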