On Thu, 14 Dec 2023, Alexander Bokovoy via FreeIPA-users wrote:
On Thu, 14 Dec 2023, Russ Long via FreeIPA-users wrote:
I'm working on trying to set up an external IDP using Zitadel, a newer open
source IDP.
I honestly don't know enough about OIDC to figure out why this isn't working
properly, so I'm hoping someone with some OIDC knowledge might be able to help
me out.
IDP config in freeipa:
rlong@master:~$ ipa idp-show Zitadel
Identity Provider reference name: Zitadel
Authorization URI: https://DOMAIN.COM/oauth/v2/authorize
Device authorization URI: https://DOMAIN.COM/oauth/v2/device_authorization
Token URI: https://DOMAIN.COM/oauth/v2/token
User info URI: https://DOMAIN.COM/oidc/v1/userinfo
Client identifier: CLIENT_ID
Scope: name email profile
External IdP user identifier attribute: name
Testing user is set up for External IDP authentication, using the Username from
Zitadel.
I might be missing where to look for errors, but I can't even find any
errors when I attempt to ssh to a host using the testing user.
Chapter 12 of the FreeIPA workshop covers troubleshooting as well:
https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.html
I assume you did associate the Zitadel IdP with a specific user account
and allowed that user to use 'idp' authentication type:
https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.html#associate-idp-reference-with-ipa-user
The rest please see in the troubleshooting section.
Another (obvious, right?) thing to check is that your IPA client (ssh
server) system actually has support for the idp pre-authentication method.
This means it has an SSSD that provides this krb5 pre-authentication
method: https://sssd.io/release-notes/sssd-2.7.0.html or later.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
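One more check a practitioner can run before digging into SSSD logs, added here as an illustration and not code from the thread or from FreeIPA: compare the `ipa idp-show` values quoted above with what the provider publishes in its OpenID discovery document (endpoint URIs, supported grant types, scopes and claims). The discovery document below is a constructed stand-in for `https://DOMAIN.COM/.well-known/openid-configuration`; in practice it is fetched from the real provider. The `openid` scope check reflects the OpenID Connect Core requirement that every OIDC authentication request include that scope.

```python
import json
# Constructed sample of the thread's `ipa idp-show Zitadel` output
# (DOMAIN.COM and CLIENT_ID are the thread's own placeholders).
IDP_SHOW = """\
Identity Provider reference name: Zitadel
Authorization URI: https://DOMAIN.COM/oauth/v2/authorize
Device authorization URI: https://DOMAIN.COM/oauth/v2/device_authorization
Token URI: https://DOMAIN.COM/oauth/v2/token
User info URI: https://DOMAIN.COM/oidc/v1/userinfo
Client identifier: CLIENT_ID
Scope: name email profile
External IdP user identifier attribute: name
"""
# Constructed stand-in for https://DOMAIN.COM/.well-known/openid-configuration;
# keys are standard OpenID Connect Discovery / RFC 8628 names, values hypothetical.
DISCOVERY = json.loads("""{
  "authorization_endpoint": "https://DOMAIN.COM/oauth/v2/authorize",
  "device_authorization_endpoint": "https://DOMAIN.COM/oauth/v2/device_authorization",
  "token_endpoint": "https://DOMAIN.COM/oauth/v2/token",
  "userinfo_endpoint": "https://DOMAIN.COM/oidc/v1/userinfo",
  "grant_types_supported": ["authorization_code", "urn:ietf:params:oauth:grant-type:device_code"],
  "scopes_supported": ["openid", "profile", "email"],
  "claims_supported": ["sub", "name", "preferred_username", "email"]
}""")
# idp-show label -> discovery key that must carry the same endpoint
URI_FIELDS = {"Authorization URI": "authorization_endpoint",
              "Device authorization URI": "device_authorization_endpoint",
              "Token URI": "token_endpoint",
              "User info URI": "userinfo_endpoint"}
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

def parse_idp_show(text):
    # Turn the 'Label: value' lines of idp-show output into a dict.
    return dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)

def check_idp(idp, disc):
    # List mismatches between the IPA IdP entry and the provider's discovery doc.
    problems = []
    for label, key in URI_FIELDS.items():
        if idp.get(label) != disc.get(key):
            problems.append(f"{label} differs from {key}")
    if DEVICE_GRANT not in disc.get("grant_types_supported", []):
        problems.append("provider does not advertise the device_code grant")
    scopes = idp.get("Scope", "").split()
    if "openid" not in scopes:  # OIDC Core requires this scope to be requested
        problems.append("Scope lacks 'openid'")
    problems += [f"scope '{s}' not in scopes_supported"
                 for s in scopes if s not in disc.get("scopes_supported", [])]
    attr = idp.get("External IdP user identifier attribute", "")
    if attr not in disc.get("claims_supported", []):
        problems.append(f"claim '{attr}' not in claims_supported")
    return problems
```

Run against the sample, the check reports that the configured scope list lacks `openid` and that `name` is not a scope the provider advertises, while all four URIs and the identifier claim line up.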
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]