I'm working on trying to set up an external IDP using Zitadel, a newer open-source IDP.
I honestly don't know enough about OIDC to figure out why this isn't working properly, so I'm hoping someone with some OIDC knowledge might be able to help me out.
IDP config in freeipa:

rlong@master:~$ ipa idp-show Zitadel
  Identity Provider reference name: Zitadel
  Authorization URI: https://DOMAIN.COM/oauth/v2/authorize
  Device authorization URI: https://DOMAIN.COM/oauth/v2/device_authorization
  Token URI: https://DOMAIN.COM/oauth/v2/token
  User info URI: https://DOMAIN.COM/oidc/v1/userinfo
  Client identifier: CLIENT_ID
  Scope: name email profile
  External IdP user identifier attribute: name
The testing user is set up for External IDP authentication, using the Username from Zitadel.
I might be missing where to look for errors, but I can't even find any errors when I attempt to ssh to a host using the testing user.
Thanks, Russ
On Thu, 14 Dec 2023, Russ Long via FreeIPA-users wrote:
> I'm working on trying to set up an external IDP using Zitadel, a newer open-source IDP.
> I honestly don't know enough about OIDC to figure out why this isn't working properly, so I'm hoping someone with some OIDC knowledge might be able to help me out.
> IDP config in freeipa:
>
> rlong@master:~$ ipa idp-show Zitadel
>   Identity Provider reference name: Zitadel
>   Authorization URI: https://DOMAIN.COM/oauth/v2/authorize
>   Device authorization URI: https://DOMAIN.COM/oauth/v2/device_authorization
>   Token URI: https://DOMAIN.COM/oauth/v2/token
>   User info URI: https://DOMAIN.COM/oidc/v1/userinfo
>   Client identifier: CLIENT_ID
>   Scope: name email profile
>   External IdP user identifier attribute: name
>
> The testing user is set up for External IDP authentication, using the Username from Zitadel.
> I might be missing where to look for errors, but I can't even find any errors when I attempt to ssh to a host using the testing user.
Chapter 12 of the FreeIPA workshop covers troubleshooting as well: https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.ht...
I assume you did associate the Zitadel IdP with a specific user account and allowed that user to use 'idp' authentication type: https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.ht...
For the rest, please see the troubleshooting section.
On Thu, 14 Dec 2023, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 14 Dec 2023, Russ Long via FreeIPA-users wrote:
> > I'm working on trying to set up an external IDP using Zitadel, a newer open-source IDP.
> > I honestly don't know enough about OIDC to figure out why this isn't working properly, so I'm hoping someone with some OIDC knowledge might be able to help me out.
> > IDP config in freeipa:
> >
> > rlong@master:~$ ipa idp-show Zitadel
> >   Identity Provider reference name: Zitadel
> >   Authorization URI: https://DOMAIN.COM/oauth/v2/authorize
> >   Device authorization URI: https://DOMAIN.COM/oauth/v2/device_authorization
> >   Token URI: https://DOMAIN.COM/oauth/v2/token
> >   User info URI: https://DOMAIN.COM/oidc/v1/userinfo
> >   Client identifier: CLIENT_ID
> >   Scope: name email profile
> >   External IdP user identifier attribute: name
> >
> > The testing user is set up for External IDP authentication, using the Username from Zitadel.
> > I might be missing where to look for errors, but I can't even find any errors when I attempt to ssh to a host using the testing user.
> Chapter 12 of the FreeIPA workshop covers troubleshooting as well: https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.ht...
> I assume you did associate the Zitadel IdP with a specific user account and allowed that user to use 'idp' authentication type: https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.ht...
> For the rest, please see the troubleshooting section.
Another (obvious, right?) thing to check is that your IPA client (ssh server) system actually has support for the idp pre-authentication method. This means it has an SSSD that provides this krb5 pre-authentication method: https://sssd.io/release-notes/sssd-2.7.0.html or later.
Thanks Alexander.
I did associate the IDP with the user account, and allowed that user to use the idp auth type.
That troubleshooting section helped; I was able to find this response after increasing the OIDC debug level:
{"error":"unauthorized_client","error_description":"client missing grant type authorization_code"}
I'm unsure if this is something I need to change on the IPA or zitadel side.
The clients do support the krb5 preauth; they are all Fedora 39, fully updated.
On Thu, 14 Dec 2023, Russ Long via FreeIPA-users wrote:
> Thanks Alexander.
> I did associate the IDP with the user account, and allowed that user to use the idp auth type.
> That troubleshooting section helped; I was able to find this response after increasing the OIDC debug level:
> {"error":"unauthorized_client","error_description":"client missing grant type authorization_code"}
> I'm unsure if this is something I need to change on the IPA or zitadel side.
On the Zitadel side. See https://zitadel.com/docs/guides/solution-scenarios/device-authorization for an example of configuring the OIDC client on the Zitadel side. Note that you should add the grant for 'Device Code'.
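As an added illustration (not code from this thread, nor from FreeIPA, SSSD or Zitadel): the OAuth 2.0 device authorization grant (RFC 8628) that the idp pre-authentication method relies on, driven against the endpoint URLs from the `ipa idp-show` output above, with the token-endpoint error bodies mapped to what an admin should check. The `HINTS` wording, `http_post` and the polling loop are my own assumptions about a reasonable client; SSSD's real implementation may differ in detail.

```python
import json
import time
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# Final (non-retryable) errors, read the way a troubleshooter would (assumed wording).
HINTS = {
    "unauthorized_client": "the IdP's OIDC application lacks the device code grant "
                           "(in Zitadel: add the 'Device Code' grant type)",
    "access_denied": "the user declined the request at the verification page",
}

def http_post(url, form):
    """Real transport: form-encoded POST returning the JSON body, also on 4xx,
    which is where OAuth error bodies such as unauthorized_client arrive."""
    req = Request(url, data=urlencode(form).encode(), method="POST")
    try:
        with urlopen(req) as resp:
            return json.load(resp)
    except HTTPError as err:
        return json.load(err)

def diagnose(resp):
    err = resp.get("error", "unknown")
    return {"error": err, "description": resp.get("error_description", ""),
            "hint": HINTS.get(err, "check the OIDC client configuration on the IdP")}

def run_device_flow(post, device_uri, token_uri, client_id, scope,
                    sleep=time.sleep, max_polls=30):
    """RFC 8628 device authorization grant: start it, show the user code, then poll
    the token endpoint. Returns ("ok", tokens) or ("error", diagnosis)."""
    start = post(device_uri, {"client_id": client_id, "scope": scope})
    if "error" in start:
        return "error", diagnose(start)
    print(f"Open {start['verification_uri']} and enter code {start['user_code']}")
    interval = int(start.get("interval", 5))
    for _ in range(max_polls):
        resp = post(token_uri, {"grant_type": DEVICE_GRANT, "client_id": client_id,
                                "device_code": start["device_code"]})
        if "access_token" in resp:
            return "ok", resp
        if resp.get("error") == "slow_down":      # RFC 8628 section 3.5: back off 5 s
            interval += 5
        elif resp.get("error") != "authorization_pending":
            return "error", diagnose(resp)
        sleep(interval)
    return "error", {"error": "timeout", "hint": "no approval within the polling budget"}
```

Calling `run_device_flow(http_post, "https://DOMAIN.COM/oauth/v2/device_authorization", "https://DOMAIN.COM/oauth/v2/token", "CLIENT_ID", "name email profile")` against an application without the Device Code grant returns the unauthorized_client diagnosis, while with the grant enabled it prints the user code and returns the tokens once the user approves.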
AHA! That did it. Changing to "Device Code" was what I needed.
I will get a FreeIPA docs PR together with an example of this setup if you think that would be useful for others.
Thank you so much!
--Russ
On Thu, 14 Dec 2023, Russ Long via FreeIPA-users wrote:
> AHA! That did it. Changing to "Device Code" was what I needed.
> I will get a FreeIPA docs PR together with an example of this setup if you think that would be useful for others.
We don't really have IdP-specific documents. The workshop session uses Keycloak to simplify the demo setup. What you can do is submit a pull request to the FreeIPA website, https://github.com/freeipa/freeipa.github.io/tree/main/src/page, into one of the howto chapters.
freeipa-users@lists.fedorahosted.org