Thoughts on Business SSO integration with Azure AD

We’ve started integrating Azure AD SSO with some of the products we work with. Naturally, I’m very curious on how ZeroTier One could be integrated with Azure AD. Assuming the Azure AD account is MFA enforced, this may help ZeroTier One meet MFA remote access requirements being leveraged by insurance companies. I wanted to start a discussion on how this could be done, as the current SSO configuration guidance from ZeroTier is quite sparse (probably because it’s so new).

Idea #1: Integrate directly with Azure AD
ZeroTier One ← OIDC → Azure AD

ZeroTier One supports OIDC for SSO. Azure AD seems to work better with SAML, not OIDC. The Microsoft documentation on OIDC isn’t great. The preferred method is to add the pre-registered vendor app from the Azure AD Gallery. ZeroTier hasn’t registered an SSO app in the Gallery yet, and I wouldn’t hold my breath for this. The other option is to register the app yourself. This is probably the best way to go, but I’m not experienced enough with OIDC to understand what’s happening here.

This guide shows how to set up Azure AD as an OIDC identity provider on Keycloak. It seems you need to create a certificate in Azure AD (that expires after 1-3 yrs), and then load that cert into Keycloak. Because of the certificate, I’m not sure if these instructions can be adapted to the ZeroTier One client.

Idea #2: Use Keycloak as a middleman between ZeroTier One and Azure AD
ZeroTier One ← OIDC → Keycloak ← SAML → Azure AD

Using Azure AD as a SAML identity provider doesn’t require a certificate to be set up, as seen in this guide on how to set up Azure AD as a SAML identity provider on Keycloak. That’s great for sustainability, since we don’t have to worry about rotating/renewing the cert. Since ZeroTier One doesn’t support SAML, we would need to use an intermediary like Keycloak. The second half of this guide shows how to configure an OIDC-compatible app (HCL Compass) to use Keycloak for SSO. I feel like this has a higher chance of success than doing SSO to Azure AD directly. The downside is that you need to stand up, host and maintain a high-availability Keycloak server.


#1 is probably the way to go where you register the app yourself, and set the callback URL to http://localhost:9993/sso. That’s to pass the code & token to ZeroTier itself so it can do its magic & auth you on the network. Also ensure that it supports PKCE.

From there, all you need to enter on the Central Account page is the Client ID & Issuer URL and you should be good to go.

Keycloak does work as a SAML middleman as well. We use that internally to connect our Google Workspace accounts (because Google Workspace’s SPA config doesn’t support PKCE yet :man_facepalming: )
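An added example, not part of either post, that checks an OIDC discovery document for what the reply above says the client needs (a PKCE-capable authorization code flow) and builds the authorization request with the http://localhost:9993/sso callback. The discovery document is a constructed sample shaped like an Azure AD v2.0 one with a placeholder tenant id, and the scope list is an assumption.

```python
# Added example, not ZeroTier's code: pre-flight checks for an OIDC issuer.
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

ZT_CALLBACK = "http://localhost:9993/sso"  # callback URL from the reply above
TENANT = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER"  # placeholder
SAMPLE_DISCOVERY = json.dumps({  # constructed sample; real one is at <issuer>/.well-known/openid-configuration
    "issuer": TENANT + "/v2.0",
    "authorization_endpoint": TENANT + "/oauth2/v2.0/authorize",
    "token_endpoint": TENANT + "/oauth2/v2.0/token",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "code_challenge_methods_supported": ["S256"],
})

def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def check_discovery(doc_json, issuer_url):
    """List problems that would break the PKCE authorization-code flow the client uses."""
    doc = json.loads(doc_json)
    problems = []
    if doc.get("issuer") != issuer_url:
        problems.append("issuer mismatch: %r" % doc.get("issuer"))
    for key in ("authorization_endpoint", "token_endpoint"):
        if key not in doc:
            problems.append("missing " + key)
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    methods = doc.get("code_challenge_methods_supported")
    if methods is None:  # some IdPs support PKCE without advertising it
        problems.append("PKCE support not advertised; verify manually")
    elif "S256" not in methods:
        problems.append("PKCE S256 not supported")
    return problems

def build_authorize_url(doc_json, client_id, state, challenge):
    """Authorization request as the client would send it (scope list is assumed)."""
    doc = json.loads(doc_json)
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": ZT_CALLBACK, "scope": "openid profile email",
              "state": state, "code_challenge": challenge, "code_challenge_method": "S256"}
    return doc["authorization_endpoint"] + "?" + urlencode(params)
```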

Thanks for the feedback @zt-grant! We still need to get our billing updated to the new model, so I can’t test this out just yet. But looking forward to playing with this in the near future.