We’ve started integrating Azure AD SSO with some of the products we work with. Naturally, I’m very curious about how ZeroTier One could be integrated with Azure AD. Assuming the Azure AD account is MFA enforced, this may help ZeroTier One meet MFA remote access requirements being leveraged by insurance companies. I wanted to start a discussion on how this could be done, as the current SSO configuration guidance from ZeroTier is quite sparse (probably because it’s so new).
Idea #1: Integrate directly with Azure AD
ZeroTier One ← OIDC → Azure AD
ZeroTier One supports OIDC for SSO. Azure AD seems to work better with SAML, not OIDC. The Microsoft documentation on OIDC isn’t great. The preferred method is to add the pre-registered vendor app from the Azure AD Gallery. ZeroTier hasn’t registered an SSO app in the Gallery yet, and I wouldn’t hold my breath for this. The other option is to register the app yourself. This is probably the best way to go, but I’m not experienced enough with OIDC to understand what’s happening here.
This guide shows how to set up Azure AD as an OIDC identity provider on Keycloak. It seems you need to create a certificate in Azure AD (that expires after 1-3 years), and then load that cert into Keycloak. Because of the certificate, I’m not sure if these instructions can be adapted to the ZeroTier One client.
Idea #2: Use Keycloak as a middleman between ZeroTier One and Azure AD
ZeroTier One ← OIDC → Keycloak ← SAML → Azure AD
Using Azure AD as a SAML identity provider doesn’t require a certificate to be set up, as seen in this guide on how to set up Azure AD as a SAML identity provider on Keycloak. That’s great for sustainability, since we don’t have to worry about rotating/renewing the cert. Since ZeroTier One doesn’t support SAML, we would need to use an intermediary like Keycloak. The second half of this guide shows how to configure an OIDC-compatible app (HCL Compass) to use Keycloak for SSO. I feel like this has a higher chance of success than doing SSO to Azure AD directly. The downside is that you need to stand up, host and maintain a high-availability Keycloak server.
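Added example, not part of the original post or of ZeroTier's own code: a Python policy check for the OIDC ID token Azure AD issues in the Idea #1 flow, confirming the token came from the expected tenant and app registration and that Azure AD's amr claim records an MFA sign-in (the MFA requirement mentioned at the top). The tenant id, client id and token contents are constructed placeholders, and the code only decodes claims; it assumes the OIDC library has already verified the token signature.

```python
import base64
import json
import time

# Constructed sample values (not from the original post): an Azure AD tenant id
# and the client id of a hypothetical app registration for ZeroTier One.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

def _b64url_decode(segment: str) -> bytes:
    # Restore the '=' padding that JWT base64url encoding strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a JWT. No signature check happens here:
    run this policy check only after the OIDC library has verified the token
    against the issuer's JWKS."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token must have header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def check_mfa_policy(claims: dict, now=None) -> list:
    """Return policy failures (empty list = acceptable). Azure AD records the
    authentication methods used in 'amr'; a password-only sign-in yields
    ['pwd'] with no 'mfa' entry."""
    now = time.time() if now is None else now
    failures = []
    if claims.get("iss") != EXPECTED_ISSUER:
        failures.append("issuer is not the expected Azure AD tenant")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        failures.append("audience does not match this app registration")
    if claims.get("exp", 0) <= now:
        failures.append("token has expired")
    if "mfa" not in claims.get("amr", []):
        failures.append("no MFA method in 'amr': MFA was not enforced at sign-in")
    return failures

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for offline demonstration only."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

# Constructed claim sets: one from an MFA sign-in, one password-only.
MFA_CLAIMS = {"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "exp": 4102444800,
              "sub": "user-1", "amr": ["pwd", "mfa"]}
PWD_ONLY_CLAIMS = {**MFA_CLAIMS, "amr": ["pwd"]}
```

In the Idea #2 chain the token ZeroTier One sees is minted by Keycloak, so an equivalent check there depends on Keycloak mapping the upstream authentication-method assertion into its own token.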