Zitadel role in Pomerium policy

pschiffe · August 1, 2023, 5:03pm

Hello,

I’m trying to use https://zitadel.com/ as IDP, which works, but they don’t support Groups of users, just Roles. If you want to include Roles in the ID token, you can ask for urn:zitadel:iam:org:project:roles scope, and you should receive something like

"urn:zitadel:iam:org:project:roles": {
    "cfo": {
      "223281939119866113": "corporate.user-authorizations-io8epz.zitadel.cloud"
    },
    "corporate member": {
      "223279178798072065": "org-a.user-authorizations-io8epz.zitadel.cloud",
      "223279223391912193": "org-b.user-authorizations-io8epz.zitadel.cloud"
    }
  }

There’s more information available here: Retrieve user roles | ZITADEL Docs

My question is, do you have any ideas how to use this in Pomerium’s policy? ie to match users based on cfo role from above.

Thank you.

pschiffe · August 1, 2023, 6:51pm

This solves it: Configuring Custom Claims in ZITADEL

And modifying the last line of that script to api.v1.claims.setClaim('groups', grants) fills roles as groups in the token.

Topic		Replies	Views
Using groups claim in PPL to use group-based access Support	1	299	November 29, 2022
Claim set and allowed in policy, but authentication still fails Support	5	520	January 11, 2023
PPL with AWS Cognito Groups Support idp	0	341	January 5, 2022
Using Claims in PPL Support idp	5	544	October 20, 2021
Use downstream identity provider's token directly (JWT Forwarding) Support idp	1	388	November 1, 2021

Zitadel role in Pomerium policy

Related topics