Zitadel role in Pomerium policy

pschiffe · August 1, 2023, 5:03pm

Hello,

I’m trying to use https://zitadel.com/ as IDP, which works, but they don’t support Groups of users, just Roles. If you want to include Roles in the ID token, you can ask for urn:zitadel:iam:org:project:roles scope, and you should receive something like

"urn:zitadel:iam:org:project:roles": {
    "cfo": {
      "223281939119866113": "corporate.user-authorizations-io8epz.zitadel.cloud"
    },
    "corporate member": {
      "223279178798072065": "org-a.user-authorizations-io8epz.zitadel.cloud",
      "223279223391912193": "org-b.user-authorizations-io8epz.zitadel.cloud"
    }
  }

There’s more information available here: Retrieve user roles | ZITADEL Docs

My question is, do you have any ideas how to use this in Pomerium’s policy? ie to match users based on cfo role from above.

Thank you.

pschiffe · August 1, 2023, 6:51pm

This solves it: Configuring Custom Claims in ZITADEL

And modifying the last line of that script to api.v1.claims.setClaim('groups', grants) fills roles as groups in the token.

Topic		Replies	Views
Use downstream identity provider's token directly (JWT Forwarding) Support idp	1	319	November 1, 2021
Freja eID support, and custom auth params Integrations oss , identity-provider , oidc	0	279	November 24, 2021
Concept: allow anyone to my SSO for user ID after verifying device Support	1	523	June 20, 2023
Pulling Avatars from Azure AD Support	0	257	November 1, 2021
Using Keycloak as an identity provider with Pomerium Support idp	0	399	December 27, 2021

Zitadel role in Pomerium policy

Related Topics