Selfhosted Netbird w/ Zitadel - cross domain logins

Hey Hey! I am now setting up netbird again but with Zitadel. Everything works well for users that exist in the same organization as the netbird project, as in all their information is correctly pulled into netbird. However, I also need to allow external users to log in on a selective basis. I am planning on doing so by creating a new organization, let's call it "external-org", creating my external users in this org and then allowing them a role for netbird via organization grants. These new external users are able to log in okay, however their information is not pulled in correctly... Only their Zitadel user ID is pulled in, no email, no user name, nothing. Has anyone seen this or has any ideas on what I could do to allow external user info to be pulled in?

I am running Zitadel V3.0.4 and Netbird V0.43.3

Things I have already set up:
1. Given my external-org a grant to my netbird project in the default org. This grant allows the role "external-users" to be applied to, well, the external users. This allows my external users to log in to netbird.
2. In Zitadel, on my netbird project, I have selected the options "Assert Roles on Authentication" and "Check authorization on Authentication" to limit users who can log into netbird to only those who have the applicable roles applied to them.
3. In my netbird application, I have selected the token option "Add user roles to the access token".
4. In my external-org, I have made my netbird service user account an org user manager as well, as per this GitHub comment https://github.com/netbirdio/netbird/issues/2620#issuecomment-2567480880

Things I have tried to no avail:
1. Giving the external user a role directly from my netbird project in the default organization.
2. In my netbird application token settings, checking the options "User roles inside ID Token" and "User Info inside ID Token".

I have now run out of things to try. If anyone has any ideas, I would love to hear!
GitHub: Self-registered user in self-hosted environment (with Zitadel idP) ...
When a user registers himself, the user entry in Netbird does not show his name but his Zitadel ID. This happens when you create a new organization in Zitadel and grant access to Netbird to that orga...
5 Replies
jeevis (6d ago)
Not sure if this is helpful, but I use netbird with Keycloak, and whoever has an account on my keycloak can log into my netbird server. When they do for the first time, netbird first checks the domain to see if an account in the same domain exists. If it does exist, then it adds them to the same "group" as a User instead of an owner. If they do not, they get the "Owner" account of a new group. 2 exceptions to this. First is if they are using a public domain (gmail.com, hotmail.com, etc...), then they are given their own account. Second is if an invite is sent from a specific netbird account (I haven't used this one yet).
AYEEDITYA (OP, 6d ago)
What I am asking is different, but I do appreciate the response! When I say cross domain, I mean with respect to Zitadel; I guess you could say cross organization. Essentially my requirement is: In Zitadel, I have an organization (let's call it primary org) for my internal users that uses an external IDP like Google SSO to sign in. These are automatically assigned the role of "internal-user" within Zitadel and this role is then pulled into netbird for auto grouping using JWT token sync. This works wonderfully: my internal users, part of the primary org, are able to sign in with Google SSO, they are allocated the internal-user role (in Zitadel) and their account in netbird is created. Netbird also reflects this internal-user role as their group membership and also reflects their full name and email on the admin panel. All is dandy here while limited to the primary org where the netbird OIDC is also set up. Now where things get hairy is my requirement to allow external users. I am trying to give my external users access by first creating them manually in an isolated organization called external org. Here they are manually given the role "external-user". This org is given the grant to log into netbird. When an external user (after account creation and allocating them the role in Zitadel) logs into netbird via Zitadel, their account is created just fine and their role is also traversed to netbird for auto grouping in the external-user group. But the issue arises in pulling user info from Zitadel. Netbird is unable to pull the external user's full name and email from Zitadel; this is what I am trying to solve here.
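To make the role-to-group flow above concrete, here is a small Go program (an added example, not code from netbird or Zitadel) that decodes the claims an external user's token would carry once "Assert Roles on Authentication" and "Add user roles to the access token" are on. The claim name `urn:zitadel:iam:org:project:roles` is Zitadel's real one; the helper names, the token contents and the user/org IDs are constructed for illustration, and the name/email/sub fallback only mimics what the thread shows, not netbird's actual implementation. Note that the role claim is keyed by the ID of the org that granted the role, so a user from "external-org" shows up under the external org's ID even though the project lives in the default org.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ZitadelRolesClaim is the claim Zitadel adds when roles are asserted into the
// token. Its value maps role key -> {orgID: orgPrimaryDomain}; a role held via a
// project grant is keyed by the granted org's ID, not the project owner's org.
const ZitadelRolesClaim = "urn:zitadel:iam:org:project:roles"

// Claims is the subset of token claims that matter for group sync and display.
type Claims struct {
	Sub   string                       `json:"sub"`
	Email string                       `json:"email"` // "" when the claim is absent
	Name  string                       `json:"name"`  // "" when the claim is absent
	Roles map[string]map[string]string `json:"urn:zitadel:iam:org:project:roles"`
}

// ParseClaims decodes a compact JWT payload. It does NOT verify the signature:
// call it only on tokens already validated against the IdP's JWKS.
func ParseClaims(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("decoding claims: %w", err)
	}
	return &c, nil
}

// GroupsFromRoles maps each asserted role key to a group name, the way the
// role-to-group sync described above works. Sorted; nil when no role is held.
func GroupsFromRoles(c *Claims) []string {
	var groups []string
	for role := range c.Roles {
		groups = append(groups, role)
	}
	sort.Strings(groups)
	return groups
}

// GrantingOrgs lists the org IDs through which the user holds any role.
func GrantingOrgs(c *Claims) []string {
	seen := map[string]bool{}
	for _, orgs := range c.Roles {
		for id := range orgs {
			seen[id] = true
		}
	}
	ids := make([]string, 0, len(seen))
	for id := range seen {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// DisplayName mirrors the symptom in the thread: with no name or email in hand,
// the only thing left to show is the Zitadel user ID (hypothetical fallback).
func DisplayName(c *Claims) string {
	if c.Name != "" {
		return c.Name
	}
	if c.Email != "" {
		return c.Email
	}
	return c.Sub
}

// UnsignedToken builds an alg=none compact JWT from a claim set. Constructed test
// data only; a real verifier must never accept alg=none from a client.
func UnsignedToken(claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(hdr) + "." + enc.EncodeToString(body) + "."
}

func main() {
	// Constructed token for a user of "external-org": no name/email, role via grant.
	tok := UnsignedToken(map[string]any{"sub": "1042",
		ZitadelRolesClaim: map[string]map[string]string{"external-user": {"999": "external-org.example"}}})
	c, err := ParseClaims(tok)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s groups=%v orgs=%v\n", DisplayName(c), GroupsFromRoles(c), GrantingOrgs(c))
}
```

Running it prints the user ID as the display name (the thread's symptom) alongside the `external-user` group and the external org ID from the roles claim. In a real deployment the token must be signature-checked first; the decoder here is only for inspecting what the IdP asserted.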
jeevis (6d ago)
Ok, so it's already working for your main org, but this "external org" that you made is not giving the extra information about the user from the SSO?
AYEEDITYA (OP, 6d ago)
That's correct! As you see in this, the first 2 users are from my primary org and their full names and emails are pulled in, but the third user is from my external org, who is able to register but unable to traverse their full name and email to netbird.
AYEEDITYA (OP, 4d ago)
Okay, seems like there's no solution to this at the moment since NB is using the V1 API of Zitadel: https://github.com/netbirdio/netbird/issues/2620#issuecomment-2872313580