# SSO Configuration

## ZeroTier Central configuration

Note: SSO is currently only supported on desktop operating systems such as macOS and Windows. Support for iOS and Android, and better support for authenticating via the command line, is still to come.
### Update clients

Download and install ZeroTier 1.10.0 or greater on clients that will use SSO.
### Configure SSO in ZeroTier Central

Visit https://my-dev.zerotier.com/account and complete the SSO configuration toward the bottom of the page. You will need your SSO provider's Issuer URL as well as a Client ID.
### Configure SSO on individual networks

If you enable this on an existing network, you may accidentally block existing users. Please practice on a test network.
### Exclude specific devices from SSO requirements

This is useful for routers, servers, embedded devices, etc. You can do this from the wrench icon in the Members list.
## SSO provider configuration

- SSO Provider must support PKCE
- Requires the following scopes:
  - `openid`
  - `profile`
  - `email`
  - `offline_access`
- Configure the callback URL to `http://localhost:9993/sso`
## Provider Specific Configuration Notes

### Auth0

Please ensure the following fields are set on your Auth0 application config:

- Application Type: Native
- Token Endpoint Authentication Method: None
- Allowed Callback URL: http://localhost:9993/sso
- Under Advanced Settings -> Grant Types, ensure Implicit, Authorization Code, and Refresh Token are selected.
### Authelia

Authelia is a self-hosted SSO solution. ZeroTier uses PKCE, so the field `secret` must be an empty string and `public` must be true.

Note: Use of Authelia requires ZeroTierOne version 1.10.1 or greater. There is an incompatibility between the two in the 1.10.0 release.

Example client configuration:
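The client configuration that belongs at this point did not survive in this copy of the page, so the following is an added example rather than Authelia's or ZeroTier's own. It shows the two settings the text calls out (`secret` empty, `public` true) together with the scopes and callback URL listed under SSO provider configuration. The client `id`, `description`, `authorization_policy` value and the exact key names follow the Authelia `identity_providers.oidc.clients` schema as I know it from the 4.3x releases; treat them as assumptions to check against the schema of the Authelia version you run.

```yaml
# Added example: one public (PKCE) OIDC client entry for ZeroTier in Authelia's
# configuration.yml. Key names and values other than secret/public, the scopes
# and the redirect URI are assumptions to verify against your Authelia version.
identity_providers:
  oidc:
    clients:
      - id: zerotier                      # assumed client id; this is the Client ID entered in ZeroTier Central
        description: ZeroTier Central SSO # assumed
        secret: ''                        # must be an empty string (public PKCE client)
        public: true                      # must be true
        authorization_policy: two_factor  # assumed; one_factor also works if you do not enforce MFA
        redirect_uris:
          - http://localhost:9993/sso     # the ZeroTier client's local callback URL
        scopes:                           # the four scopes ZeroTier requires
          - openid
          - profile
          - email
          - offline_access
        grant_types:                      # offline_access needs refresh_token alongside the code grant
          - authorization_code
          - refresh_token
        response_types:
          - code
```

Because the client is public, anything that knows the client id can start an authorization request; what keeps the flow safe is PKCE on the client side plus Authelia only ever redirecting to the registered `http://localhost:9993/sso` URI, so leave the `redirect_uris` list exactly that narrow.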
### Azure AD

- Navigate to your directory in the Azure portal, and select "App Registrations" in the Manage column.
- Click "New Registration".
- Set the Name of the application, e.g. "ZeroTier Central SSO".
- Under Redirect URI:
  - Platform: Public client/native (mobile & desktop)
  - Set the Redirect URI to http://localhost:9993/sso
### Google Workspace

Google OAuth2/OIDC is not supported, as Google does not support PKCE clients at this time.
### Okta

- Application Type: Native
- Token Endpoint Authentication Method: None
- Allowed Callback URL: http://localhost:9993/sso
- Under Advanced Settings -> Grant Types, ensure Implicit, Authorization Code, and Refresh Token are selected.
### OneIdentity

OneIdentity may require manual whitelisting of the following scopes: `openid`, `profile`, `email`, `offline_access`.
## Customizing the Final SSO Flow Page

If you wish, you can customize the final view of the SSO login process.

Create the file `$ZEROTIER_HOME/sso-auth.template.html`.

Note: Any CSS or images must be hosted externally, or placed within the single HTML page itself.

You may customize the page to look however you wish. At this time there are only two template values set by ZeroTier:

- `networkId`
- `messageText`

Templates must be valid HTML, and the template values must be placed inside `{{ ... }}` blocks like so:

You may react to errors via the `isError` variable:
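The two template snippets that originally followed "like so:" and "variable:" are missing from this copy of the page, so here is an added example covering both; it is not the template shipped with ZeroTier. Only the `{{ ... }}` value syntax and the names `networkId`, `messageText` and `isError` come from the page. The `{% if isError %} ... {% else %} ... {% endif %}` block syntax is an assumption (it is what inja-style template engines use); check it against the default template in your ZeroTier installation before relying on it.

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>ZeroTier SSO</title>
  <!-- Added example template, not ZeroTier's own. Per the docs, CSS must be
       inline or hosted externally; inline keeps this single file self-contained. -->
  <style>
    body { font-family: sans-serif; margin: 3em auto; max-width: 40em; }
    .ok { color: #2e7d32; }
    .error { color: #c62828; }
  </style>
</head>
<body>
  <!-- Branch on isError. The {% ... %} block syntax is an assumption;
       the {{ ... }} value syntax and the variable names are from the docs. -->
  {% if isError %}
  <h1 class="error">Authentication failed</h1>
  <p>The SSO provider did not authorize this device for network <code>{{ networkId }}</code>.</p>
  <p class="error">{{ messageText }}</p>
  <p>Contact your network administrator, then try joining the network again.</p>
  {% else %}
  <h1 class="ok">Authentication complete</h1>
  <p>This device is now authorized on network <code>{{ networkId }}</code>.</p>
  <p>{{ messageText }}</p>
  <p>You can close this window and return to the ZeroTier client.</p>
  {% endif %}
</body>
</html>
```

Keep the page free of external scripts: it is served from the local ZeroTier service on `localhost:9993` at the end of the authorization code flow, so anything it loads runs with the user's browser session on that origin.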