
zID Configuration



Summary

zID is the integrated Identity and Access Management solution (based on Keycloak) for zMAN, providing user authentication, authorization, and federation capabilities including AD/LDAP sync and OAuth2/OpenID Connect support.

Key Features

  • User & Role Management: create tenants, realms, users, and map roles to user groups.
  • Federation: synchronize with Active Directory or LDAP servers for centralized credential management.
  • Single Sign-On (SSO): support for OAuth2 and OpenID Connect for zMAN UI and REST API access.
  • Multi-Factor Authentication: built-in support for TOTP, SMS, and hardware tokens.

Configuration Steps

  1. Access the zID admin console at https://<zMan-IP>/auth/admin.
  2. Log in with the initial admin credentials set during installation.
  3. To configure federation:
    • Navigate to your realm → **User Federation** → choose **ldap** or **Active Directory** provider.
    • Enter connection URL, bind DN, and bind credentials; test connection and sync settings.
  4. To set up SSO for the zMAN UI:
    • Under **Clients**, find or create the **zman-tenant** client.
    • Configure Redirect URIs (e.g., https://<zMan-IP>/zman-tenant/*), set Access Type to **confidential**, and define client roles.
  5. Define user roles under **Roles** (e.g., TenantAdmin, Operator) and map them to groups under **Groups** → **Client Roles**.
  6. Test by logging into the zMAN UI with a federated or local zID account.

Troubleshooting

  • If users cannot log in, verify the client’s Redirect URI and Web Origins match your zMAN UI URL.
  • For federation sync errors, ensure network access to the LDAP/AD server and correct bind DN/credentials.
  • Check zID logs under its container’s /opt/keycloak/standalone/log for detailed error messages.
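
The Redirect URI and Web Origins check from the first troubleshooting item can be scripted against a copy of the client's settings. The following is an added example, not part of zID or its documentation; it assumes the settings use Keycloak's client JSON field names (redirectUris, webOrigins, publicClient), the function names are illustrative, and 192.0.2.10 is a placeholder address.

```python
from urllib.parse import urlsplit

# Constructed sample of a client's settings, using Keycloak's
# ClientRepresentation field names; 192.0.2.10 is a placeholder IP.
SAMPLE_CLIENT = {
    "clientId": "zman-tenant",
    "publicClient": False,  # False corresponds to Access Type "confidential"
    "redirectUris": ["https://192.0.2.10/zman-tenant/*"],
    "webOrigins": ["https://192.0.2.10"],
}

def origin_of(url):
    """Return scheme://host[:port] of an absolute URL, lowercased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def redirect_matches(pattern, url):
    """Exact match, or prefix match when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return url.startswith(pattern[:-1])
    return url == pattern

def audit_client(client, ui_url):
    """Return a list of findings; an empty list means the checks passed.

    Assumes absolute Redirect URIs (relative ones are reported as non-HTTPS).
    """
    findings = []
    uris = client.get("redirectUris", [])
    origins = client.get("webOrigins", [])
    if not any(redirect_matches(p, ui_url) for p in uris):
        findings.append(f"no Redirect URI matches {ui_url}")
    for p in uris:
        if urlsplit(p).scheme != "https":
            findings.append(f"Redirect URI is not an https:// URL: {p}")
    if "*" in origins:
        findings.append("Web Origins contains '*', which allows any origin")
    else:
        allowed = {o.lower().rstrip("/") for o in origins if o != "+"}
        if "+" in origins:  # '+' permits the origins of the Redirect URIs
            allowed |= {origin_of(p) for p in uris}
        if origin_of(ui_url) not in allowed:
            findings.append(f"Web Origins does not include {origin_of(ui_url)}")
    if client.get("publicClient", False):
        findings.append("Access Type is public; the steps above set confidential")
    return findings

if __name__ == "__main__":
    for line in audit_client(SAMPLE_CLIENT, "https://192.0.2.10/zman-tenant/") or ["OK"]:
        print(line)
```
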

Best Practices

  • Rotate admin and service account credentials regularly.
  • Enable HTTPS/TLS for all zID endpoints to protect credentials in transit.
  • Use separate realms for production and test environments.