Authentication & Access Control (zID)

Objective

Validate that zID authenticates users into the zWAN Director (not LAN enforcement), supports local users, OTP/TOTP, Google SSO, and LDAP/AD federation, and records authentication events in System → Logs → Syslog.

Prerequisites

  • Admin access to zWAN Director.
  • One test workstation (Windows is fine) to access Director.
  • (Optional) Free services for federation tests:
    – A Google account (for Google SSO)
    – A lab OpenLDAP (e.g., dockerized) for LDAP federation
  • Authorized POC/lab environment.

Test 1: Local User Authentication (zID Local Users)

Steps

  1. Baseline
    • Confirm you can log in to Director with your admin account.
  2. Create Local User & Assign Role (all in one place)
    • Navigate: User Management → Users.
    • Click Create User (or Add User).
    • Fill Username, Name fields, and set Password (or use the credentials workflow per the FSD).
    • Assign a Director Role (e.g., ReadOnly / Operator / Admin) on this same user screen.
    • Save.
  3. Validate Login
    • Log out (or use a private window) and sign in as the new local user.
    • Confirm you land in Director and the UI capabilities match the assigned role.
  4. Logs
    • Navigate: System → Logs → Syslog.
    • Filter to the current time window; verify a successful login event for this username (source IP, timestamp, program/message).

Test 2: Two-Factor Authentication (OTP/TOTP)

Steps

  1. Open the zID Console
    • Top-right gear icon → zID Login (opens the zID auth admin console).
  2. Require OTP
    • zID Console: Authentication → Required Actions.
    • Enable/require Configure OTP (or equivalent “OTP enrollment”).
    • (If available) Authentication → OTP Policy: keep defaults (TOTP, 6 digits, 30s) unless your FSD specifies otherwise.
    • Save.
  3. Enroll & Validate
    • Log out; log back in as the local user from Test 1.
    • Complete the OTP enrollment with a free authenticator app (Google Authenticator / Microsoft Authenticator).
    • Log out and in again to confirm the OTP challenge works.
  4. Logs
    • Director: System → Logs → Syslog. Confirm OTP enrollment and OTP login entries.

Test 3: Google SSO (OpenID Connect)

Steps

  1. Create Google OAuth Credentials (free)
    • Google Cloud Console → APIs & Services → Credentials → Create Credentials → OAuth client ID (Web).
    • Add the Authorized redirect URI shown on your zID Google provider page (copy from Step 2).
    • Save and note Client ID / Client Secret.
  2. Configure Google in zID
    • Director top-right gear → zID Login → Identity Providers → Google.
    • Enable provider; paste Client ID/Secret.
    • Verify/copy the Redirect URI. Save.
  3. Role Mapping
    • If your setup requires role mapping ahead of first login, either:
    – Pre-create a mapped user in zID and assign a Director role, or
    – Allow first login to auto-provision and then assign a role in User Management → Users (Director), selecting the federated identity.
    • Save.
  4. Validate
    • Log out; on the Director login page choose Sign in with Google.
    • Authenticate with your Google account.
    • Verify you land in Director and the role is applied.
  5. Logs
    • System → Logs → Syslog; confirm entries showing federated login (Google) success.

Test 4: LDAP/AD Federation (OpenLDAP demo)

Steps

  1. Stand up OpenLDAP (optional/free)
    • Example (Linux host):
    docker run -p 389:389 --name demo-ldap -e LDAP_ORGANISATION="POC" -e LDAP_DOMAIN="poc.local" -e LDAP_ADMIN_PASSWORD="admin" -d osixia/openldap:1.5.0
    • Add a test user (e.g., uid=user1,ou=People,dc=poc,dc=local) using a free LDAP client (Apache Directory Studio).
  2. Configure LDAP in zID
    • Director top-right gear → zID Login → User Federation (or LDAP) → Add provider.
    • Set Host/Port, Bind DN/Credentials (e.g., cn=admin,dc=poc,dc=local), Users Base DN (e.g., ou=People,dc=poc,dc=local), and User Filter (e.g., (uid={0})).
    • Save (and Test if the button exists).
  3. Assign Role
    • After the LDAP user appears (import/first login), assign a Director Role in User Management → Users.
    • Save.
  4. Validate
    • Log out and log in with user1 (LDAP credentials).
    • Confirm access and role in Director.
  5. Logs
    • System → Logs → Syslog; confirm LDAP-backed login success.
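A directory-side pre-check for Test 4 that resolves the zID user filter against the demo OpenLDAP before the provider is configured. This is an added example, not zID or zWAN code; it assumes the osixia/openldap container from step 1 on localhost:389, the bind DN cn=admin,dc=poc,dc=local with password "admin", the users base ou=People,dc=poc,dc=local and the filter template (uid={0}). The live lookup needs the third-party ldap3 package; the filter rendering runs without it.

```python
import sys

# RFC 4515 escaping for values substituted into a search filter. The zID template
# (uid={0}) receives the typed login name, so metacharacters in that name must stay
# literal instead of changing the shape of the query the directory evaluates.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value per RFC 4515."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_user_filter(template: str, username: str) -> str:
    """Substitute {0} in a zID-style template with the escaped username."""
    return template.replace("{0}", escape_filter_value(username))


def lookup_user(username: str, host: str = "localhost", port: int = 389,
                bind_dn: str = "cn=admin,dc=poc,dc=local", bind_pw: str = "admin",
                base_dn: str = "ou=People,dc=poc,dc=local",
                template: str = "(uid={0})") -> list:
    """Bind with the service account zID will use and return the DN(s) the filter matches.

    Exactly one DN for user1 means the Bind DN, Users Base DN and User Filter values
    from step 2 are correct; zero or several means zID will fail or be ambiguous.
    """
    import ldap3  # third-party: pip install ldap3 (assumed available on the test host)
    server = ldap3.Server(host, port=port, get_info=ldap3.NONE)
    with ldap3.Connection(server, user=bind_dn, password=bind_pw, auto_bind=True) as conn:
        conn.search(base_dn, render_user_filter(template, username), attributes=["uid"])
        return [entry.entry_dn for entry in conn.entries]


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "user1"
    print("filter :", render_user_filter("(uid={0})", name))
    print("matches:", lookup_user(name))
```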

Validation Criteria

  • Local user login works; permissions match the assigned role.
  • OTP enrollment is prompted and enforced on login.
  • Google SSO login works; role is applied post-login.
  • LDAP login works for the test directory account; role applied post-login.
  • All auth events (success/failure) are present in System → Logs → Syslog.

Notes

  • zID is only for Director authentication/authorization (no LAN enforcement).
  • Keep a break-glass admin account available while testing SSO/federation.
  • Use non-production identities for the Google/LDAP demos.