Versions Compared

Old Version 2

changes.mady.by.user Andreas Hauri

Saved on

compared with

New Version 3

changes.mady.by.user Sandro Camastral

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info

Creating additional (new) roles in Zitadel

When adding new roles, the following actions are required:

  1. Add the new role to the project on the “Cluster IAM” root organization (as described in the previous section).

  2. Add the new role to the Grant given to the organizations. This can be done by clicking on a grant and editing it to make sure the new role is included in the grant.

Adding new roles is only necessary if Unique introduces new roles in a release.

4. Set-up Service user

4.1 Scope Management Service User

The Unique application needs a service user for syncing the user data we have in Zitadel with our Unique System. To set this service user up, the following steps are necessary:

  1. In Zitadel, set-up the scope-management service user, following this documentation https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/588546089/Service+User+configuration#Creating-a-service-user. This service user needs no Unique roles to function.

  2. In Zitadel, generate a Personal Access Token (PAT) for the created service user, details to be found here: https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/588546089/Service+User+configuration#Generating-personal-access-token-(PAT). Copy the PAT after creation, you will need it in step 4 to store it in the Azure Key Vault.

  3. In Zitadel, give the scope-management service user, the IAM Owner Viewer role on an instance level. To switch to the instance, simply click on Default Setting at the top right in Zitadel:

    image-20240826-095238.pngImage Added

    Then add the Service user and give it the role under this button in Zitadel:

    image-20240826-095746.pngImage Added

    After the role was assigned to the user, it should show up like this in the list of the users with instance roles:

    image-20240826-110925.pngImage Added

  4. In the Azure Key Vault, search for the keyvault that contains the secret manual-zitadel-scope-mgmt-pat and add the generated PAT from step 2 there as a value.

After performing the setup of the scope-management service user, the user-sync cronjob is able to use this service user user’s PAT from the key vault to make requests to the Zitadel API and sync the provisioned users to the Unique backend.

5. Adding Zitadel Actions

tbd - work in progress

...

6. Configuring SSO

tbd - work in progress

...

OLD DOCS (will get removed soon - wip)

...