...
Open the “Projects” tab and make sure you’re on the “Cluster IAM” root organization. Then click on “Create New Project” and enter a name for the project (e.g.: “unique”).
...
3.0.1 Project Settings
Once you have created the project, make sure you have these settings checked.
...
3.1 Setup an application
Once you’ve created a project in the root organization an application needs to be setup and configured inside that project. Click on the tile with the “+” and enter an application name (e.g.: “unique-app”). For the type of the application, choose “WEB”.
...
Roles are granted as authorizations to users in Zitadel to give access to certain features of Unique solution.
Panel | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
All the roles and their descriptions can be found on the following page: Roles and Permissions |
...
Navigate to the “Roles” section on the project click on “+ New” and add all roles defined on the “Roles and Permissions” page linked above.
Note |
---|
The screenshot might be up to date on and is not showing all roles and only shows that currently exist. It only serves as an example of roles added in a project. Refer to https://unique-ch.atlassian.net/wiki/x/SICeHg and add all roles that are listed there to make sure you are up to date. |
...
3.4 Grant project to an organization
...
Info |
---|
Creating additional (new) roles in Zitadel When adding new roles, the following actions are required:
Adding new roles is only necessary if Unique introduces new roles in a release. |
4. Set-up Service user
4.1 Scope Management Service User
The Unique application needs a service user for syncing the user data we have in Zitadel with our Unique System. To set this service user up, the following steps are necessary:
In Zitadel, set-up the
scope-management
service user, following this documentation https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/588546089/Service+User+configuration#Creating-a-service-user. This service user needs no Unique roles to function.In Zitadel, generate a Personal Access Token (PAT) for the created service user, details to be found here: https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/588546089/Service+User+configuration#Generating-personal-access-token-(PAT). Copy the PAT after creation, you will need it in step 4 to store it in the Azure Key Vault.
In Zitadel, give the
scope-management
service user, theIAM Owner Viewer
role on an instance level. To switch to the instance, simply click on Default Setting at the top right in Zitadel:Then add the Service user and give it the role under this button in Zitadel:
After the role was assigned to the user, it should show up like this in the list of the users with instance roles:
In the Azure Key Vault, search for the keyvault that contains the secret
manual-zitadel-scope-mgmt-pat
and add the generated PAT from step 2 there as a value.
Info |
---|
After setting the PAT in the Key Vault it is necessary to redeploy, so that the |
After performing the setup of the scope-management service user, the user-sync
cronjob is able to use this service user user’s PAT from the key vault to make requests to the Zitadel API and sync the provisioned users to the Unique backend.
5. Adding Zitadel Actions
tbd - work in progress
...
6. Configuring SSO
tbd - work in progress
...
OLD DOCS (will get removed soon - wip)
...
This tutorial only applies for clients with a Customer Managed Tenant.
Setup Actions
Note |
---|
If you add any action the function must string match the name of the action else it is not called. |
Add one new action called addGrant
with this content
...