Zitadel, Single Sign On, and OAuth. It's Impressive!

36,901 views

Jim's Garage


A day ago

Zitadel is the 'new kid on the block' in Identity and Access Management. They have bold ambitions, and so far I'm really impressed by its extensive support and features, many of which improve on existing solutions such as Keycloak.
In this video I show how to deploy and configure Zitadel in Docker, with an example of integrating Portainer Single Sign-On with it.
Zitadel Docker Files:
github.com/JamesTurland/JimsG...
Zitadel Docs:
zitadel.com/docs
Recommended Hardware: github.com/JamesTurland/JimsG...
Discord: / discord
Twitter: / jimsgarage_
Reddit: / jims-garage
GitHub: github.com/JamesTurland/JimsG...
00:00 - Introduction to Zitadel
01:04 - Zitadel Overview
03:34 - Docker Compose Config Overview
11:00 - Deploying With Docker
12:53 - Zitadel GUI & Portainer Setup
20:20 - Overview of Other Features

Comments: 71
@sagarsriva 7 months ago
Jim, your videos are top notch. Keep them coming. Looking forward to advanced zitadel videos from you with more explaining on different type of integrations ❤
@Jims-Garage 7 months ago
Thanks 👍
@jp_baril 7 months ago
Nice video on not only the installation but also the setup, some concepts, and an actual demo. It would be really great if you could create another video to explain in more detail the setup and the use cases of roles/grants on a per-app basis, as you mentioned.
@Jims-Garage 7 months ago
Thanks, I plan to revisit at a later time. I'm still learning some of the concepts and how best to use them. Some of the joys of a new product.
@SerialkillerinTraining 6 months ago
Your subscribers have blown up, I swear when I first subscribed you had only a few hundred. Your videos are amazing and keep up the good work!! Currently I am setting up my 26U Rack that I picked up and I am pricing out servers to start my homelab journey.
@Jims-Garage 6 months ago
Hey, thanks. Yes, I'm overwhelmed by the support, thanks to all. It's exciting kitting out the first proper Homelab, drop a pic in Discord when you're all set up.
@silvanreusser1829 7 months ago
Hi Jim, thank you very much for this great video 👍 It's interesting to see how Zitadel is used and how we can further improve.
@Jims-Garage 7 months ago
Glad you enjoyed it
@neillmennell9779 6 months ago
Great video Jim, and thanks for sharing! Zitadel was launched a few years back but had gone quiet; it seems they have been busy with the cloud feature, so I would love more in-depth videos on how Zitadel removes the heavy lifting when implementing roles in multi-tenancy SaaS apps (Next.js, tRPC, Tailwind, Drizzle, Postgres stack). We have struggled implementing this!
@Jims-Garage 6 months ago
Awesome 👍 I'm planning to come back and revisit soon!
@SpakkaCloud 7 months ago
Another great video Jim, keep 'em coming. I will definitely be playing with this in the HL, curious to compare it to Keycloak and Authentik.
@Jims-Garage 7 months ago
Thanks 👍 it's a tough one, depends if all your apps are OAuth/OIDC compliant. I suspect Authentik ticks most boxes for homelabbing.
@XytrasLLane 7 months ago
Great Demo. Thanks
@Jims-Garage 7 months ago
Thanks 👍
@cheebadigga4092 7 months ago
Thanks for the video. Really cool! I think Zitadel is more "homelabby" whereas Keycloak is more "enterprisey". Keycloak has too much Red Hat fluff added, which I personally don't like as much in homelabs. I'm a bit confused though. You said you were using docker volume mounts, when in your docker compose file only 1 volume mount (in service zitadel) is a docker volume mount, and the other 3 are bind mounts. So it's a mix of both. I guess your explanation was focused on "as their recommendation", which makes total sense. That bit before still might be confusing for beginners.
@-rm-rf 7 months ago
I know what I'll be doing this weekend :D
@Jims-Garage 7 months ago
It's really impressive
@stephanelambert1846 4 months ago
For those who get a "network proxy declared as external, but could not be found" error, just run the command "sudo docker network create proxy".
@Glatze603 7 months ago
Hi Jim, another cool security approach is the open source application FreeIPA, a central user management for Linux with extended possibilities for the restrictive use of sudo commands and system services such as RDP, SSH etc.
@Jims-Garage 6 months ago
Thanks, I'll take a look at that.
@DudeItsDallyBoy 7 months ago
Hey Jim, awesome video as always. Question: can I use Zitadel for apps that don't offer OAuth / OIDC natively? I was holding off on doing Authentik until this video was out, as it seems to be newer and more feature rich. Do you know if Zitadel offers a proxy? I couldn't find anything in the documentation regarding it. Ideally I would want to use Traefik middleware to secure apps that don't support OAuth or OIDC by forcing sign-in via a proxy page before allowing access to my apps. Similar to how Authelia works.
@Jims-Garage 7 months ago
Thanks. I don't believe so. To my knowledge Authentik is the only one-stop shop for homelabbers.
@bluesquadron593 7 months ago
Just got comfortable with Authentik. Although there are things I still can't make work, BUT should I switch over to Zitadel? Or are there not many upsides to it in a homelab environment?
@Jims-Garage 7 months ago
Authentik is probably the best solution at the moment as it does both OAuth and proxying.
@justinbrennan11 5 months ago
Great video tutorial :) Smooth install and login, but I had an issue with Portainer where it wouldn't let me log in. Had to create the Zitadel username manually with the default admin account.
@Jims-Garage 5 months ago
Thanks, that issue is odd. During testing I had to do the same, and then another time I didn't...
@justinbrennan11 5 months ago
@@Jims-Garage No big issue. Hopefully it doesn't do the same with the other apps. Only tried the Portainer one for now. Looking forward to the follow-up for Zitadel you mentioned.
@tw38203 2 months ago
I'm not sure this is of any help, but I've heard of this issue before. It seems that this might be related to Portainer's auto user provisioning, as the issue can occur when using Authentik as well...
@Rockshoes1 2 months ago
Love your content! What’s your take on Authentik vs Zitadel?
@Jims-Garage 2 months ago
I'd go with Authentik for a homelab. Does it all
@AinzOoalG0wn 7 months ago
Ty for the share Jim. However, I'm confused how exactly you get this to work with Traefik. I saw that you covered how to do it for Portainer. But what about other docker containers? How do you go about getting those containers to use Zitadel for authentication using Traefik (forward auth is the term I believe)? Do I have to add Traefik labels? Any examples :} ?? *update: I noticed that DudeItsDallyBoy has a similar question to me.
@Jims-Garage 7 months ago
This is only for apps that support OAuth2/OIDC. For apps that don't, you'll need to use a proxy like Authentik or Authelia.
@AinzOoalG0wn 7 months ago
@@Jims-Garage Ty for the reply Jim. Ya, I scrolled all the way to the bottom and found your reply on that. So now I've moved on to your Authentik video setup xd. Now I'm trying to troubleshoot to get that to work ^-^;
@teolcd 3 months ago
Can you do a demo of what to do with the grant?
@draukuxan1081 7 months ago
Really slick looking project! I'll be giving this a shot in my homelab. Have you found a way to integrate the authentication with Proxmox? If it's in the documentation, I'm still watching this vid, so haven't delved into the docs for Zitadel yet, but will.
@Jims-Garage 7 months ago
Thanks, sadly I haven't managed to integrate Proxmox yet. Hoping we can have a community effort, try by numbers approach ha. I have a feeling it's an issue on the Proxmox side... But Proxmox does work with Keycloak and Authentik.
@loicdupond7550 4 months ago
@@Jims-Garage arf :) reading this comment now after finalizing the installation :D Which one do you recommend between Keycloak and Authentik based on your experience? Like, which one do you use yourself in your homelab?
@Jims-Garage 4 months ago
@@loicdupond7550 Authentik. It does both OAuth and proxy for non-OAuth apps.
@loicdupond7550 4 months ago
@@Jims-Garage Thanks for the blazing fast answer and great content!
@subzizo091 7 months ago
Hello Jim, thanks for the great videos, keep it up. Please, I have a question related to the reverse proxy "Traefik": how can I use it without a domain name in a local environment?
@Jims-Garage 7 months ago
Thanks 👍 you'll need to follow the localhost guide. Everything else in my video should be valid. zitadel.com/docs/self-hosting/deploy/compose
@subzizo091 7 months ago
@@Jims-Garage I mean in general, not with Zitadel. How do I configure Traefik to work with the server IP as a test env? I don't want to use the port for every app; I want to use serverip/app. Is it possible?
@Jims-Garage 7 months ago
@@subzizo091 typically you would simply specify ports in the compose app, and then you would access it by doing dockerIP:appPort
@subzizo091 7 months ago
@@Jims-Garage Ok, thanks Jim for your efforts.
@mybusinesstracker-jobinvoi8213 4 months ago
Nice video. Any more Zitadel videos coming?
@Jims-Garage 4 months ago
Yes, soon (no timelines). I want to do it when it makes sense with major releases.
@fedefede843 7 months ago
Very nice! Another phenomenal option for authentication. Can I make a request? Since you mentioned in this video the plain passwords in the compose files: it is a flaw we all do have. It would be really nice to explore solutions like HashiCorp's Vault, for instance, and create some content around it. Thanks!
@Jims-Garage 7 months ago
Thanks 👍 it's not really too much to worry about in a homelab, but in production you'll want to secure your secrets. Kubernetes makes it pretty simple with things like sealed-secrets
@fedefede843 7 months ago
@@Jims-Garage Yes, but I use most of the homelab to learn (and play for fun too) and then many times end up adding these tools, products, solutions, etc. at work. Vault is something I am currently testing, that's why the request ;) Is it possible to use a tool like Vaultwarden/Bitwarden for this purpose?
@olsenlid 7 months ago
You could just add environment variables for passwords in Portainer. In this case, add the env var "secret", and place it in the compose file as "$secret"
@fedefede843 7 months ago
@@olsenlid Hi. Yes, that is correct. I like that approach a bit better, since you are not exposing the secrets in the compose file, and it also lets you define your secrets in a more organised (and centralised?) fashion. Nevertheless, from the security perspective, it is just moving the issue somewhere else.
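As an added example (not code from the video, its repository, or any of the commenters), the thread above about plaintext credentials in compose files can be illustrated with two constructed compose fragments and a small POSIX shell check. The first fragment hard-codes the database password and the Zitadel master key; the second pulls them from the environment with compose's `${VAR:?err}` interpolation and from a Docker secret file. `ZITADEL_MASTERKEY` is Zitadel's real master-key environment variable and `POSTGRES_PASSWORD_FILE` is supported by the official postgres image; the service layout, the `db_password` secret name and the sample values are assumptions for this example. The `find_plaintext_secrets` function is a grep-based check a practitioner can run over a compose file before committing it.

```shell
#!/bin/sh
# Added example: constructed compose fragments plus a plaintext-secret check.
# Service names, secret names and values are illustrative, not from the video.

# Weak: credentials written directly into the compose file (and thus into
# git history and any shared copy of the file). The masterkey value is only
# a placeholder of the required 32-character length.
WEAK_COMPOSE='services:
  db:
    image: postgres:16
    environment:
      POSTGRES_USER: zitadel
      POSTGRES_PASSWORD: hunter2
  zitadel:
    image: ghcr.io/zitadel/zitadel:latest
    environment:
      ZITADEL_MASTERKEY: MasterkeyNeedsToHave32Characters
'

# Hardened: the master key comes from the shell or an untracked .env file and
# ${VAR:?msg} makes "docker compose up" fail loudly if it is unset; the database
# password is a Docker secret mounted as a file and read via *_FILE.
HARDENED_COMPOSE='services:
  db:
    image: postgres:16
    environment:
      POSTGRES_USER: zitadel
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
  zitadel:
    image: ghcr.io/zitadel/zitadel:latest
    environment:
      ZITADEL_MASTERKEY: ${ZITADEL_MASTERKEY:?set in .env or shell, never in compose}
secrets:
  db_password:
    file: ./secrets/db_password.txt
'

# Read compose text on stdin and print the number of environment entries whose
# key looks secret-bearing and whose value is a literal rather than a ${VAR}
# reference or a *_FILE path. Keys are matched case-insensitively.
find_plaintext_secrets() {
  grep -Ei '^[[:space:]]+[A-Z0-9_]*(PASSWORD|SECRET|MASTERKEY|TOKEN|API_KEY)[A-Z0-9_]*:[[:space:]]*[^[:space:]]' \
    | grep -Ev '_FILE:' \
    | grep -Ev ':[[:space:]]*\$\{?[A-Za-z_]' \
    | wc -l | tr -d ' '
}

# Usage: pipe a compose file in, e.g. find_plaintext_secrets < docker-compose.yml
echo "weak compose: $(printf '%s' "$WEAK_COMPOSE" | find_plaintext_secrets) plaintext secret value(s)"
echo "hardened compose: $(printf '%s' "$HARDENED_COMPOSE" | find_plaintext_secrets) plaintext secret value(s)"
```

The check is deliberately conservative: it only looks at indented `KEY: value` lines, so top-level `secrets:` definitions and list items are ignored, and any value starting with `$` is accepted as an interpolation. As the thread notes, moving a value into an environment variable still leaves it readable through `docker inspect` on the running container; the secret-file form keeps it out of the compose file and the container's environment, but whoever can read the host file or the mounted path can still read it.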
@autohmae 5 months ago
I've yet to figure out which is the best, but Authentik supports SCIM which the others seem to be missing. I actually think this is an important feature long term. So the user can be created in Authentik and then automatically added with the right group/role in Portainer in this case (sadly Portainer does not support this I believe).
@Jims-Garage 5 months ago
I think Authentik is probably the best homelab solution as it covers all bases. It is, however, community made so it comes with usual possible issues.
@autohmae 5 months ago
@@Jims-Garage What do you mean by community made in this case?
@Jims-Garage 5 months ago
@@autohmae My understanding is that Authentik is community driven, which means it's community supported, patched, updated etc. This could leave you with security vulnerabilities and issues that there is no typical SLA in place to fix. Very unlikely to be an issue, and you can migrate, risk control etc., but something to think about.
@autohmae 5 months ago
@@Jims-Garage There is a company built around it, which is also why they have pricing for a hosted solution and "Enterprise Self-Hosted" on their website. 🙂 Is that different from the offerings for Zitadel? Maybe this is a problem with the language barrier, English isn't my first language, but as far as I can see, I see no difference between these 2 in that category.
@Jims-Garage 5 months ago
@@autohmae okay, you're right. I wasn't aware of the enterprise subscription. My last post is likely invalid
@giuseppebinetti87 2 months ago
Is there a way to set this up with Proxmox?
@Jims-Garage 2 months ago
Yea, should support OAuth2
@giuseppebinetti87 2 months ago
@@Jims-Garage I've seen your messages in their Discord asking for support about setting up Proxmox, but can't find the definitive answer to those questions.
@amjads8971 2 months ago
Is it open source?
@Jims-Garage 2 months ago
I don't believe so
@swish6143 24 days ago
Yes it is
@Jims-Garage 24 days ago
@@swish6143 thanks for clarifying
@qoutwest 7 months ago
Is this better than Authentik?
@Jims-Garage 7 months ago
Spin it up and decide... It's a good product, but if you need a proxy and OAuth you're better off with Authentik at the moment.