
IdP internal console

info

Use this runbook in the ZITADEL console for the internal IdP (auth.reids.net.au).

It assumes the internal ZITADEL instance is already deployed in the cluster via Flux and reachable at https://auth.reids.net.au.

Identity provider series

  1. IdP dual overview
  2. IdP dual architecture
  3. IdP internal deployment
  4. IdP internal console - you are here
  5. IdP internal SMTP
  6. IdP internal LDAP
  7. IdP internal OIDC
  8. IdP internal OAUTH2 proxy
  9. IdP internal backup and restore

1. Goal and scope

Goal: Complete the core console configuration for the internal ZITADEL instance so that:

  • admin login is secured and recoverable;
  • SMTP is configured for password resets and notifications;
  • NAS LDAP is configured as an identity provider;
  • Kubernetes-specific roles and applications exist for OIDC.

2. Prerequisites

Before using this guide you should already have:

  • ZITADEL internal deployed and healthy:
    • https://auth.reids.net.au/ui/console reachable from your network.
  • FirstInstance configured in the Helm values (admin user created automatically).
  • NAS LDAP reachable from the cluster:
    • ldaps://nas.reids.net.au:636
  • LDAP bind account created:
    • uid=zitadel-bind,ou=people,dc=reids,dc=net,dc=au
  • Cluster-wide wildcard TLS trust in place so ZITADEL trusts the NAS *.reids.net.au certificate via SSL_CERT_FILE=/etc/ssl/certs/wildcard-reids.crt.

note

QNAP uses ou=people and ou=group rather than ou=users and ou=groups.


3. Initial admin login

With FirstInstance configured, the first instance and admin are created during zitadel-setup. Use the credentials from your Helm values:

  • Console: https://auth.reids.net.au/ui/console
  • Username: ADMIN_EMAIL_ADDRESS
  • Password: INITIAL_PASSWORD

On first login:

  1. ZITADEL forces a password change.
  2. Change to a strong password and store it in your password manager.

You should now be logged in as the initial admin for the internal instance.


4. Configure SMTP

SMTP is required for password resets, email verification and some notifications.

In ZITADEL console at https://auth.reids.net.au:

  1. Navigate to Default Settings → SMTP Provider → Add Generic SMTP.
  2. SMTP Provider Settings:
    1. Transport Layer Security (TLS): Enabled
    2. Description: SMTP
    3. Host and Port: EMAIL_SERVER:PORT
    4. User: ADMIN_EMAIL_ADDRESS
    5. Password: your SMTP password
  3. Sender Settings:
    1. Sender Email Address: ADMIN_EMAIL_ADDRESS
    2. Sender Name: Auth
    3. Reply-to-Address: ADMIN_EMAIL_ADDRESS
  4. Save your settings:
    1. Test your settings:
      1. Email address: TEST_EMAIL_ADDRESS
    2. Click Save.

tip

Do not reuse your own mailbox for other apps. Keep auth@reids.net.au dedicated to identity traffic so you can spot abnormal patterns more easily.


5. Harden the initial admin account

Once SMTP works, harden the initial admin account.

note

Only edit the account after SMTP has been configured and tested. Otherwise you risk losing access if you mistype the email address.

In the ZITADEL console:

  1. Open your user profile.
  2. Edit the account:
    1. Change user name to a sensible, non-default value.
    2. Change display name.
    3. Add given name and family name.
    4. Change e-mail address if needed to your preferred admin address.
  3. Complete any verification flow for the new email address.
  4. Enable and configure MFA (for example TOTP) for the admin account.

After verification, the login methods will reflect the new username and email address.


6. Configure NAS LDAP as an Identity Provider

This section adds the QNAP NAS LDAP directory as an identity provider in the internal IdP.

note

TLS verification is handled by the wildcard trust configured via SSL_CERT_FILE inside the ZITADEL pods. You do not need to mount LDAP-specific CA secrets in Kubernetes.

In ZITADEL console at https://auth.reids.net.au:

  1. Navigate to Default Settings → Identity Providers → Add Provider → Active Directory / LDAP.
  2. General:
    • Name: nas
  3. Connection:
    • Servers: ldaps://nas.reids.net.au:636
    • BaseDN: dc=reids,dc=net,dc=au
    • BindDN: uid=zitadel-bind,ou=people,dc=reids,dc=net,dc=au
    • Bind password: your LDAP bind password
  4. User binding:
    • Userbase: ou=people,dc=reids,dc=net,dc=au
    • User filters: uid
    • User Object Classes: inetOrgPerson
  5. LDAP Attributes:
    • ID attribute: uid
    • Displayname attribute: displayName
    • Email attribute: mail
    • Family name attribute: sn
    • Preferred username attribute: uid
  6. Optional:
    • Start TLS: not enabled
    • Timeout in seconds: 0
    • Account creation allowed: manually
    • Account linking allowed: manually
  7. Test connection:
    • Click Test Connection.
    • Search for user uid=NAS_USERNAME and confirm attributes look correct.

Once this is working, LDAP-backed users can be linked to or provisioned into the internal instance; with the options above, account creation and linking are confirmed manually rather than automatically.
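Before typing these values into the console (and to confirm the LDAP and TLS prerequisites from section 2), here is an added pre-flight script that is not part of this runbook or of ZITADEL: it binds and searches with the same bind DN, user base, object class, uid filter and attribute list as the IdP settings above, then checks that the result is exactly one entry carrying every attribute ZITADEL maps. It assumes OpenLDAP's ldapsearch is installed, that the wildcard CA file sits at the SSL_CERT_FILE path from the prerequisites, and that the user alice and the sample LDIF are constructed.

```shell
#!/usr/bin/env bash
# Added pre-check for this runbook's LDAP IdP settings; not part of ZITADEL or its console.
# Assumes OpenLDAP's ldapsearch is installed and the wildcard CA file exists at CA_FILE.
set -eu

LDAP_URI="ldaps://nas.reids.net.au:636"
BIND_DN="uid=zitadel-bind,ou=people,dc=reids,dc=net,dc=au"
USER_BASE="ou=people,dc=reids,dc=net,dc=au"
CA_FILE="/etc/ssl/certs/wildcard-reids.crt"
# Attributes the section 6 mapping relies on: ID/preferred username, display name, email, family name.
REQUIRED_ATTRS="uid displayName mail sn"

# Count entries in an LDIF result; exactly one match keeps the uid ID attribute unambiguous.
count_entries() {
  printf '%s\n' "$1" | grep -c '^dn: ' || true
}

# Verify every mapped attribute is present in the LDIF result ("attr: " or base64 "attr:: ").
# Returns 0 when all are present; lists the missing ones on stderr and returns 1 otherwise.
check_mapped_attrs() {
  local ldif="$1" missing="" attr
  for attr in $REQUIRED_ATTRS; do
    printf '%s\n' "$ldif" | grep -Eq "^${attr}::? " || missing="${missing} ${attr}"
  done
  [ -z "$missing" ] && return 0
  printf 'missing attributes:%s\n' "$missing" >&2
  return 1
}

# Live check against the NAS, binding exactly as the console settings will (prompts for the bind password).
# LDAPTLS_CACERT plays the role that SSL_CERT_FILE plays inside the ZITADEL pods.
live_check() {
  local user="$1" result
  result="$(LDAPTLS_CACERT="$CA_FILE" ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -W \
    -b "$USER_BASE" "(&(objectClass=inetOrgPerson)(uid=${user}))" $REQUIRED_ATTRS)"
  [ "$(count_entries "$result")" -eq 1 ] || { echo "expected 1 entry, got $(count_entries "$result")" >&2; return 1; }
  check_mapped_attrs "$result" && echo "OK: ${user} has all attributes ZITADEL maps"
}

# Constructed sample LDIF (not real directory data) so the checks can be exercised offline.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=reids,dc=net,dc=au
uid: alice
displayName: Alice Example
mail: alice@reids.net.au
sn: Example'

if [ -n "${1:-}" ]; then
  live_check "$1"   # usage: ./ldap-precheck.sh NAS_USERNAME
else
  check_mapped_attrs "$SAMPLE_LDIF" && echo "sample entry passes ($(count_entries "$SAMPLE_LDIF") entry)"
fi
```

Run it with the NAS username you intend to test in the console; a missing attribute here (typically displayName or mail on a QNAP account) explains a Test Connection result that binds but shows blank fields.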


7. Kubernetes Dashboard and app clients (pointers)

The console steps for application creation follow the same pattern as the kubernetes-api app above:

  • Kubernetes Dashboard client (kubernetes-dashboard):

    • Project: Kubernetes Infrastructure
    • Redirect URIs: https://dashboard.reids.net.au/oauth2/callback
    • Scopes: openid, profile, email, groups, offline_access
  • Blaster dev client (blaster-dev):

    • Project: Internal Apps
    • Redirect URIs: https://blaster.reids.net.au/api/auth/callback/zitadel, http://localhost:3000/api/auth/callback/zitadel
    • Scopes: openid, profile, email, offline_access
  • Fit dev client (fit-dev):

    • Project: Internal Apps
    • Redirect URIs: https://fit.reids.net.au/api/auth/callback/zitadel, http://localhost:3001/api/auth/callback/zitadel
    • Scopes: openid, profile, email, offline_access

8. Verification checklist

Use this to confirm the internal console configuration is complete:

  • Admin login works at https://auth.reids.net.au/ui/console with a non-default password.
  • SMTP provider added, test email to TEST_EMAIL_ADDRESS succeeds.
  • Admin account details updated and MFA enabled.
  • LDAP IdP nas configured and Test Connection finds uid=NAS_USERNAME with correct attributes.
  • Project Kubernetes Infrastructure exists with role cluster-admin.
  • LDAP group k8s-admins mapped to cluster-admin role.
  • Application kubernetes-api exists with correct redirect, scopes and secrets stored in password manager.
  • (Optional) Application entries created for kubernetes-dashboard, blaster-dev and fit-dev.