Pangolin Identity Provider config
I am trying to add Zitadel as an IdP in Pangolin. I can get it to work without having any organization policy assigned, but when the user logs in, there is no org assigned in Pangolin. However, when I try to request roles in the OpenID scopes and then write a JMESPath as below for the org policy:
contains("urn:zitadel:iam:org:projects:roles", 'Admin') && 'Admin' || contains("urn:zitadel:iam:org:projects:roles", 'Family') && 'Family' || 'Member'
the login method does not work. I have created Family and Admin roles in Zitadel and assigned them to the only user currently on Zitadel. But still the roles don't show up in the OpenID scope. How do I manage to set it?

1 Reply
This is the error message displayed if I use roles in the org policy check. For example, the OpenID token has the attributes below, as taken from Pangolin:
{
...
"sub": "9590c3bfccd1b1a54b35845fb1bb950057dfa50fba43cb8bada58b462c80e207",
"aud": "JJoSvHCZcxnXT2sn6CObj6a21MuKNRXs3kN5wbys",
"exp": 1745790819,
"iat": 1745789019,
"auth_time": 1745789019,
"email": "user@example.com",
"email_verified": true,
"name": "Example User",
"groups": [
"home-lab",
"admin"
]
}
My authentik instance provides all of these. Zitadel does not seem to provide groups as an attribute, neither does it have roles as an OIDC attribute. How do I read roles from Pangolin when setting up OIDC, please?
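The following is an added example, not code from Pangolin, Zitadel or the poster. It models why a policy written for a list-valued "groups" claim (the authentik token above) matches nothing against a Zitadel token: Zitadel's role claim, when it is present at all, is an object keyed by role name rather than a list, so a policy has to look at its keys. Everything Zitadel-specific here is an assumption to verify against your own token dump: the claim name "urn:zitadel:iam:org:project:roles", the {"Role": {"<org id>": "<org domain>"}} shape, and the fact that the claim only appears once the project's "Assert Roles on Authentication" setting and the application's "User roles inside ID token" option are enabled (setting names as shown in the Zitadel console versions I have used). The helper functions mirror the semantics of a `cond && 'A' || cond && 'B' || 'Member'` JMESPath chain in plain Python so the block runs without the jmespath package; the JMESPath strings at the bottom are the expressions being emulated and should be checked with the jp CLI against a real token.

```python
# Added example (not Pangolin or Zitadel code): how an org-policy chain behaves
# against a list-shaped groups claim versus an object-shaped Zitadel roles claim.
from typing import Any

# Constructed sample tokens; ids and domains are placeholders, not real values.
AUTHENTIK_TOKEN: dict[str, Any] = {
    "sub": "authentik-user",
    "email": "user@example.com",
    "groups": ["home-lab", "admin"],          # list: contains(groups, 'admin') works
}

ZITADEL_ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"   # assumed claim name
ZITADEL_TOKEN: dict[str, Any] = {
    "sub": "zitadel-user",
    "email": "user@example.com",
    ZITADEL_ROLES_CLAIM: {                    # object keyed by role name (assumed shape)
        "Admin": {"000000000000000000": "example.zitadel.cloud"},
        "Family": {"000000000000000000": "example.zitadel.cloud"},
    },
}
# Same user before the project asserts roles into the token: the claim is absent.
ZITADEL_TOKEN_NO_ROLES: dict[str, Any] = {"sub": "zitadel-user", "email": "user@example.com"}


def role_names(token: dict[str, Any], claim: str) -> list[str]:
    """Return the role/group names carried by `claim`, whatever its shape.

    A list claim (authentik "groups") is used as-is. An object claim (Zitadel
    roles) contributes its keys, which is what JMESPath keys(...) returns.
    contains() applied to the object itself never matches a role name, which is
    why a groups-style policy fails silently and the user lands without an org.
    """
    value = token.get(claim)
    if isinstance(value, list):
        return [str(v) for v in value]
    if isinstance(value, dict):
        return list(value.keys())
    return []  # claim missing or of an unexpected type: fall through to default


def org_role(token: dict[str, Any], claim: str,
             mapping: list[tuple[str, str]], default: str = "Member") -> str:
    """Emulate a `cond && 'A' || cond && 'B' || 'default'` JMESPath chain.

    `mapping` is an ordered list of (idp_role, pangolin_role); the first match
    wins, exactly like the left-to-right || chain, and `default` is the final
    unconditional literal.
    """
    names = role_names(token, claim)
    for idp_role, pangolin_role in mapping:
        if idp_role in names:
            return pangolin_role
    return default


# The JMESPath expressions the functions above emulate (assumed to match how
# Pangolin evaluates its org policy). Identifiers containing colons must be
# double-quoted; `|| `{}`` guards the missing-claim case so keys() is never
# called on null, which would raise a JMESPath invalid-type error.
AUTHENTIK_POLICY = "contains(groups, 'admin') && 'Admin' || 'Member'"
ZITADEL_POLICY = (
    'contains(keys("urn:zitadel:iam:org:project:roles" || `{}`), \'Admin\') && \'Admin\' || '
    'contains(keys("urn:zitadel:iam:org:project:roles" || `{}`), \'Family\') && \'Family\' || '
    "'Member'"
)

if __name__ == "__main__":
    print("authentik:", org_role(AUTHENTIK_TOKEN, "groups", [("admin", "Admin")]))
    zitadel_map = [("Admin", "Admin"), ("Family", "Family")]
    print("zitadel:  ", org_role(ZITADEL_TOKEN, ZITADEL_ROLES_CLAIM, zitadel_map))
    print("no roles: ", org_role(ZITADEL_TOKEN_NO_ROLES, ZITADEL_ROLES_CLAIM, zitadel_map))
    print("policy:   ", ZITADEL_POLICY)
```

The practical check is to compare the claim names and shapes in Pangolin's token dump with what the policy references: the user's expression used the scope name (projects, plural) as if it were a claim, and even the correct claim is an object, so `contains("urn:...", 'Admin')` can never be true. If the dump shows no roles claim at all, the policy cannot help until Zitadel is configured to put the roles into the ID token.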

