In Administration → Authentication the global user authentication method to Zabbix can be specified. The available methods are internal, HTTP, LDAP and SAML authentication.
Note that the authentication method can be fine-tuned on the user group level.
By default, internal Zabbix authentication is used globally. To change:
When done, click on Update at the bottom of the form.
HTTP or web server-based authentication (for example: Basic Authentication, NTLM/Kerberos) can be used to check user names and passwords. Note that a user must exist in Zabbix as well, however its Zabbix password will not be used.
Configuration parameters:
Parameter | Description |
---|---|
Enable HTTP authentication | Mark the checkbox to enable HTTP authentication. |
Default login form | Specify whether to direct non-authenticated users to: Zabbix login form - standard Zabbix login page. HTTP login form - HTTP login page. It is recommended to enable web-server based authentication for the index_http.php page only. If Default login form is set to 'HTTP login page' the user will be logged in automatically if web server authentication module will set valid user login in the $_SERVER variable.Supported $_SERVER keys are PHP_AUTH_USER , REMOTE_USER , AUTH_USER . |
Remove domain name | A comma-delimited list of domain names that should be removed from the username. E.g. comp,any - if username is '[email protected]', 'comp\Admin', user will be logged in as 'Admin'; if username is 'notacompany\Admin', login will be denied. |
Case sensitive login | Unmark the checkbox to disable case-sensitive login (enabled by default) for usernames. E.g. disable case-sensitive login and log in with, for example, 'ADMIN' user even if the Zabbix user is 'Admin'. Note that with case-sensitive login disabled the login will be denied if multiple users exist in Zabbix database with similar alias (e.g. Admin, admin). |
ErrorDocument 401 /index.php?form=default
line to basic authentication directives, which will redirect to the regular Zabbix login form.
External LDAP authentication can be used to check user names and passwords. Note that a user must exist in Zabbix as well, however its Zabbix password will not be used.
While LDAP authentication is set globally, some user groups can still be authenticated by Zabbix. These groups must have frontend access set to Internal. Vice versa, if internal authentication is used globally, LDAP authentication details can be specified and used for specific user groups whose frontend access is set to LDAP.
Zabbix LDAP authentication works at least with Microsoft Active Directory and OpenLDAP.
Configuration parameters:
Parameter | Description |
---|---|
Enable LDAP authentication | Mark the checkbox to enable LDAP authentication. |
LDAP host | Name of LDAP server. For example: ldap://ldap.zabbix.com For secure LDAP server use ldaps protocol. ldaps://ldap.zabbix.com With OpenLDAP 2.x.x and later, a full LDAP URI of the form ldap://hostname:port or ldaps://hostname:port may be used. |
Port | Port of LDAP server. Default is 389. For secure LDAP connection port number is normally 636. Not used when using full LDAP URIs. |
Base DN | Base path to search accounts: ou=Users,ou=system (for OpenLDAP), DC=company,DC=com (for Microsoft Active Directory) |
Search attribute | LDAP account attribute used for search: uid (for OpenLDAP), sAMAccountName (for Microsoft Active Directory) |
Bind DN | LDAP account for binding and searching over the LDAP server, examples: uid=ldap_search,ou=system (for OpenLDAP), CN=ldap_search,OU=user_group,DC=company,DC=com (for Microsoft Active Directory) Anonymous binding is also supported. |
Case-sensitive login | Unmark the checkbox to disable case-sensitive login (enabled by default) for usernames. E.g. disable case-sensitive login and log in with, for example, 'ADMIN' user even if the Zabbix user is 'Admin'. Note that with case-sensitive login disabled the login will be denied if multiple users exist in Zabbix database with similar alias (e.g. Admin, admin). |
Bind password | LDAP password of the account for binding and searching over the LDAP server. |
Test authentication | Header of a section for testing |
Login | Name of a test user (which is currently logged in the Zabbix frontend). This user name must exist in the LDAP server. Zabbix will not activate LDAP authentication if it is unable to authenticate the test user. |
User password | LDAP password of the test user. |
TLS_REQCERT allow
line to the /etc/openldap/ldap.conf configuration file. It may decrease the security of connection to the LDAP catalog.
SAML 2.0 authentication can be used to sign in to Zabbix. Note that a user must exist in Zabbix, however, its Zabbix password will not be used. If authentication is successful, then Zabbix will match a local username (alias) with the username attribute returned by SAML.
In order to work with Zabbix, a SAML identity provider (onelogin.com, auth0.com, okta.com, etc.) needs to be configured in the following way:
<path_to_zabbix_ui>/index_sso.php?acs
<path_to_zabbix_ui>/index_sso.php?sls
<path_to_zabbix_ui>
examples: https://example.com/zabbix/ui, http://another.example.com/zabbix, http://<any_public_ip_address>/zabbix
To use SAML authentication Zabbix should be configured in the following way:
1. Private key and certificate should be stored in the ui/conf/certs/, unless custom paths are provided in zabbix.conf.php.
By default, Zabbix will look in the folowing locations:
2. All of the most important settings can be configured in the Zabbix frontend. However, it is possible to specify additional settings in the configuration file.
Configuration parameters, available in the Zabbix frontend:
Parameter | Description |
---|---|
Enable SAML authentication | Mark the checkbox to enable SAML authentication. |
IDP entity ID | The unique identifier of SAML identity provider. |
SSO service URL | The URL users will be redirected to when logging in. |
SLO Service URL | The URL users will be redirected to when logging out. If left empty, the SLO service will not be used. |
Username attribute | SAML attribute to be used as a username when logging into Zabbix. List of supported values is determined by the identity provider. Examples: uid userprincipalname samaccountname username userusername urn:oid:0.9.2342.19200300.100.1.1 urn:oid:1.3.6.1.4.1.5923.1.1.1.13 urn:oid:0.9.2342.19200300.100.1.44 |
SP entity ID | The unique identifier of SAML service provider. |
SP name ID format | Defines which name identifier format should be used. Examples: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent urn:oasis:names:tc:SAML:2.0:nameid-format:transient urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos urn:oasis:names:tc:SAML:2.0:nameid-format:entity |
Sign | Mark the checkboxes to select entities for which SAML signature should be enabled: Messages Assertions AuthN requests Logout requests Logout responses |
Encrypt | Mark the checkboxes to select entities for which SAML encryption should be enabled: Assertions Name ID |
Case-sensitive login | Mark the checkbox to enable case-sensitive login (disabled by default) for usernames. E.g. disable case-sensitive login and log in with, for example, 'ADMIN' user even if the Zabbix user is 'Admin'. Note that with case-sensitive login disabled the login will be denied if multiple users exist in Zabbix database with similar alias (e.g. Admin, admin). |
Additional SAML parameters can be configured in the Zabbix frontend configuration file (zabbix.conf.php):
Only the following options can be set as part of $SSO['SETTINGS']:
All other options will be taken from the database and cannot be overridden. The debug option will be ignored.
Configuration example:
$SSO['SETTINGS'] = [ 'security' => [ 'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' 'digestAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#sha384', // ... ], // ... ];