Ad Widget

**bcarvalho** · 07-04-2021, 00:38

Thank you for sharing, I've spent so many days to get this work properly... and you`re right if you run behind a proxy like IIS or NGINX reverse proxy you need to do some extas configs like editing utils.php.

**dimir** · 10-04-2021, 13:00

Olger please check inbox.

**bornslippy** · 15-04-2021, 21:15

I can't find any answer to this question and wondered if you had any success: Is it possible to populate the user email address in Zabbix from the mail claim upon login?

**Jason** · 01-07-2021, 15:32

I had to download the certificate from azure in pem and save it into the ui/conf/certs folder as idp.crt and add a claim for username as user.userprincipalname before it would work for me on zabbix 5.4

**johndoe2374** · 23-09-2021, 11:12

I've tried to set up everything like in OP's instructions with addition of using SAML certificate, and adding a claim for username attribute like in Jason's post. No luck. Microsoft's online login page authenticates me successfully, but after that Zabbix page appears, saying that I'm not logged in, because there's no permission to access the system and "username" parameter is missing from the user attributes. I've also tried different attributes like email, but result is the same - whichever parameter you use it's missing. I suspect you need to add something else in Azure Enterprise Application settings or somewhere else. Any Azure guru to enlighten us?

**Jason** · 23-09-2021, 12:03

I had to add an attribute in Azure AD. Under single sign on in User attributes and claims add username as user.userprincipalname and it should resolve it.

**Jason** · 23-09-2021, 12:27

The user exists in zabbix with their username the same as their userprincipalname?

**Jason** · 23-09-2021, 13:02

Are you still getting that error above? If so that's implying it's not able to match up the username you supply with that from azure. The username attribute needs to be username in the saml settings. Also make sure that the case senstive username checkbox is unticked. Check on the logs on the front end. Have you also downloaded the certificate from azure and placed that in the front end folder?

**johndoe2374** · 29-09-2021, 10:08

Here's Azure and Zabbix SAML settings. Also, here's strings form my access.log for nginx (error.log is empty) which appear in the authentication moment, but there's nothing interesting (IPs and zabbix URL are replaced):

Code:

x.x.x.x - - [29/Sep/2021:11:01:39 +0300] "GET /index_sso.php HTTP/2.0" 302 0 "https://zabbix.mycompany.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31" "-"
x.x.x.x - - [29/Sep/2021:11:01:44 +0300] "POST /jsrpc.php?output=json-rpc HTTP/2.0" 200 64 "https://zabbix.mycompany.com/zabbix.php?action=authentication.edit" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31" "-"
x.x.x.x - - [29/Sep/2021:11:01:44 +0300] "POST /jsrpc.php?output=json-rpc HTTP/2.0" 200 62 "https://zabbix.mycompany.com/zabbix.php?action=charts.view&view_as=showgraph&fi lter_search_type=0&filter_hostids%5B%5D=10449&filt er_set=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31" "-"
x.x.x.x - - [29/Sep/2021:11:01:46 +0300] "POST /jsrpc.php?output=json-rpc HTTP/2.0" 200 64 "https://zabbix.mycompany.com/zabbix.php?action=authentication.edit" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31" "-"

Attached Files

**Jason** · 29-09-2021, 14:34

On the user Attributes and Claims tab is there a "claim name" that is username with the value of user.userprincipalname without any of the https bit at the start? If not add one like in snip below and then try again.

**BalaC** · 25-01-2022, 12:33

Hi,
I Configured in the same way and getting the below issue: Any help on this?

You are not logged in

No permissions for system access.
SAML Response not found, Only supported HTTP_POST Binding

**BalaC** · 25-01-2022, 15:56

Thanks Jason, its already working.

**damianjyates** · 24-02-2022, 22:27

I am running into a similar problem. I renamed the cer file obtained from Azure EA saml-signon and placed it in the appropriate folder but now I receive the following error:

You are not logged in

No permissions for system access.
Invalid array settings: sp_certs_not_found_and_required, idp_cert_or_fingerprint_not_found_and_required

Files in directory for certs are as follows:

root@server:/usr/share/zabbix/conf/certs# ls -la
total 16
drwxr-xr-x 2 root root 4096 Feb 24 19:41 .
drwxr-xr-x 3 root root 4096 Feb 11 18:29 ..
-rw-r--r-- 1 root root 1092 Feb 24 19:41 idp.crt
-rw-r--r-- 1 root root 1092 Feb 24 19:31 Zabbix.cer

the cer file was originally downloaded from Azure. I renamed the file to idp.crt. restarted apache2 and still no change in state, same error received. what have I missed here?

**joostdeheer** · 25-02-2022, 14:28

Originally posted by damianjyates

I am running into a similar problem. I renamed the cer file obtained from Azure EA saml-signon and placed it in the appropriate folder but now I receive the following error:

You are not logged in

No permissions for system access.
Invalid array settings: sp_certs_not_found_and_required, idp_cert_or_fingerprint_not_found_and_required

Two possible reasons:

1. You have enabled one of the sign settings and didn't add a signing certificate.
2. The user the webserver runs as (perhaps www or wwwrun, check the webserver processes) doesn't have read access to the location with the certificates

To solve 1:

Create a certificate for signing on the web server:

openssl req -x509 -newkey rsa:4096 -keyout /usr/share/zabbix/conf/certs/request-sign.pem -out /usr/share/zabbix/conf/certs/request-sign.pem -sha256 -days 1825 -nodes

Fill in the certificate questions. For common name you can use anything, e.g. ‘SAML-Request-Signing’.

Protect the key file so that only the user that the webserver runs as has access to the certificate:

chown wwwrun /usr/share/zabbix/conf/certs/request-sign.key
chmod 400 /usr/share/zabbix/conf/certs/request-sign.key

Edit the web configuration file (/etc/zabbix/web/zabbix.conf.php if you're using the official packages) and point the settings $SSO[‘SP_KEY’] and $SSO[‘SP_CERT’] to the key and cert file:

$SSO[‘SP_KEY’] = ‘conf/certs/request-sign.key’;
$SSO[‘SP_CERT’] = ‘conf/certs/request-sign.crt’;

To solve 2: Allow the wwwrun user (or whatever user the webserver is using for its processes) access to the certificate file.

Ad Widget

Zabbix SAML with Azure AD

Zabbix SAML with Azure AD

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment