Microsoft ADFS (SAML IdP) and Zabbix 5.0 Guideline

  • basti-23
    Junior Member
    • Jan 2019
    • 2

    #1

    Microsoft ADFS (SAML IdP) and Zabbix 5.0 Guideline

    Hello,

    Is there a guideline on how to set up Zabbix and ADFS to log in with AD accounts?

    Zabbix SAML configuration:

    [Attached image: zabbix.jpg]

    But I'm not sure how to configure the ADFS relying party trust, and I could not find anything regarding that.

    Thanks a lot in advance!

  • jbanner6736
    Junior Member
    • May 2020
    • 3

    #2
    See my post, I had the same issue:

    https://www.zabbix.com/forum/zabbix-...l-meatdata-url


    • jlivingston91
      Junior Member
      • Oct 2020
      • 1

      #3
      All-
      We are trying to set up ADFS using SAML and redirecting (relying party trust) to our new Zabbix 5.0 server (RHEL 8). For some reason, I am getting "Error details: Invalid URI: The format of the URI could not be determined" errors when trying a bunch of different claims. Does anyone have the claims that we need to pass? Ideally we want the logged-in user (Windows account, using sAMAccountName) to pass through, and that should match up with the Alias attribute in Zabbix. Or even something that just works. I get redirected to the ADFS server and the SAML-appended URL and only have this in the logs.

      [Attached image: ZabbixConfiguration of authentication.png]

      Exception details:
      System.UriFormatException: Invalid URI: The format of the URI could not be determined.
      at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
      at Microsoft.IdentityServer.Web.Protocols.Saml.SamlSignInContext.ValidateCore()
      at Microsoft.IdentityServer.Web.Protocols.ProtocolContext.Validate()
      at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext)
      at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


      Any help is much appreciated.


      • falkoz
        Junior Member
        • Mar 2021
        • 2

        #4
        Hi,
        I haven't found any post so far where someone explains how to get AzureAD-SSO working with Zabbix. After a lot of sweat and tears I managed to get it working, so I'll post it here - as it is the first result on Google when you search Azure AD SSO Zabbix:
        1. Make your Zabbix-Frontend work with SSL, if you haven't done so
        2. Create a new Enterprise-App in Azure. Entity-ID https://zabbix.yourcompany.org - Reply-URL: https://zabbix.yourcompany.org/index_sso.php
        3. Download the Federation-Metadata XML from Azure, open it in a text editor and search for the x509 certificate (appears 3 times in the XML - do NOT download and use the certificate that Azure offers you for direct download)
        4. Create a file (/usr/share/zabbix/)conf/certs/idp.crt and insert the certificate as one single string without any "begin certificate" or line breaks or any other stuff
        5. (May be optional - but I did it): create a personal certificate and private key and put them in the same directory as sp.crt and sp.key (I linked the letsencrypt cert and key I also use for SSL... potentially not the best idea in hyper-secure environments)
        6. (May also be optional): uncomment the SSO part in /usr/share/zabbix/conf/zabbix.conf.php
        7. Log in to Zabbix-FE, go to Administration, Authentication, SAML. Map the values from Azure -> Zabbix:
        -- Azure AD Identifier -> IdP Entity ID (https://sts.windows.net...)
        -- Azure Login URL -> SSO service URL (https://login.microsoftonline.com...)
        -- Claim name from Azure -> Username attribute (that one is tricky... Zabbix will search for the internal technical name. Azure will show you these when you edit your claims. E.g.: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" is the userprincipalname (aka UPN, aka mail address in most scenarios)
        -- Identifier -> SP entity ID (https://zabbix.yourcompany.org in this example)
        8. Create a new user with the right field from Azure as Username (UPN/Mail)
        9. Don't forget to grant your user access rights in Azure, if you have set User assignment required (default)
        10. Log in with SSO and have a pint of beer
