Issue setting up SAML with Azure AD

This topic has been answered.
  • SkilledAlpaca
    Junior Member
    • May 2023
    • 24

    #1

    Issue setting up SAML with Azure AD

    Hello,
    We have the 6.4 Appliance deployed with Hyper-V. We have external access through https://zabbix.domain.com using nginx and local authentication works. I have gone through the guide SAML setup with Microsoft Azure AD, and I'm certain I'm near the end.

    The issue I'm running into is after successfully authenticating through Azure, I am greeted with the below error.
    The reply URL 'http://<internal server IP>/index_sso.php?acs' specified in the request does not match the reply URLs configured for the application 'https://zabbix.domain.com/zabbix/sp'. Make sure the reply URL sent in the request matches one added to your application in the Azure portal.
    I have set the below line in the /usr/share/zabbix/conf/zabbix.conf.php file and restarted the appliance, but I still get the same error.
    Code:
    $SSO['SETTINGS'] = ['strict' => false, 'baseurl' => "https://zabbix.domain.com/", 'use_proxy_headers' => true];
    I'm not sure what else I can check. Please let me know if there is anything else I can provide to help!
  • Answer selected by SkilledAlpaca at 20-12-2023, 21:26.
    SkilledAlpaca
    Junior Member
    • May 2023
    • 24

    I have made some progress and I believe I got it working finally.

    I ended up adding the below snippet into the /etc/zabbix/web/zabbix.conf.php configuration file. See screenshot.
    Code:
    $SSO['SETTINGS'] = ['strict' => false, 'baseurl' => "https://zabbix.domain.com/", 'use_proxy_headers' => true];
    I then got an error upon login: The parameter "user.userprincipalname" is missing from the user attributes.
    I went to the Entra Admin center and opened the application's SSO settings and added a new attribute.
    Name: username
    Source attribute: user.userprincipalname

    After testing SSO at this point I was given a blank page and no errors. Turns out I didn't add a role to the account, and as soon as I did that, everything started working.


    Michi hopefully this helps.
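For the reply-URL mismatch discussed in this thread, one way to see which AssertionConsumerServiceURL the frontend actually sends is to decode the SAMLRequest from the sign-in redirect and compare it with the reply URLs registered in Entra. This is an added example, not code from the thread or from Zabbix; it assumes the HTTP-Redirect binding, and the function names, the idp.example endpoint, the 192.0.2.10 address and the exact-match comparison are assumptions, with a constructed sample request.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, quote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_authn_request(redirect_url):
    """Return (issuer, acs_url) from the SAMLRequest in an HTTP-Redirect login URL."""
    query = parse_qs(urlsplit(redirect_url).query)
    if "SAMLRequest" not in query:
        raise ValueError("no SAMLRequest parameter in URL")
    raw = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15)  # the redirect binding uses raw DEFLATE
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD in AuthnRequest, refusing to parse")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    issuer = root.findtext(f"{{{SAML}}}Issuer", default="").strip()
    return issuer, root.get("AssertionConsumerServiceURL", "")


def reply_url_problems(redirect_url, registered_reply_urls):
    """List the problems with the ACS URL the service provider asked for."""
    _, acs = decode_authn_request(redirect_url)
    problems = []
    if acs not in registered_reply_urls:  # exact match is an assumption
        problems.append(f"ACS URL {acs!r} is not a registered reply URL")
    if urlsplit(acs).scheme != "https":
        problems.append("ACS URL is not https, the assertion would be posted in clear text")
    return problems


def build_sample(acs_url, issuer):
    """Constructed AuthnRequest, encoded the way the redirect binding does."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_constructed1" Version="2.0" AssertionConsumerServiceURL="{acs_url}">'
           f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>").encode()
    deflater = zlib.compressobj(wbits=-15)
    blob = base64.b64encode(deflater.compress(xml) + deflater.flush()).decode()
    return "https://idp.example/saml2?SAMLRequest=" + quote(blob, safe="")


if __name__ == "__main__":  # 192.0.2.10 stands in for the internal server IP
    url = build_sample("http://192.0.2.10/index_sso.php?acs", "https://zabbix.domain.com/zabbix/sp")
    print(reply_url_problems(url, ["https://zabbix.domain.com/index_sso.php?acs"]))
```

In practice the URL to pass in is the one the browser is redirected to when the SSO sign-in starts, taken from the browser's network tab.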

    • SkilledAlpaca
      Junior Member
      • May 2023
      • 24

      #2
      Under Administration > General > Other > Frontend URL is set to htttps://zabbix.domain.com

      I've attached both my Azure and Zabbix SAML configurations, redacted of course.

      • Michi
        Junior Member
        • Aug 2023
        • 1

        #3
        Hi, we currently have the same problem. Did you find a solution for this?

        We also use Zabbix 6.4 but installed it ourselves on an Ubuntu VM.


        • SkilledAlpaca
          Junior Member
          • May 2023
          • 24

          #4
          I unfortunately have not found a solution. I spent a bit more time researching and tried a few more parameters on our nginx config but nothing seemed to work.

          One thing I did change was the Reply Address in Azure to match what the proxy is providing.
          We have it on the proxy as https://zabbix.domain.com/ so we updated the reply URL and removed the /zabbix portion.

          https://zabbix.domain.com/zabbix/index_sso.php?acs to https://zabbix.domain.com/index_sso.php?acs

          We still have the same error though unfortunately.
