Zabbix SAML Sign in problem

This topic has been answered.
  • martins_ms
    Junior Member
    • Dec 2022
    • 2

    #1

    Zabbix SAML Sign in problem

    In my Microsoft Authenticator app I have enabled phone sign-in, and after that there are problems with SAML login. It works only if you are using a password.

    Using phone sign-in gets you the error:
    Authentication method 'X509, MultiFactor, PasswordlessPhoneSignIn' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'.

    I believe there is some SSO setting that needs to be enabled in zabbix.conf.php; does anyone have the same problem?
  • Answer selected by martins_ms at 04-01-2024, 08:27.
  • MRedbourne
    Senior Member
    • Feb 2023
    • 103

    #2
    Hey Mate,

    We use SAML/SSO for Zabbix (through Azure) which works a-ok. You said "Microsoft Authenticator App", so I'm assuming you're using Entra ID (Azure Active Directory) as the IdP (Identity Provider)? What Zabbix version are you using? Specify the full version (e.g. 6.4.10), your OS and your web front-end software (nginx, Apache, etc.).

    This sounds more like a CAP (Conditional Access Policy) or authentication issue with Azure, not with Zabbix. Have you looked at your conditional access policies and searched for your Zabbix app? Are any of the policies failing (blocking) your access? Does it return an actual error code?

    Yes, you need to enable some SSO settings in /etc/zabbix/web/zabbix.conf.php. See attached. You get the certificate from your enterprise app. Download the B64 (Base64) version. Linux doesn't do well with the binary version. See attached.


    • martins_ms
      Junior Member
      • Dec 2022
      • 2

      #3
      I don't think you get me. So we use Azure AD; when you hit login with SAML it asks for e-mail and password. Everything works great. But if someone is tired of passwords, you can enable phone sign-in in your phone app. There is no additional configuration required on the Azure side. But at Zabbix, it is a different story.
      Actually I did figure it out. You need to change one setting in the /usr/share/zabbix/vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php file: change PasswordProtectedTransport to unspecified (urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified), and now everything works great.
      It would be nice if this were somewhere in the documentation and you could change this in zabbix.conf.php.
      I tested this on 6.0, 6.4 and 7.0.



      • rubenjimenezit
        rubenjimenezit commented
        This solved it for us!

        For the record, the original Microsoft Error was:

        Message: AADSTS75011: Authentication method 'X509, MultiFactor, PasswordlessPhoneSignIn, X509Device' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the Zabbix application owner.
    • Enz0man
      Junior Member
      • May 2024
      • 2

      #4
      Originally posted by martins_ms
      I don't think you get me. So we use Azure AD; when you hit login with SAML it asks for e-mail and password. Everything works great. But if someone is tired of passwords, you can enable phone sign-in in your phone app. There is no additional configuration required on the Azure side. But at Zabbix, it is a different story.
      Actually I did figure it out. You need to change one setting in the /usr/share/zabbix/vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php file: change PasswordProtectedTransport to unspecified (urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified), and now everything works great.
      It would be nice if this were somewhere in the documentation and you could change this in zabbix.conf.php.
      I tested this on 6.0, 6.4 and 7.0.
      Thank you so much!!! I have been struggling with this for a while and I couldn't find any information about this specific problem. This fixed it right away. Thanks again.


      • mjunek
        Junior Member
        • Jun 2024
        • 1

        #5
        Thanks martins_ms - We have the same issue when using either Windows login with Biometrics for SSO or Passwordless with M365.
        We have been advising staff to use a private window and forcing password-based login to M365 rather than SSO, which is less than ideal.
        I will test this modification out and if it's all good I'll raise a pull request to get it modified in the code base.


        • JoshCarswell
          Junior Member
          • May 2025
          • 1

          #6

          After some investigation I thought I would post the correct answer to this issue, which does not require modifying any source code. The section that martins_ms referred to is part of an optional block that can easily be disabled, or modified appropriately. Simply said, the correct solution to this is to add the following to zabbix.conf.php:
          PHP Code:
          // zabbix.conf.php: request only the X509 context class instead of
          // php-saml's default PasswordProtectedTransport
          $SSO['SETTINGS'] = [
              'security' => [
                  'requestedAuthnContext' => [
                      'urn:oasis:names:tc:SAML:2.0:ac:classes:X509',
                  ],
              ],
          ];
          I did play around with this a bit, as 'requestedAuthnContext' is supposed to take an array, which would allow both X509 and password authentication to function, but I could not get this to work. If you do need this to support more than passwordless sign-in, you have two options that I can confirm work: either use unspecified as suggested previously, or set 'requestedAuthnContext' to false instead of providing an array.

          Reference:
          Zabbix Documentation https://www.zabbix.com/documentation...anced-settings
          OneLogin Settings https://github.com/SAML-Toolkits/php...ntent-settings
          Microsoft SAML documentation https://learn.microsoft.com/en-us/en...edauthncontext

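An added example, not code from the thread, Zabbix or php-saml: it models how the three values of php-saml's 'requestedAuthnContext' discussed above (the default true, an array of classes, or false) change the RequestedAuthnContext element of the AuthnRequest, and how an IdP doing exact comparison then judges the method the user actually authenticated with. The element layout follows php-saml's default output; the request ID is a placeholder, and treating 'unspecified' as a wildcard reflects what the thread reports for Entra ID, not a SAML-spec rule.

```python
# Added example, not code from the thread, Zabbix or php-saml: emulate how the
# php-saml 'requestedAuthnContext' setting shapes <samlp:RequestedAuthnContext>
# and how an IdP doing "exact" comparison then judges the returned assertion.
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PPT = AC + "PasswordProtectedTransport"  # what php-saml requests when the setting is true
UNSPECIFIED = AC + "unspecified"
X509 = AC + "X509"


def requested_classes(setting):
    """php-saml semantics: True -> [PasswordProtectedTransport]; list -> as given; False -> none."""
    if setting is True:
        return [PPT]
    if setting is False:
        return []
    return list(setting)


def build_authn_request(setting, comparison="exact"):
    """Minimal AuthnRequest skeleton; the ID is a constructed placeholder.
    With setting=False the RequestedAuthnContext element is omitted entirely."""
    ET.register_namespace("samlp", NS_P)
    ET.register_namespace("saml", NS_A)
    req = ET.Element(f"{{{NS_P}}}AuthnRequest", {"ID": "_constructed-id", "Version": "2.0"})
    classes = requested_classes(setting)
    if classes:
        rac = ET.SubElement(req, f"{{{NS_P}}}RequestedAuthnContext", {"Comparison": comparison})
        for cls in classes:
            ET.SubElement(rac, f"{{{NS_A}}}AuthnContextClassRef").text = cls
    return ET.tostring(req, encoding="unicode")


def idp_accepts(setting, asserted_class, comparison="exact"):
    """Return True if an IdP may satisfy the request with 'asserted_class'.
    No requested context (setting False) means any method is fine; 'unspecified'
    is treated as a wildcard to reflect the behaviour the thread reports for
    Entra ID (an assumption here, not a SAML-spec rule); otherwise 'exact'
    comparison requires the asserted class to be one of those requested."""
    classes = requested_classes(setting)
    if not classes or classes == [UNSPECIFIED]:
        return True
    if comparison != "exact":
        raise ValueError("only 'exact' comparison is modelled")
    return asserted_class in classes
```

With the default (true) the request pins PasswordProtectedTransport, so a passwordless (X509-class) sign-in cannot satisfy it, which is the mismatch the AADSTS75011 message describes; requesting X509, unspecified, or nothing at all each let it through.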