How is Zabbix global login interceptor realized?

We want to integrate zabbix into another system in which SSO should be used,and we need to get the Zabbix global login interceptor modified.

thanks

One of the simplest ways is to set it to HTTP authentication and let the HTTP server do it.

I run Rancid, Netdisco and Zabbix together as a set. Each one is set up to trust the username as it comes from Apache, so someone can log into apache once, and access any of them. I use ldap in apache.

Doing that in each of these requires manual creation of the account in the product, since each product handles authorization separately (as opposed to authentication).

The back ends in apache are a lot more mature and various than zabbix has.

you said: Each one is set up to trust the username as it comes from Apache

Can you pls give more details?

thanks

In Zabbix if you choose HTTP authentication, what it really means is that Zabbix takes the username passed in from apache. So if you require an authenticated user in apache (by any technique - ldap, local database, etc.) that username (case sensitively) is passed into zabbix as though already logged in.

You must set that user up in the user list in zabbix (password in zabbix is irrelevant in this case). And in zabbix you must associate it with the appropriate user groups so zabbix knows what permission it has.

Each product I mentioned has a similar setting, allowing it to trust the web server in use for authentication.

Then when a user hits the web page for the first time, the web server (not zabbix) will demand authentication, the user logs in; apache (or whatever) passes that username on to zabbix and because you have http authentication set in zabbix it trusts it and does not prompt for a password.

You said that the web server (not zabbix) will demand authentication,can you pls let me know how can a web server using a SSO login to authenticate?for example,we have a SSO server: loginsso.aaa.com,then what should I do?


thanks

Maybe I misunderstood what you meant,

you said you used APACHE to realize SSO,but in fact we have another SSO server,then what should we do?

SSO is not a type of authentication but just saying that different authentication providers get linked to one source of the authentication. Apache allows you to specify different providers. While it is possible to let it do the authentication itself, more often it is handed off to some other provider. For us that was LDAP. Here's a snippit from that handoff from the 000-default.conf file's virtualhost definition:

This actually provides for two mechanisms, one is LDAP against a windows domain, the other is fall thru to a on-apache database you would create manually say to allow Admin in (if LDAP is down for some reason).

Apache will present the popup screen to demand credentials (With the prompt at "AuthName"), but all it does is pass it off the username and password to the authentication provider ("AuthBasicProvider"), which does the work to query ldap and compare. No apache code was needed to tie this to zabbix (well, except the above), because it is all built in. This set also checks to see if a specific windows group is present for the user (XX/YY/whatever/group_allowed_in) before allowing the user access. AuthLDAPBindDN and password are the windows user which is allowed to read the ldap directory. The "Require valid-user" keeps anyone from using this location without logging in, and passes that logged in user in to the request as seen by zabbix, which it then loads from its user database (without checking password) and gets the authorizations for that user (groups, etc.).

Your SSO, whatever mechanism it is, would link in similarly, assuming there is a canned version. Some of the canned versions are here, and I am sure there are a lot of add-on versions.

Now if your "sso" that you log in through requires the user to actually go to that page (as opposed to having an API compatible with apache), you need to dig behind the scenes and find out how to integrate it with a web site. Any sso that is any good is going to provide a variety of mechanisms to connect to web applications, otherwise the "single" aspect of it is pretty pointless. These kind of integrations are very common; check with whoever manages that aspect in your infrastructure. It's not a zabbix thing at all, it is a web server to authentication provider thing.
In Zabbix it's just a check box that says "trust the web server".