
SSO setup failed lost local login

This topic has been answered.
  • pbowler
    Junior Member
    • Feb 2026
    • 3

    #1

    SSO setup failed lost local login

    Howdy,
    Zabbix 7.4 on Debian 13.1
    11.8.3-MariaDB-0+deb13u1
    Tried to set up SSO via Entra (we have this working with many applications already) following the official instructions for Entra SSO and it failed with the error "Invalid array settings: idp_cert_or_fingerprint_not_found_and_required"

    I found a thread about this here which also addresses an issue I found with the reference to not being able to find the conf/certs folder as vaguely described in the otherwise excellent instructions.
    The fix in that thread seems oddly sledgehammerish, copying an entire directory structure to \usr\zabbix\ui (or something).
    Obviously copying file structures in Linux is super easy, but I find it hard to believe that the current version of Zabbix on Debian requires this weird workaround to use Entra SSO.
    Am I missing something?

    I was able to change the configuration and database via SSH to get the local login working but I assume I made a mistake that turned off local authentication, I assume it should be able to do both, though maybe not.

    Any tips on proceeding with getting Zabbix to SSO with Entra?
    I have a snapshot of my working state so I plan on trying the instructions again but I'm wondering if there is a known 'gotcha' to this process.
    Thanks!!
  • Answer selected by pbowler at Yesterday, 16:47.
    pbowler
    Junior Member
    • Feb 2026
    • 3

    OK, fixed.
    Maybe obvious stuff here, though my question did not elicit a peep from this community, but adding for Internet Posterity.

    1. Local Login: make sure "local" is the default login in the Zabbix GUI. Once you start to implement integrated login mechanisms, local seems to stop working if it's not the default login and another login type exists, irrespective of whether that method works or not.

    2. The instructions for Apache2 on Debian never mention configuring HTTPS, but your server will need to be communicating via HTTPS in order to leverage Entra SSO, just use a self-signed cert.

    3. The instructions for Entra include the cert downloaded from Entra but are vague on the location. Additionally, all 3 certs listed in that section of the config file are required. I put them in the same directory structure as the UI and had to create folders for the certs. These certs are referenced in the Authentication Request signing, which looked optional to me, but Entra required it.

    BONUS: if your 365 tenant contains multiple primary SMTP domains, or if you are in hybrid mode, your admin may have set up UPN to be the unique identifier instead of email. The instructions assume email; I had to map user.email to UPN.

    I will say Zabbix is awesome and does exactly what I need, the setup is generally very easy and the documentation is almost perfect.
    Last edited by pbowler; Yesterday, 16:42.
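
A pre-flight check for point 3 of the answer above, as an added example that is not part of the original post or Zabbix's own tooling. It assumes the frontend's default relative locations `conf/certs/idp.crt`, `conf/certs/sp.crt` and `conf/certs/sp.key`, and takes the frontend directory as an argument because that path is install-specific.

```shell
#!/bin/sh
# Added example: verify the three SAML certificate files the Zabbix frontend
# reads before enabling SSO. File names are the frontend defaults (assumption).

# check_pem FILE MARKER -> 0 if FILE exists, is non-empty and carries a PEM
# header ending in MARKER ("CERTIFICATE" or "PRIVATE KEY").
check_pem() {
    _f=$1; _m=$2
    [ -f "$_f" ] || { echo "MISSING  $_f"; return 1; }
    [ -s "$_f" ] || { echo "EMPTY    $_f"; return 1; }
    grep -q -- "-----BEGIN .*${_m}-----" "$_f" \
        || { echo "NOT-PEM  $_f (expected $_m)"; return 1; }
    return 0
}

# check_saml_certs FRONTEND_DIR -> exit status is the number of problems found.
check_saml_certs() {
    _certs="$1/conf/certs"; _problems=0
    # IdP certificate: the one downloaded from Entra. Its absence produces the
    # "idp_cert_or_fingerprint_not_found_and_required" error from post #1.
    check_pem "$_certs/idp.crt" "CERTIFICATE" || _problems=$((_problems + 1))
    # SP certificate and key: needed when authentication requests are signed.
    check_pem "$_certs/sp.crt" "CERTIFICATE" || _problems=$((_problems + 1))
    check_pem "$_certs/sp.key" "PRIVATE KEY" || _problems=$((_problems + 1))
    # The SP private key signs requests, so it must not be world-readable.
    if [ -f "$_certs/sp.key" ] && \
       [ -n "$(find "$_certs/sp.key" -prune -perm -004)" ]; then
        echo "WORLD-READABLE  $_certs/sp.key"
        _problems=$((_problems + 1))
    fi
    return "$_problems"
}

# Usage: sh check_saml_certs.sh <frontend directory>
if [ "$#" -eq 1 ]; then
    check_saml_certs "$1" && echo "all three certificate files look usable"
fi
```

The key also has to stay readable by the account the web server runs as, so restrict it by owner and group rather than removing read access altogether.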


    • pbowler
      Junior Member
      • Feb 2026
      • 3

      #2
      Bummer, I had high hopes for Zabbix
