Zabbix SAML issue
  • Gblaze56
    Junior Member
    • Nov 2020
    • 6

    #1

    Zabbix SAML issue

    Hello all,

    I was wondering if anyone else has had issues trying to use SAML with AWS SSO? In this case I am receiving the following error.

    You are not logged in
    • No permissions for system access.
    • Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd


    This is when I click on the link in AWS SSO portal.

    Any assistance would be appreciated!
  • LenR
    Senior Member
    • Sep 2009
    • 1005

    #2
    Did you create the user in Zabbix first?



    • Gblaze56
      Gblaze56 commented
      yes the users have all been created in Zabbix.
  • LenR
    Senior Member
    • Sep 2009
    • 1005

    #3
    I think the first error is the result of the second. I searched for "Not match the saml-schema-protocol-2.0.xsd" and it seems the consensus is that it can be several different things: problems with signing assertions, not including any user attributes. You may just have to work through those things one by one.



    • Gblaze56
      Gblaze56 commented
      Thanks, I did the same. What I was hoping for was some places to start; I looked at auth.log and the zabbix-server logs and didn't see anything to help.
  • Gblaze56
    Junior Member
    • Nov 2020
    • 6

    #4
    So is there a list of Username Attributes that Zabbix uses?


    • LenR
      Senior Member
      • Sep 2009
      • 1005

      #5
      Username Attribute, which I think must match the user you predefine to Zabbix

      https://www.zabbix.com/forum/zabbix-...-5-0-guideline

      But the name of that field depends on your SAML environment. Note that in that link one user had "uid", another had "Alias", and we use sAmAccountName; case matters, and that probably isn't right, I didn't go look.
      Last edited by LenR; 21-12-2020, 21:23.



      • Gblaze56
        Gblaze56 commented
        I tried all of those as well. What's hampering me is the lack of logging; I can't really see what the issue is, as the error messages are vague at best.
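Since the thread's recurring complaint is that Zabbix gives no useful log of what the IdP actually sent, here is an added example (not code from this thread or from Zabbix) that decodes the SAMLResponse the IdP POSTs to index_sso.php and lists what the SP will see: whether the root really is a samlp:Response (the "Not match the saml-schema-protocol-2.0.xsd" complaint fires before anything else is looked at), the status, the NameID, the attribute names and values, and whether a signature element is present on the Response and/or Assertion. The attribute names it prints are what the "Username attribute" field has to match, exactly and case-sensitively. The SAMLResponse value can be copied (URL-decoded) from the browser's network tab; the sample response embedded below is constructed for illustration and its ds:Signature is an empty placeholder.

```python
"""Added example; not code from this thread or from Zabbix. Decode the
SAMLResponse the IdP POSTs to index_sso.php and list what Zabbix will see,
so the "Username attribute" setting can be matched to an attribute the IdP
really sends instead of guessing (uid, Alias, sAMAccountName, email, ...).
Pass the (URL-decoded) SAMLResponse form value as argv[1]. SAMPLE_RESPONSE_XML
below is constructed for illustration; its ds:Signature is an empty placeholder."""
import base64
import json
import sys
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def inspect_saml_response(b64_response: str) -> dict:
    """Summarise the parts of a SAML Response that decide a Zabbix login.

    The root must be samlp:Response; if the IdP sends anything else, the SP's
    schema check fails before any attribute is examined. Signature handling
    here only reports whether a ds:Signature element is present; actual
    verification needs the IdP certificate and is left to the SP.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    info = {
        "root_is_response": root.tag == "{%s}Response" % NS["samlp"],
        "status": None,
        "issuer": None,
        "name_id": None,
        "attributes": {},
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": False,
        "encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None,
    }
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is not None:
        info["status"] = status.get("Value")
    issuer = root.find("saml:Issuer", NS)
    if issuer is not None:
        info["issuer"] = issuer.text
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An encrypted assertion cannot be read without the SP private key.
        return info
    info["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        info["name_id"] = name_id.text
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        info["attributes"][attr.get("Name")] = values
    return info


def username_attribute_present(info: dict, username_attribute: str) -> bool:
    """True if the attribute named in Zabbix's "Username attribute" field is
    in the response. Names are compared exactly: case matters."""
    return username_attribute in info["attributes"]


# Constructed sample (not a real IdP response); hostnames are placeholders.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2020-11-20T10:00:00Z"
  Destination="https://zabbix.example.com/zabbix/index_sso.php?acs">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-11-20T10:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

if __name__ == "__main__":
    encoded = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_RESPONSE_B64
    print(json.dumps(inspect_saml_response(encoded), indent=2))
```

Run it with the captured SAMLResponse and compare the printed attribute names with the "Username attribute" field; if the list is empty, the IdP is not releasing any attributes to this SP, which is one of the causes LenR mentions.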
    • LenR
      Senior Member
      • Sep 2009
      • 1005

      #6
      I think the logs you need are on the IdP, as would be the knowledge of the user attribute field name.



      • Gblaze56
        Gblaze56 commented
        Tried those nothing in them worthwhile
    • Gblaze56
      Junior Member
      • Nov 2020
      • 6

      #7
      Through sheer luck I was able to get it working by creating an sp-metadata file and creating user attributes that were set to use email, as well as setting up index_sso.php to work with SSO.


      • aalmeidaaccelaero
        Junior Member
        • Apr 2021
        • 1

        #8
        Hi, can you share your steps and let me know what steps you took to get this resolved?


        • Jason
          Senior Member
          • Nov 2007
          • 430

          #9
          In order to get this to work I needed to download the certificate (from Azure) in PEM format, put it in idp.crt in the ui/conf/certs folder, and define an additional attribute under Username and claims called username that mapped to user.userprincipalname.

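Jason's point about the certificate being in PEM format is a common trip-up: IdP portals hand out the signing certificate as binary DER (a "raw" download) or as the bare base64 text inside the metadata's X509Certificate element, while the idp.crt file Zabbix reads needs PEM armour. The following is an added example (not the thread's or Zabbix's code) that recognises the three forms and normalises any of them to PEM before the file is dropped into ui/conf/certs. The sample bytes are a constructed DER-shaped stand-in, not a real certificate.

```python
"""Added example, not from the thread or from Zabbix: make sure the IdP
certificate placed in ui/conf/certs/idp.crt is PEM, converting a binary DER
download or a bare base64 blob (metadata <X509Certificate> text) if needed.
SAMPLE_DER below is constructed and is NOT a real certificate."""
import base64
import re
import sys
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def is_pem_certificate(data: bytes) -> bool:
    """True if the bytes carry the PEM armour expected in idp.crt."""
    text = data.strip()
    return text.startswith(PEM_HEADER.encode()) and text.endswith(PEM_FOOTER.encode())


def is_der_certificate(data: bytes) -> bool:
    """Cheap DER sniff: an X.509 certificate is a SEQUENCE (tag 0x30) whose
    length, for any realistic certificate, is in long form with two length
    bytes (0x82) that must account for the rest of the buffer exactly."""
    return (len(data) > 4 and data[0] == 0x30 and data[1] == 0x82
            and int.from_bytes(data[2:4], "big") == len(data) - 4)


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    return "\n".join([PEM_HEADER, *textwrap.wrap(b64, 64), PEM_FOOTER, ""]).encode()


def pem_to_der(pem: bytes) -> bytes:
    """Strip PEM armour and decode; raises if the body is not valid base64."""
    body = pem.decode().strip().removeprefix(PEM_HEADER).removesuffix(PEM_FOOTER)
    return base64.b64decode("".join(body.split()), validate=True)


def normalize_idp_cert(data: bytes) -> bytes:
    """Return PEM for PEM, DER or bare-base64 input; raise for anything else."""
    if is_pem_certificate(data):
        return data
    if is_der_certificate(data):
        return der_to_pem(data)
    # Bare base64 as copied from IdP metadata, possibly line-wrapped.
    compact = re.sub(rb"\s+", b"", data)
    if compact and re.fullmatch(rb"[A-Za-z0-9+/]+=*", compact):
        der = base64.b64decode(compact, validate=True)
        if is_der_certificate(der):
            return der_to_pem(der)
    raise ValueError("not a PEM, DER or base64-encoded X.509 certificate")


# Constructed stand-in: a DER-shaped SEQUENCE of 300 content bytes. Not a certificate.
SAMPLE_DER = b"\x30\x82" + (300).to_bytes(2, "big") + bytes(range(256)) + bytes(44)
SAMPLE_BARE_B64 = base64.b64encode(SAMPLE_DER)

if __name__ == "__main__":
    # Usage: python this.py downloaded.cer > idp.crt
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DER
    sys.stdout.write(normalize_idp_cert(raw).decode())
```

The DER sniff deliberately checks that the declared length matches the buffer, so a truncated download is rejected rather than wrapped into a PEM file that the SP will later fail to parse.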

          • mfuk
            Junior Member
            • Jul 2023
            • 16

            #10
            Hi Gblaze56, I have the same problem.
            Could I ask you to share your configuration please?

            and in particular:
            Code:
            vim /usr/share/zabbix/conf/zabbix.conf.php
            // SAML file settings in zabbix.conf.php
            $SSO['SP_KEY']   = '/etc/ldap/ssl/key.pem';   // SP private key
            $SSO['SP_CERT']  = '/etc/ldap/ssl/cert.pem';  // SP certificate
            $SSO['IDP_CERT'] = '/etc/ldap/ssl/idp.crt';   // IdP signing certificate (PEM)
            $SSO['SETTINGS'] = [];                        // additional SAML settings (none)
            and the config in the Zabbix GUI for SAML Settings:
              • Enable SAML authentication
              • IdP entity ID
              • SSO service URL
              • SLO service URL
              • Username attribute
              • SP entity ID
              • SP name ID format
              • Sign
                • Messages
                • Assertions
                • AuthN requests
                • Logout requests
                • Logout responses
              • Encrypt
                • Name ID
                • Assertions
              • Case-sensitive login
            Thanks a lot for your help.

