SAML single-logout "Missing Status"
Hi all,
Been running into an issue with SAML in Zabbix. I have a Zabbix Server 5.4.3 instance, running on Ubuntu 20.04 LTS in an LXC container. I've been trying to fully integrate Zabbix with my Keycloak server, and 90% of it works. Logging in works perfectly, no issues at all, but the 10% is single-logout, which does in fact log me out of the Keycloak realm, but throws an error once it returns to Zabbix. Specifically, when I hit "Sign out" in Zabbix, this redirects me to the Keycloak single-logout URL, which logs me out, then redirects back to Zabbix with a SAML document indicating the success of the operation. Unfortunately, upon receiving this, Zabbix displays the error "Missing Status on response". This error message comes from the PHP-SAML library Zabbix uses (direct link). This error is thrown when the SAML document is missing the assertion for "Status". I decoded the SAML document returned by Keycloak, and noticed that while PHP-SAML looks for this in the XPATH
, the document from Keycloak instead has the path
. I'm not sure if this is the issue, I tried looking for a way to change this in KC, but found nothing. Any ideas for further debugging or potential solutions, either with Keycloak, PHP-SAML, or Zabbix?
The error I get when SLO completes:
Zabbix SAML configuration:
Keycloak SLO endpoint configuration:
Been running into an issue with SAML in Zabbix. I have a Zabbix Server 5.4.3 instance, running on Ubuntu 20.04 LTS in an LXC container. I've been trying to fully integrate Zabbix with my Keycloak server, and 90% of it works. Logging in works perfectly, no issues at all, but the 10% is single-logout, which does in fact log me out of the Keycloak realm, but throws an error once it returns to Zabbix. Specifically, when I hit "Sign out" in Zabbix, this redirects me to the Keycloak single-logout URL, which logs me out, then redirects back to Zabbix with a SAML document indicating the success of the operation. Unfortunately, upon receiving this, Zabbix displays the error "Missing Status on response". This error message comes from the PHP-SAML library Zabbix uses (direct link). This error is thrown when the SAML document is missing the assertion for "Status". I decoded the SAML document returned by Keycloak, and noticed that while PHP-SAML looks for this in the XPATH
Code:
/samlp:Response/samlp:Status
Code:
/samlp:LogoutResponse/samlp:Status
The error I get when SLO completes:
Zabbix SAML configuration:
Keycloak SLO endpoint configuration:
Comment