Ad Widget

**tim.mooney** · 03-12-2021, 01:31

This is just a wild guess, but does it make a difference if you use https (instead of http) for both the Okta IdP and the Zabbix return URL?

**bagahe** · 03-12-2021, 01:43

Hi Tim,

Thanks for the feedback. I tried with https on the Okta IdP and got the same result. The redirected url is the same one; which is still not found and is already on https.

Best Regards,

**tim.mooney** · 03-12-2021, 21:57

Ok, thanks for testing that. PHP sometimes does some "magical" things in the name of security if it believes the connection is not secure, so I wanted to rule out that it wasn't something related to PHP stripping something out because it detected part of the process was over an insecure connection.

Are you using Apache httpd or nginx as the web server? Can you increase the log level for URL handling, including proxying, to see if there's a clue in there about why this isn't working?

**bagahe** · 10-12-2021, 13:26

Hi Tim,

Thanks for your support and apologies for the delay.

We are using Apache httpd. We are not running it behind a proxy. I did the whole SSO authentication process, including the notification from OKTA and here are the logs from the webserver, where you can see the 404 and 302 issues:

Which is pretty much the same info we get from Chrome's Network Console:

Is there any other information from my side that can help debug this topic?

Best Regards.

**tim.mooney** · 10-12-2021, 19:02

When you say you're not proxying, do you mean you're using mod_php7 rather than a PHP-FPM worker pool for PHP?

If you remove the "?acs" from the URL that's configured, does Okta get a different HTTP response?

**bagahe** · 14-12-2021, 13:04

Hi Tim,

No, we are using PHP-FPM, I meant that the the service is not running behind a reverse proxy or anything like that.

/ui/index_sso.php is also giving a 404:

**Steve.B** · 14-12-2021, 17:29

Have you setup a DNS entry for mps-zabbix.monolithicpower.com?? the subdomain does not resolve for me.

**bagahe** · 14-12-2021, 17:34

Hi Steve,

Yes, it´s definitely reachable from the internal network:

Best Regards,

**Steve.B** · 14-12-2021, 17:48

Guessed it might be an internal lookup only

got to be carefulthese days lol

Looking at the URL in the screenshot, you're trying to go to mps-zabbix.monolithicpower.com/ui/index_sso.php. Looking at my zabbix install the ui directory doesn't exist and the index_sso.php in the / dir so mps-zabbix.monolithicpower.com/index_sso.php with our the ui sub folder.

Originally posted by bagahe

Hi Tim,

No, we are using PHP-FPM, I meant that the the service is not running behind a reverse proxy or anything like that.

/ui/index_sso.php is also giving a 404:

**bagahe** · 14-12-2021, 18:52

Hi Steve,

I´ve changed things to match the documentation and it looks like I have some progress, but still stuck on URL redirection after OKTA authentication:

These are the settings I have on OKTA SAML:

Thank you very much for your help so far.

Best Regards,

**Steve.B** · 14-12-2021, 18:57

TBH I've not used any SAML soloutions "yet" is there any settings withing OKTA? the error message seems to points that http is being returned to instead of https.

**bagahe** · 14-12-2021, 22:05

So, after some digging, I've fixed the issue.

Here's the solution: Set BaseURL for SAML authentication when behind a reverse-proxy · Issue #614 · zabbix/zabbix-docker (github.com)

Even if you are not using it on a docker container and doing it on /etc/zabbix/web/zabbix conf file, these are the settings that you have to add in order to get it working.
ZBX_SSO_SETTINGS={"strict":false, "baseURL":"https://<fqdn>/", "use_proxy_headers":true}

Leaving this here in case someone else finds this on google or digging though the forums.

Ad Widget

Zabbix - OKTA SAML wrong redirect

Zabbix - OKTA SAML wrong redirect

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment