Solution to Azure SAML - Please rectify in code

  • Mallen
    Junior Member
    • Dec 2019
    • 3

    #1

    Solution to Azure SAML - Please rectify in code

    Hi guys,

    For a long time now Zabbix has had an issue with SAML when using Azure. This issue only seems to occur when using MS Edge if you are logged in to the same Microsoft account with an Edge profile. The issue relates to requestedAuthnContext. If I log in via InPrivate or a different profile in Edge, there are no issues.

    There was an easy solution in Zabbix 5.x that seems to have been broken in 6 and 6.2. In 5 I added
    Code:
    $SSO['SETTINGS'] = ['requestedAuthnContext' => false];
    to /etc/zabbix/web/zabbix.conf.php. In v6 this doesn't seem to do anything.

    Now in v6.2 I change in file /usr/share/zabbix/vendor/onelogin/php-saml/src/Saml2/Settings.php:

    Code:
    if (!isset($this->_security['requestedAuthnContext'])) {
        $this->_security['requestedAuthnContext'] = true;
    }
    to:
    Code:
    if (!isset($this->_security['requestedAuthnContext'])) {
        $this->_security['requestedAuthnContext'] = false;
    }
    This fixes the issue, but I think this file is not protected from upgrades as I have had to change it a few times.

    Would be awesome to add a tickbox to the SAML settings that disabled this setting and protected against upgrades.
  • Markku
    Senior Member
    Zabbix Certified Specialist, Zabbix Certified Professional, Zabbix Certified Expert
    • Sep 2018
    • 1781

    #2
    See this post, there the syntax of the PHP code is different: https://www.zabbix.com/forum/zabbix-...802#post437802

    $SSO['SETTINGS'] = [
        'security' => [
            'requestedAuthnContext' => false
        ]
    ];


    Markku
    Last edited by Markku; 08-11-2022, 07:29. Reason: Included the code in this post as well


    • Mallen
      Junior Member
      • Dec 2019
      • 3

      #3
      This appears to solve the issue. Thanks for that. Would be good if a checkbox in GUI but as long as there is a permanent solution, it's not really a priority. Thanks again.


      • drwolcot
        Junior Member
        • Aug 2023
        • 1

        #4
        I am still running into this issue. I am running Zabbix in Docker and modified the .env_web file for the variable ZBX_SSO_SETTINGS

        The only modification I have made to this is for the security fields.

        Code:
        ZBX_SSO_SETTINGS={{"strict":false, "baseurl":"https://zabbix.domain.com/", "use_proxy_headers":true, "security":{"requestedAuthnContext":"false"}}


        I am now getting this login error
        Code:
        AADSTS7500524: No saml:AuthnContextClassRef or saml:AuthnContextDeclRefs elements were found within samlp:RequestedAuthnContext.


        • Neelan29
          Junior Member
          • Jul 2024
          • 2

          #5
          drwolcot, were you able to solve the error ^^ ??

          I'm running into the same error, using Docker 6.4. Trying to integrate FIDO auth.

          Code:
          AADSTS7500524: No saml:AuthnContextClassRef or saml:AuthnContextDeclRefs elements were found within samlp:RequestedAuthnContext
          Tried:

          Code:
          ZBX_SSO_SETTINGS={{"strict":false, "baseurl":"https://zabbix.domain.com/", "use_proxy_headers":true, "security":{"requestedAuthnContext":"false"}}
          Code:
          ZBX_SSO_SETTINGS={{"strict":false, "baseurl":"https://zabbix.domain.com/", "use_proxy_headers":true, "security":{"requestedAuthnContext":"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"}}

          Comment
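The `ZBX_SSO_SETTINGS` values in posts #4 and #5 carry `requestedAuthnContext` as a JSON string, whereas the `zabbix.conf.php` form in post #2 uses boolean `false`. The following is an added example, not code from any poster, Zabbix or php-saml: it reports the JSON type of that value and what it would produce. The branching is an assumed model of how the bundled php-saml library consumes the setting, and `describe_authn_context` is a hypothetical name.

```php
<?php
// Added example, not Zabbix or php-saml code. The branching below is an
// assumed model of how security.requestedAuthnContext is consumed.

const DEFAULT_CLASS_REF = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport';

/** Return a one-line verdict for security.requestedAuthnContext in a settings JSON string. */
function describe_authn_context(string $json): string
{
    $settings = json_decode($json, true);
    if (!is_array($settings)) {
        return 'invalid JSON: ' . json_last_error_msg();
    }
    // Assumed default when the key is absent: true (the Settings.php lines in post #1).
    $value = $settings['security']['requestedAuthnContext'] ?? true;

    if ($value === false) {
        return 'omitted: no <samlp:RequestedAuthnContext> in the AuthnRequest';
    }
    if ($value === true) {
        return 'sent with ' . DEFAULT_CLASS_REF;
    }
    if (is_array($value) && $value !== []) {
        return 'sent with ' . implode(', ', $value);
    }
    // A string such as "false" is neither boolean false nor a list of class refs.
    return 'wrong type (' . gettype($value) . '): element would be sent with no AuthnContextClassRef';
}

// Constructed sample values, modelled on the ones posted in this thread.
$samples = [
    'string "false"' => '{"strict":false,"security":{"requestedAuthnContext":"false"}}',
    'boolean false'  => '{"strict":false,"security":{"requestedAuthnContext":false}}',
    'list of refs'   => '{"security":{"requestedAuthnContext":["urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"]}}',
    'key absent'     => '{"strict":false}',
    'doubled brace'  => '{{"strict":false}',
];

foreach ($samples as $label => $json) {
    printf("%-15s => %s\n", $label, describe_authn_context($json));
}
```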

          • Neelan29
            Junior Member
            • Jul 2024
            • 2

            #6
            solved.

            workaround -> edit file

            Code:
            vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php
            replace

            Code:
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
            with

            Code:
            urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified


            • anslu
              Member
              • Aug 2023
              • 30

              #7
              No luck with version 7. Has anyone found a workaround?


              • rsokolovs
                Junior Member
                • Nov 2024
                • 4

                #8
                Had this issue with Zabbix 7.0.6 and resolved in /etc/zabbix/web/zabbix.conf.php file with:
                Code:
                $SSO['SETTINGS'] = [
                    'security' => [
                        'requestedAuthnContext' => false
                    ],
                ];


                • anslu
                  Member
                  • Aug 2023
                  • 30

                  #9
                  Originally posted by rsokolovs
                  Had this issue with Zabbix 7.0.6 and resolved in /etc/zabbix/web/zabbix.conf.php file with:
                  Code:
                  $SSO['SETTINGS'] = [
                      'security' => [
                          'requestedAuthnContext' => false
                      ],
                  ];
                  Thank you!


                  • frank108
                    Junior Member
                    • Mar 2022
                    • 15

                    #10
                    Originally posted by rsokolovs
                    Had this issue with Zabbix 7.0.6 and resolved in /etc/zabbix/web/zabbix.conf.php file with:
                    Code:
                    $SSO['SETTINGS'] = [
                        'security' => [
                            'requestedAuthnContext' => false
                        ],
                    ];
                    Thanks a lot, it works on 7.2 as well.
                    As I have a reverse proxy in front, I have this together:
                    PHP Code:
                    $SSO['SETTINGS'] = [
                        'use_proxy_headers' => true,
                        'security' => [
                            'requestedAuthnContext' => false
                        ],
                    ];
                    Last edited by frank108; 15-01-2025, 13:16.
