I have problems configuring the zabbix SAML with Onelogin.
I'm using the Zabbix server 6.2, it is behind the haproxy. LDAP is working properly on the Zabbix as well.
I was following the instructions from here.
Here is the screenshot of Onelogin SSO configuration.
For configuration section from the onelogin, I've used:
- Assertion Consumer URL : <path_to_zabbix_ui>/index_sso.php?acs
- Single Logout URL : <path_to_zabbix_ui>/index_sso.php?sls
On the zabbix side, on the screenshot below, I've put:
- "Issuer URL" (from onelogin SSO) to zabbix "IDP entity ID"
- "SAML 2.0 Endpoint" (from onelogin SSO) to zabbix "SSO service URL"
- "SLO Endpoint" (from onelogin SSO) to zabbix "SLO service URL"
- Username attribute is basically the same as we have for other application
- On zabbix side: "SP entity ID", I'm not sure about that part, seems it has to be metadata.xml provided by Onelogin? This doesn't seem to be correct as the data are publicly visible?
On the zabbix, I've edited the /etc/zabbix/web/zabbix.conf.php:
Code:
$SSO['SP_KEY'] = '/usr/share/zabbix/conf/certs/sp.key';
$SSO['SP_CERT'] = '/usr/share/zabbix/conf/certs/sp.crt';
$SSO['IDP_CERT'] = '/usr/share/zabbix/conf/certs/idp.crt';
$SSO_SETTINGS = ['strict' => false, 'baseurl' => "https://zabbix.mydomain.com/", 'use_proxy_headers' => true];
The SP_KEY and SP_CERT are SSL key and cert for the zabbix domain.
The IDP_CERT is cert (only cert, not full xml) provided by onelogin.
The error is from the screenshot:
Basically, expected https:/zabbix./mydomain.com/zabbix-metadata.xml, got https://zabbix.mydomain.com.
Interesting that zabbix is using the library provided by Onelogin here, but I've never found a working example.
The message "test_password" is seen in a few zabbix php scripts like in ./include/classes/api/services/CUserDirectory.php
On SAML-tracer, I see first GET requests to onelogin/client/apps/ID and then second GET request onelogin.com/trust/saml2/ID,
after that post is coming to POST https://zabbix.mydomain.com/index_sso.php?acs ,
there is a SAML xml response from the provider
I tried to manually edit the /usr/share/zabbix/vendor/onelogin/php-saml/settings.php as onelogin library is suggesting, but according to zabbix manual, the data from database is overriding other settings.
Any help is appreciated.
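Added example, not part of the original post and not Zabbix or OneLogin code: a Python diagnostic that decodes the base64 SAMLResponse visible in SAML-tracer and compares its Audience, Destination and Recipient with the "SP entity ID" and ACS URL configured on the Zabbix side. It assumes the "expected ..., got ..." error above is an audience mismatch; the hostnames, the IdP issuer and the sample response are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inspect_response(b64_response, sp_entity_id, acs_url):
    """Return (fields, problems) for a base64 SAMLResponse POSTed to the ACS.

    Diagnostic only: it does not verify signatures, and stdlib ElementTree is
    meant here for responses you captured yourself, not for untrusted input.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    fields = {
        "issuer": root.findtext(".//saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "recipient": scd.get("Recipient") if scd is not None else None,
        "audiences": [a.text.strip()
                      for a in root.iterfind(".//saml:Audience", NS) if a.text],
    }
    problems = []
    # The IdP puts the SP's entity ID in <Audience>; the SP compares it
    # with its own configured entity ID as an exact string.
    if sp_entity_id not in fields["audiences"]:
        problems.append(f"audience: SP entity ID {sp_entity_id!r} "
                        f"not in {fields['audiences']}")
    # Destination and Recipient should both be the ACS URL as the SP sees it
    # (behind a reverse proxy this depends on baseurl / proxy headers).
    for name in ("destination", "recipient"):
        if fields[name] != acs_url:
            problems.append(f"{name}: got {fields[name]!r}, SP uses {acs_url!r}")
    return fields, problems

# Constructed sample response (placeholder hosts, unsigned).
ACS = "https://zabbix.example.com/index_sso.php?acs"
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{ACS}">
<saml:Issuer>https://idp.example.com/saml/metadata/0000</saml:Issuer>
<saml:Assertion><saml:Subject><saml:SubjectConfirmation>
<saml:SubjectConfirmationData Recipient="{ACS}"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction>
<saml:Audience>https://zabbix.example.com/zabbix-metadata.xml</saml:Audience>
</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for sp in ("https://zabbix.example.com", "https://zabbix.example.com/zabbix-metadata.xml"):
        print(sp, "->", inspect_response(SAMPLE_B64, sp, ACS)[1] or "no mismatches")
```

Whatever string the IdP sends as Audience has to equal the SP entity ID field character for character; it is an identifier, so it does not need to resolve to a real metadata file.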