Ad Widget

**smolki** · 31-03-2023, 23:00

I am also trying to run it in this environment. Without result.
I am able to achieve authorization only with an already created user.
JIT, does not work, we need support how to run the service in MS Azure.

**YouDontKnowMe** · 05-04-2023, 16:21

I have the same problem.

SAML authentication only works if a user is already provisioned in Zabbix.

When I try to authenticate with JIT enabled, I'm getting the error "Incorrect user name or password or account is temporarily blocked".

**ro_bitussin** · 08-04-2023, 07:49

I was finally able to get this working. For my SAML setup, I used this guide from another post https://www.joostdeheer.nl/zabbix/Za...SO_AzureAD.pdf

In Azure, I had to adjust the following settings in my group claim:

"Which Groups associated with the user should be returned in the claim?" > Set to "Groups assigned to the application"
"Source Attribute" > Set to "Cloud-only group display names"
Checked "Customize the name of the group claim" > Set to "memberOf"

In Zabbix

Group Name Attribute > set to "memberOf"
User name Attribute > set to "username" (claim setup from the guide)
User Group Mapping, SAML group pattern > Matches group assigned to the application in Azure AD
Checked "Enable SCIM Provisioning"

I would also verify that the user role has the correct privileges.

**HB78** · 13-04-2023, 15:30

Hi,
Just to close the topic, JIT is just working great now , my issue was more on Azure Claims !
I had to change the group Claim i made.

From ro_bitbussin answer i simply adapted the choice to be : Security Groups + select SAMaccountname ( the default was Group ID which is reporting ... ID and not names !)
My custom Name stayed as is ("memberOf")
That permit me to have multiple groups like XYZ-Admins, XYZ-Viewer, etc and then play with User Group mapping
Just need to be sure not to have overlaps : user can't be viewer and admin , I presume ; not sure what happen

**ltep** · 14-04-2023, 11:21

Can someone share the PDF from https://www.joostdeheer.nl/zabbix/Za...SO_AzureAD.pdf ? The URL doesn't work anymore.

**polcape** · 08-06-2023, 18:06

Hi HB78,
I have same issue.

I can't configure provisioning on AzureAd side, it give me an error.

Do you solve?

Thanks

**gianlucas94** · 12-06-2023, 22:01

Hi there,
In my case every user is being provisioned with their roles and groups but when they try to login into zabbix they get this message:

And when I go back to the user list in Zabbix, the user that tried to login go to the group disabled.

Someone can help me ?

Thanks!

**andrebello87** · 04-08-2023, 14:23

Hi guys,

I resolved my problem, was missing the to configure Group Claims in the Enterprise applications.
I customized the name of the group claim to groups, so we need to configure the same name in the front Zabbix Server. Group name attribute = groups

.

Thanks

**MRedbourne** · 21-02-2024, 05:24

Going to pile onto this thread. We're also having issues with the SCIM setup. I've tried a variety of configs for Provisioning/claims, but can't get this to work. Is anyone able to point me in the right direction?

Edit: I should say what's wrong. We can get the accounts provisioned, but Zabbix isn't mapping our roles and groups correctly. Even trying fully generalized wildcards (Eg: the match pattern is '*', we can get this to map anything.

We're on Zabbix 6.4.8 (planned upgrade to 6.4.11 after change board approves), RHEL 9.3 64 bit. Standard apache build with PHP and a ton of hardening applied (CSP, X-Frames, HSTS, Information Disclosure, etc).

Attached Files

Ad Widget

Struggling with JIT for Azure AD SAML (v 6.4)

Struggling with JIT for Azure AD SAML (v 6.4)

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment