Zabbix 6.4 ADFS SAML Implementation - PHP Error
  • Phil0123
    Junior Member
    • Jun 2023
    • 3

    #1

    Hi all,

    I'm having trouble implementing SAML authentication to Zabbix 6.4, and maybe someone has a good idea how I can further troubleshoot this issue.

    Unfortunately the official SAML documentation seems to be a little outdated and offers just basic information, especially for the official Zabbix docker image we're using.

    Actually we got it almost to work but face an HTTP 500 error when accessing the "index_sso.php".

    Code:
    zabbix-web-nginx-mysql_1  | 2023/06/01 14:54:10 [error] 22#22: *9 FastCGI sent in stderr: "PHP message: PHP Warning:  Undefined variable $user_attributes in /usr/share/zabbix/index_sso.php on line 194PHP message: PHP Fatal error:  Uncaught TypeError: array_key_exists(): Argument #2 ($array) must be of type array, null given in /usr/share/zabbix/index_sso.php:194
    zabbix-web-nginx-mysql_1  | Stack trace:
    zabbix-web-nginx-mysql_1  | #0 {main}
    zabbix-web-nginx-mysql_1  |   thrown in /usr/share/zabbix/index_sso.php on line 194" while reading response header from upstream, client: 10.254.102.139, server: Servername, request: "POST /index_sso.php?acs HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fpm.sock:", host: "Servername.domain.intern", referrer: "https://adfs.company.com/"
    zabbix-web-nginx-mysql_1  | 10.254.102.139 - - [01/Jun/2023:14:54:10 +0200] "POST /index_sso.php?acs HTTP/1.1" 500 5 "https://adfs.company.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" "-"


    So for me it looks like:
    1. SAML login gets offered - OK
    2. ADFS connection is working - OK
    3. ADFS authentication works and returns session to Zabbix - OK
    4. Now Zabbix has a problem with a missing parameter "$user_attributes" - Problem

    The current configuration is as follows:

    SAML Configuration Zabbix


    ADFS Claim - Username attribute


    IDP & SP certs mounted to “/etc/zabbix/web/certs/”


    ADFS Claim - Metadata.xml
    For configuring the ADFS claim we used the following Metadata XML, which we created ourselves as Zabbix does not provide its own file. (Servername.domain.intern & Company as placeholders here)

    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <EntityDescriptor entityID="zabbix" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
        <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://Servername.domain.intern/index_sso.php?acs" index="0" />
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://Servername.domain.intern/index_sso.php?sls" />
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        </SPSSODescriptor>
        <Organization>
            <OrganizationName xml:lang="en">Company</OrganizationName>
            <OrganizationDisplayName xml:lang="en">Zabbix</OrganizationDisplayName>
            <OrganizationURL xml:lang="en">https://Servername.domain.intern/</OrganizationURL>
        </Organization>
        <ContactPerson contactType="administrative">
            <GivenName>User</GivenName>
            <EmailAddress>[email protected]</EmailAddress>
        </ContactPerson>
    </EntityDescriptor>
    User Management
    A corresponding Zabbix user with the same username as provided via "Name ID" (used as "Username attribute" in the SAML config) exists.


    Does anyone have any further ideas what to check on the Zabbix side to resolve this PHP error?



    Best regards
    Philipp
  • Gsmith
    Member
    • Mar 2015
    • 56

    #2
    Hey @Phil0123

    I have the same issue, were you able to resolve this?


    • Phil0123
      Junior Member
      • Jun 2023
      • 3

      #3
      Originally posted by Gsmith
      Hey @Phil0123

      I have the same issue, were you able to resolve this?
      Unfortunately I was not able to solve this issue yet as I cannot tell my provider how to exactly configure the ADFS claim.

      My guess is that the issue is related to the SAML response. Zabbix requires the NameID response as attribute, which is not the default behaviour. The Zabbix support I contacted indirectly approved that this might be the issue but offered no further help because of their support business model.

      For some Identity Provider configurations, the username for the product might be contained in the Attribute element of the assertion instead of NameID.
      A good explanation can be found here, it's the same as for Confluence SSO:


      Maybe someone can approve or disapprove and test if changing the claim to the structure above is the solution.


      • Gsmith
        Member
        • Mar 2015
        • 56

        #4
        Originally posted by Phil0123

        Unfortunately I was not able to solve this issue yet as I cannot tell my provider how to exactly configure the ADFS claim.

        My guess is that the issue is related to the SAML response. Zabbix requires the NameID response as attribute, which is not the default behaviour. The Zabbix support I contacted indirectly approved that this might be the issue but offered no further help because of their support business model.



        A good explanation can be found here, it's the same as for Confluence SSO:
        https://confluence.atlassian.com/ent...945522510.html

        Maybe someone can approve or disapprove and test if changing the claim to the structure above is the solution.
        Thanks for the reply, I did get Zabbix 6.4 working with MS Entra ID (AKA Azure AD). I found something wrong with the "SP name ID format". Unfortunately I was unable to use...


        HTML Code:
        urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress
        I had to use...

        HTML Code:
        urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        Once that was completed, I had to make sure my attribute matched from Zabbix --> MS Entra ID
        Zabbix:
        [screenshot: image.png]

        MicroSoft Entra ID (AKA Azure AD)
        [screenshot: image.png]
        And ensure that the user needed for Zabbix was the same.
        Last edited by Gsmith; 29-09-2023, 03:47.
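        Added example, not code from the thread or from Zabbix: a small Python checker for the two points raised in #3 and #4, whether the NameID Format in the IdP response matches the SP setting, and whether the username arrives in an Attribute or only in NameID, so an empty attribute set yields a readable error instead of the TypeError seen in index_sso.php. The response XML, the attribute name "username" and the address are constructed; the code assumes the SAML library has already verified the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample (illustration only): NameID in the SAML 1.1
# emailAddress format plus one attribute carrying the same value.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0"><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.test</saml:NameID>
 </saml:Subject><saml:AttributeStatement>
  <saml:Attribute Name="username"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def encode_response(xml_text: str) -> str:
    """Base64-encode XML the way the browser POSTs SAMLResponse to index_sso.php?acs."""
    return base64.b64encode(xml_text.encode()).decode()

def parse_assertion(saml_response_b64: str) -> dict:
    """Return NameID, its Format and the attributes of a decoded response.
    Assumes the SAML library already verified the signature; this only inspects."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response contains no Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}  # stays empty when the IdP sent no AttributeStatement
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id.text if name_id is not None else None,
            "name_id_format": name_id.get("Format") if name_id is not None else None,
            "attributes": attrs}

def name_id_format_matches(parsed: dict, sp_format: str) -> bool:
    """True when the IdP's NameID Format equals the SP setting (1.1 vs 2.0 emailAddress)."""
    return parsed["name_id_format"] == sp_format

def resolve_username(parsed: dict, username_attribute: str) -> str:
    """Prefer the configured username attribute, fall back to NameID, and fail
    with a readable message rather than dereferencing a missing attribute set."""
    values = parsed["attributes"].get(username_attribute)
    if values and values[0]:
        return values[0]
    if parsed["name_id"]:
        return parsed["name_id"]
    raise ValueError(f"assertion has neither attribute {username_attribute!r} nor a NameID")
```

To check a real login, paste the SAMLResponse value from the browser's POST to index_sso.php?acs into parse_assertion and compare the reported Format and attribute names with the SP settings in the Zabbix SAML configuration.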


        • Phil0123
          Junior Member
          • Jun 2023
          • 3

          #5
          Originally posted by Gsmith

          Thanks for the reply, i did get Zabbix-6.4 working with MS Entra ID (AKA Azure AD).

          Many thanks for your feedback Gsmith.

          Yes, I think a similar Name ID format issue is also affecting the ADFS method.

          Anyway I'll try to switch over to the Azure AD method as well which also seems to have a more recent documentation and implementation.


          Originally posted by Gsmith

          I found something wrong with the "SP name ID format". Unfortunately I was unable to use...
          Perfect, that maybe saves a lot of trial and error. I'll update once configured.
