Hi everyone,
I would like to report a potential bug (or a documentation gap) regarding SAML SSO with JIT provisioning in Zabbix. (Please note: I am using an AI assistant to help write this as I am not a native English speaker.)
[Description]
I encountered a PHP Fatal error during SAML authentication. This happens specifically when the "Username attribute" and "Group name attribute" are configured with the same value in the SAML settings.
[Error Message]
PHP Fatal error: Uncaught TypeError: CUser::findUsersByUsername(): Argument #1 ($username) must be of type string, array given, called in /usr/share/zabbix/index_sso.php on line 274 and defined in /usr/share/zabbix/include/classes/api/services/CUser.php:2441
[Environment]
Zabbix Version: 7.0.22 (Official Docker image: zabbix-web-nginx-mysql:7.0-ubuntu-latest)
Docker Image Digest: sha256:47f4528dbe4baa0b9d89c6b1efaec003696886b7285a8c5f0c9e80717fa326d0
[Cause Analysis]
The issue lies in the SAML attribute processing logic within index_sso.php L179:
When the "Username attribute" is identical to the "Group name attribute", the reset($value) call is skipped for that attribute. As a result, the attribute is stored as an array instead of a string. This array is then passed to CUser::findUsersByUsername(), which expects a string, causing the TypeError.
PHP Code:
$groups_key = $saml_settings['group_name'];
foreach ($auth->getAttributes() as $attribute => $value) {
    if ($groups_key !== $attribute) {
        $value = reset($value);
    }
    $user_attributes[$attribute] = $value;
}
[Workaround]
Using different attribute names for the "Username attribute" and "Group name attribute" resolves the issue.
[Question/Suggestion]
Is this a known limitation? Even if this configuration is not recommended, it probably shouldn't result in a Fatal Error that crashes the frontend. I believe this should be handled in the code or at least mentioned as a warning in the documentation/UI.
Best regards,
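The following is an added example, not part of the original post and not Zabbix code or an official fix: it reruns the quoted loop on constructed attributes where both settings name the same attribute, then shows one defensive way to resolve the username to a string before any string-typed lookup. The attribute name `uid`, the `username_attribute` key, and both function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: SAML toolkits return every attribute value as a list.
$attributes = [
    'uid'  => ['alice'],
    'mail' => ['alice@example.com'],
];
// Assumed settings mirroring the report: username and group name use the same attribute.
$saml_settings = ['username_attribute' => 'uid', 'group_name' => 'uid'];

// The loop as quoted in the report, wrapped in a function (hypothetical name).
function normalize_as_reported(array $attributes, string $groups_key): array {
    $user_attributes = [];
    foreach ($attributes as $attribute => $value) {
        if ($groups_key !== $attribute) {
            $value = reset($value);
        }
        $user_attributes[$attribute] = $value;
    }
    return $user_attributes;
}

// Defensive variant (assumption): resolve the username on its own so it is a
// non-empty string or null, whatever the group attribute is configured to be.
function resolve_username(array $attributes, string $username_key): ?string {
    $value = $attributes[$username_key] ?? null;
    if (is_array($value)) {
        $value = reset($value); // first value, or false for an empty list
    }
    return (is_string($value) && $value !== '') ? $value : null;
}

$reported = normalize_as_reported($attributes, $saml_settings['group_name']);
// Shows whether the username is still an array after the quoted loop.
var_dump(is_array($reported[$saml_settings['username_attribute']]));

$username = resolve_username($attributes, $saml_settings['username_attribute']);
if ($username === null) {
    // Handled rejection instead of an uncaught TypeError in the frontend.
    echo "SAML login rejected: username attribute missing or not a string\n";
} else {
    echo "username: {$username}\n";
}
```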