Uploaded image for project: 'ZABBIX FEATURE REQUESTS'
  1. ZABBIX FEATURE REQUESTS
  2. ZBXNEXT-6615

Change SAML2 Assertion Consumer Service and and Logout Service URLs

    XMLWordPrintable

Details

    • Change Request
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • None
    • None
    • Frontend (F)
    • None

    Description

      At this moment Zabbix tells whether it received an Authentication Response or a Logout Response from the SAML2 idP by checking if URL has 'acs' or 'sls' in it and whether there is a session variable saml_data or not.

      It's hard to figure out from the OASIS documents whether there're some requirements or recommendations on the ACS and SLS URLs. In practice some idPs (one known is Duo Access Gateway) put constraints on the URL strings.

      Duo Access Gateway mentioned earlier doesn't allow to configure ACS/SLS URLs with query strings and only with certain hacks (URL rewriting with the web server and some modifications to php-saml toolkit code to disable strict URL validation) it's possible to make things work together.

      Possibly current index_sso.php could be either separated to two endpoint paths (Onelogin's toolkit has a demo with consume.php and slo.php as separate files: https://github.com/onelogin/php-saml/tree/master/demo2) or it could be enhanced to process both on a single endpoint by checking whether we received an Authentication Response or a Logout Response.

      Attachments

        Activity

          People

            vmurzins Valdis Murzins
            ssimonenko Sergey Simonenko
            Votes:
            1 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated: