  1. ZABBIX FEATURE REQUESTS
  2. ZBXNEXT-8760

JIT user provisioning improvement


    • Change Request
    • Resolution: Unresolved
    • Trivial
    • 7.0.0rc1 (master), 7.0 (plan)
    • Team C
    • Sprint 107 (Dec 2023), S2401, S24-W6/7, S24-W8/9, S24-W10/11, S24-W12/13, S24-W14/15, S24-W16/17
    • 6

      Summary

      Zabbix has a great capability to provide just-in-time user provisioning via LDAP and SAML. Unfortunately, there are a few pain points that limit Zabbix users:

      1. User media is limited to one provisioned value (e.g. one email address);
      2. No editing of provisioned user media attributes (e.g. working hours or severity): they are set to enabled 24*7 for all severities;
      3. Users cannot add an alternative email address or phone number that is not registered in the IdP (identity provider), such as an additional support person's email or a private number for a specific occasion (which should not be added to the corporate IdP);
      4. No user media attribute updates with SCIM;
      5. Incorrect re-creation of the Zabbix user profile when the primary email/login name has changed in the SAML IdP;
      6. The current SAML implementation has limited functionality for IdPs that use complex response structures and various name ID formats.

      All of the above pain points basically come from two deficiencies:

      1. There is no attribute indicator to specify source (manually entered, IdP provisioned) for user media;
      2. The Zabbix SCIM/SAML request filter parser needs to be improved to gain better compatibility with third-party IdPs and to be more flexible with data retrieval from these IdPs.

      Use case

      1. As a user I want to:
        1. add additional media types (e.g. alternative email) besides provisioned ones;
        2. provision all my email addresses from IdP and keep first as an active primary one;
        3. set custom working hours, severity for user media, also with enabled identity provisioning;
        4. receive correct user attribute updates from SAML IdPs.
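
An added example (not Zabbix code and not part of the original request) sketching how a per-media source indicator, as asked for in deficiency 1, lets provisioning updates coexist with manual entries and with user-edited working hours or severities. The `Media` class, the `source` values and the rule that only the first IdP value of each type starts active are assumptions made for illustration.

```python
from dataclasses import dataclass

PROVISIONED, MANUAL = "provisioned", "manual"  # hypothetical source indicator


@dataclass(frozen=True)
class Media:
    mediatype: str                    # e.g. "email", "sms"
    sendto: str
    source: str = MANUAL
    period: str = "1-7,00:00-24:00"   # enabled 24x7
    severity: int = 63                # bitmask: all six severities
    active: bool = True


def reconcile(current, idp_values):
    """Merge a user's media list with (mediatype, sendto) pairs from the IdP.

    Manual entries are never touched. Provisioned entries still present in the
    IdP keep the user's edits; ones the IdP no longer returns are dropped.
    New IdP values get defaults and are active only if first of their type.
    """
    manual = [m for m in current if m.source == MANUAL]
    known = {(m.mediatype, m.sendto): m for m in current if m.source == PROVISIONED}
    taken = {(m.mediatype, m.sendto) for m in manual}
    result, types_seen = list(manual), set()
    for key in idp_values:
        mediatype, sendto = key
        first_of_type = mediatype not in types_seen
        types_seen.add(mediatype)
        if key in taken:              # duplicates a manual entry or an earlier IdP value
            continue
        taken.add(key)
        result.append(known.get(key) or Media(mediatype, sendto, PROVISIONED,
                                              active=first_of_type))
    return result


# Constructed sample data: one edited provisioned address (severity 48 = High +
# Disaster), one address the IdP no longer returns, one manually added number.
before = [
    Media("email", "alice@corp.example", PROVISIONED, period="1-5,09:00-18:00", severity=48),
    Media("email", "old@corp.example", PROVISIONED),
    Media("sms", "+10000000000", MANUAL),
]
idp = [("email", "alice@corp.example"), ("email", "alice.alt@corp.example")]
after = reconcile(before, idp)
for m in after:
    print(m)
```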

            ngogolevs Nikita Gogolevs
            morinskis Martins Orinskis
            Team C
            Votes: 10
            Watchers: 18
