[ZBX-23074] AuthnContextClassRef/PasswordProtectedTransport is not changed if SSO requires urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
Created: 2023 Jul 07  Updated: 2025 Mar 18  Resolved: 2025 Mar 18

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Documentation (D)
Affects Version/s: 6.0.19, 6.4.4, 7.0.0alpha2
Fix Version/s: None

Type: Documentation task
Priority: Blocker
Reporter: Edgar Akhmetshin
Assignee: Martins Valkovskis
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: 0.5h
Original Estimate: Not Specified
Environment: LTS 6.0
Attachments: PNG File Screenshot 2024-05-17 at 10.29.32.png     PNG File image.png    
Issue Links:
Causes
Sub-task
Team: Team C
Sprint: S24-W22/23, S24-W26/27, DOC S25-W2/3
Story Points: 2

 Description   

Steps to reproduce:

  1. try to configure SSO with ADFS
  2. configure SP name ID format to urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos (https://www.zabbix.com/documentation/current/en/manual/web_interface/frontend_sections/users/authentication/saml)
  3. get error

Result:
SSO doesn't work

Expected:
Working SSO.

Workaround - modify manually:

grep -P "AuthnContextClassRef.*SAML" /usr/share/zabbix/vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php
        <!-- <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> -->
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>


 Comments   
Comment by Edgar Akhmetshin [ 2024 May 22 ]

With Frontend configuration (zabbix.conf.php):

$SSO['SETTINGS']    = [
    'security' => [
        'requestedAuthnContext' => false
    ]
];

Or:

$SSO['SETTINGS']    = [
    'security' => [
        'requestedAuthnContext' => [
            'urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos',
        ],
        'requestedAuthnContextComparison' => 'exact'
    ]
]; 

And 'SP name ID format' (Frontend):

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

Configuration works.
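
Added example, not part of the ticket or of Zabbix/php-saml code: a Python check that decodes a SAMLRequest value copied from the browser redirect to the IdP and reports the requested AuthnContextClassRef, Comparison and NameIDPolicy format, so either setting above can be confirmed in what the frontend actually sends. It assumes the HTTP-Redirect binding (base64 over raw DEFLATE); the function names and the sample requests are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

def decode_redirect_request(value: str) -> bytes:
    """SAMLRequest query value -> XML: URL-decode, base64-decode, raw inflate."""
    return zlib.decompress(base64.b64decode(unquote(value)), -15)

def encode_redirect_request(xml: str) -> str:
    """Inverse of the above; used here only to build the constructed samples."""
    c = zlib.compressobj(wbits=-15)
    return quote(base64.b64encode(c.compress(xml.encode()) + c.flush()).decode())

def summarize(xml_bytes: bytes) -> dict:
    """Pull out the fields this ticket is about. Parse only your own SP's requests."""
    root = ET.fromstring(xml_bytes)
    ctx = root.find("samlp:RequestedAuthnContext", NS)
    policy = root.find("samlp:NameIDPolicy", NS)
    refs = [] if ctx is None else [
        (e.text or "").strip() for e in ctx.findall("saml:AuthnContextClassRef", NS)]
    return {
        "class_refs": refs,
        "comparison": None if ctx is None else ctx.get("Comparison", "exact"),  # spec default
        "nameid_format": None if policy is None else policy.get("Format"),
    }

def kerberos_compatible(summary: dict) -> bool:
    """True if no context is requested, or Kerberos is among the requested classes."""
    return not summary["class_refs"] or KERBEROS in summary["class_refs"]

def sample_request(class_ref=None) -> str:
    """Constructed AuthnRequest (not captured traffic), redirect-encoded."""
    ctx = "" if class_ref is None else (
        '<samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef>'
        f"{class_ref}</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>")
    return encode_redirect_request(
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        'ID="_constructed" Version="2.0"><samlp:NameIDPolicy '
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>'
        f"{ctx}</samlp:AuthnRequest>")

if __name__ == "__main__":
    for ref in (None, KERBEROS, PPT):
        print(ref, summarize(decode_redirect_request(sample_request(ref))))
```

With 'requestedAuthnContext' => false the summary shows no class references at all; with the Kerberos array it shows that single class and Comparison "exact".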

Comment by Martins Valkovskis [ 2025 Mar 12 ]

Updated documentation:

  • SAML authentication: 6.0, 7.0, 7.2, 7.4 ("Frontend configuration with Kerberos/ADFS" added)
     
Generated at Wed Jun 04 20:43:18 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.