[ZBX-25368] SAML authentication doesn't see attributes Created: 2024 Oct 07  Updated: 2025 Apr 08  Resolved: 2024 Oct 09

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Server (S)
Affects Version/s: 7.0.3
Fix Version/s: None

Type: Problem report Priority: Trivial
Reporter: Petr Votava Assignee: Tomasz Grzechulski
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File SAML_response.txt     PNG File configuration.png     PNG File error_message.png    

 Description   

Steps to reproduce:

  1. We have configured SAML authentication with Microsoft Azure according  11 SAML setup with Microsoft Azure AD (zabbix.com)
  2. see configuration.png
  3. When I try to login I receive an error message that the atribute user_email is missing in user attributes
  4. see error_message.png
  5. I've captured the response from Azure with the SAML Message Decoder and I see the atribute there:
          <Attribute Name="user_mail">
            <AttributeValue>[email protected]</AttributeValue>
          </Attribute>
  6. see SAML_response.txt
  7. When I try to configure another attribute in Zabbix, which is in the SAML response the message is similar only the name of the atribute in the message is different.

Result:
The user is not logged in and created.
Expected:
Is it a bug or we have something wrong in the configuration?

 Comments   
Comment by Tomasz Grzechulski [ 2024 Oct 09 ]

Hello,

Closing this one, due duplication of: ZBX-25336

Comment by Tomasz Debkowski [ 2025 Apr 07 ]

tgrzechulski you sure it is duplicated? I do not see relation of parameter is missing from user attributes in ZBX-25336.
I went trough all documentations from SAML and Entra ID and still do not see solution for that.

Comment by Tomasz Debkowski [ 2025 Apr 08 ]

seems that i had different issue, while error message was simmilar.

If using default Entra ID claims, all claims are namespaced by http://schemas.xmlsoap.org/ws/2005/05/identity/claims/

then in zabbix attributes with full name should be added eg.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

after setting attributes like this error about attribute matching is gone.

Generated at Wed Aug 06 08:51:46 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.