[ZBXNEXT-2663] Support SAML authentication in zabbix frontend Created: 2015 Jan 08  Updated: 2024 Oct 16  Resolved: 2020 May 11

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Frontend (F)
Affects Version/s: None
Fix Version/s: 5.0.0rc1, 5.0 (plan)

Type: New Feature Request Priority: Trivial
Reporter: Greg Swift Assignee: Andrejs Griščenko
Resolution: Fixed Votes: 42
Labels: frontend, sso

Attachments: XML File Not_set_GET.xml     XML File Not_set_POST.xml     PNG File SAML-AzureAD-settings.png     XML File set_GET.xml     XML File set_POST.xml    
Issue Links:
Causes
causes ZBX-17676 Update ZBX_MAX_FIELDS in dbschema.h t... Closed
Duplicate
is duplicated by ZBXNEXT-3320 SAML2 Support for Authentication Closed
is duplicated by ZBXNEXT-5689 SAML service provider support for Zab... Closed
Sub-task
depends on ZBXNEXT-5836 Support SAML authentication in zabbix... Closed
Sub-Tasks:
Key | Summary | Type | Status | Assignee
ZBXNEXT-5836 | Support SAML authentication in zabbix... | Specification change (Sub-task) | Closed | Artjoms Rimdjonoks
Team: Team D
Sprint: Sprint 62 (Mar 2020), Sprint 63 (Apr 2020), Sprint 64 (May 2020)
Story Points: 6

 Description   

"Why add SAML support to my software?

SAML is an XML-based standard for web browser single sign-on and is defined by the OASIS Security Services Technical Committee. The standard has been around since 2002, but lately it is becoming popular due to its advantages"

https://github.com/onelogin/php-saml

This would be an excellent extension for zabbix, especially in enterprise environments. For instance, we have a heavy requirement for 2 factor authentication.



 Comments   
Comment by Greg Swift [ 2015 Jan 08 ]

To clarify, I don't care if it is from the onelogin toolkit or implemented another way. I'm just looking for integratable SSO and/or 2FA with Zabbix.

Comment by Oleksii Zagorskyi [ 2016 Mar 22 ]

Related forum thread https://www.zabbix.com/forum/showthread.php?t=41432

Comment by Derrick Smith [ 2018 Aug 06 ]

I added support for SAML using the Onelogin library and forked the zabbix repo on Github with the changes. You can find the repo at https://github.com/derricksmith/zabbix/tree/Development/frontends/php. You will need to add the following columns to the config table in mysql and create an SP certificate and key called sp.key/sp.crt located in include/classes/saml/certs/. Still working on single signout.

ALTER TABLE `config` ADD COLUMN `saml_idp_entity_id` text NOT NULL AFTER `ldap_search_attribute`;

ALTER TABLE `config` ADD COLUMN `saml_idp_single_sign_on_service` text NOT NULL AFTER `saml_idp_entity_id`;

ALTER TABLE `config` ADD COLUMN `saml_idp_single_logout_service` text NOT NULL AFTER `saml_idp_single_sign_on_service`;

ALTER TABLE `config` ADD COLUMN `saml_idp_certificate` text NOT NULL AFTER `saml_idp_single_logout_service`;

 

Comment by Mosen [ 2019 Feb 17 ]

I've also started a SAML integration but my question is more around introducing external dependencies.

I don't see any current dependencies in the frontend so are they not allowed? I wouldn't want to re-write a zabbix only implementation of Signed XML just for this feature.

Otherwise I'll have to maintain a fork with SAML similar to @Derrick Smith

 

Comment by Tim Szozda [ 2019 Feb 27 ]

This feature request would provide "Just-in-time" provisioning to allow for users and user group membership to dynamically be applied to Zabbix based upon SAML session values.  

I do believe this is a feature that is lacking from Zabbix and present in other monitoring solutions. This is a common deliverable in most modern applications and I am hopeful that Zabbix can deliver to compete, if not excel, over other monitoring solutions.

Comment by Anthony Somerset [ 2019 Mar 06 ]

So I've worked around this in the meantime using mod_auth_mellon (https://github.com/UNINETT/mod_auth_mellon/ - packages in ubuntu repos) in apache2 to integrate with Azure AD and there are a few caveats:

  1. I still have to manage the account/group permissions in zabbix gui
    1. this is not a big dealbreaker for us at this stage - it would be nice if group membership data could be fed to zabbix 
  2. you use the enable HTTP authentication options and I recommend ignoring case in usernames
  3. non "SAML" accounts have to use a separate VHOST to use the zabbix user database or for public "guest" access
    1. not a deal breaker as we already do this to work around the lack of user/group level timezone definitions
  4. no logout from zabbix

Having SAML integrated into Zabbix as a first class citizen would be far far better so that workarounds and kludges don't need to happen for guests or "external" users in particular and as Tim said, Just In Time provisioning and permissions management

 

I would wholly concur about putting this on the roadmap for a future release

Comment by Mosen [ 2019 Mar 11 ]

Hmm zabbix structure is quite particular I assume, since they use no external dependencies and have a bespoke mvc framework. I’ve forked the front end for now to incorporate saml.

Comment by Pascal Uhlmann [ 2019 Jul 30 ]

We also have the requirement to change authentication to 2FA. Therefore I'd really appreciate this feature to be implemented.

Comment by Tim Szozda [ 2019 Jul 30 ]

SAML will be dead at this pace. So, if not SAML with Just in Time Provisioning, then let's root for OpenID Connect with JiT.   A case insensitive login via SSO is needed for Zabbix to flourish. Imagine Zabbix Maps that could be freely shared amongst organizations without a drawn out process to create identities in a large organization. Could start encroaching into Atlassian StatusPage business. 

Comment by mohamed Ahmed moursi [ 2020 Jan 06 ]

Hello everyone,

Is there any update on this?

We are using Apereo CAS as an SSO, connecting ZABBIX with it would add many features like Recaptcha v3 and 2FA. In addition, it would provide our IT staff with a seamless experience.

Comment by Andrejs Griščenko [ 2020 Apr 08 ]

Resolved in development branch feature/ZBXNEXT-2663-4.5

Comment by Andrejs Griščenko [ 2020 Apr 30 ]

Available in:

Comment by Bilal Habib [ 2020 Apr 30 ]

Awesome just saw the changelog

Comment by Andrejs Griščenko [ 2020 May 11 ]

User documentation updated:

Comment by John Banner [ 2020 May 28 ]

So what is Zabbix's metadata url? index_sso.php?metadata does not work or exist, trying to import into ADFS or Shibboleth, both require a metadata url for the service provider

Comment by Roberts Lataria (Inactive) [ 2020 May 28 ]

Hello, [email protected]! Zabbix does not support metadata.

Comment by John Banner [ 2020 May 28 ]

So how do you use ADFS without entering any metadata? You can't add the relying party without metadata so you can't use ADFS, but it is shown on the Zabbix Native Integrations page for SAML.

Comment by John Banner [ 2020 May 28 ]

For others that come across this, I got it working, created a metadata file from scratch for use in ADFS and Shibboleth. Further, I edited sites-available, and added an alias to the metadata file, 

*edit -  Added a prettier metadata file

000-default.conf and default-ssl.conf

Alias "/zabbix-metadata.xml" "/var/www/html/zabbix-metadata.xml"

zabbix-metadata.xml

<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor entityID="https://monitor.example.edu" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <!-- The metadata schema expects SingleLogoutService and NameIDFormat before AssertionConsumerService -->
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://monitor.example.edu/index_sso.php?sls" />
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://monitor.example.edu/index_sso.php?acs" index="0" />
    </SPSSODescriptor>
    <ContactPerson contactType="administrative">
        <GivenName>System Administrator</GivenName>
        <EmailAddress>[email protected]</EmailAddress>
    </ContactPerson>
    <ContactPerson contactType="support">
        <GivenName>Tech Support</GivenName>
        <EmailAddress>[email protected]</EmailAddress>
    </ContactPerson>
</EntityDescriptor>
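
Added example, not part of the original thread and not Zabbix code: a Python script that generates SP metadata for the two endpoints named in the comment above (index_sso.php?acs and index_sso.php?sls) and lints a hand-written metadata file for non-HTTPS endpoints and for element order. The function names are hypothetical, and defaulting the entity ID to the base URL is an assumption taken from that comment's file.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Order the metadata schema requires inside SPSSODescriptor (elements used here only).
ORDER = ["SingleLogoutService", "NameIDFormat", "AssertionConsumerService"]


def build_sp_metadata(base_url, entity_id=None):
    """Return SP metadata XML for a Zabbix frontend at base_url (hypothetical helper)."""
    parts = urlsplit(base_url)
    # Assertions are POSTed to the ACS, so refuse anything but an https:// base.
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError("base_url must be a plain absolute https:// URL")
    base = base_url.rstrip("/")
    ET.register_namespace("", MD)
    # Assumption: entityID defaults to the base URL; it must match the IdP's record.
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id or base})
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"})
    ET.SubElement(sp, f"{{{MD}}}SingleLogoutService", {
        "Binding": BIND + "HTTP-Redirect", "Location": base + "/index_sso.php?sls"})
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = (
        "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified")
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": BIND + "HTTP-POST", "Location": base + "/index_sso.php?acs",
        "index": "0"})
    return ET.tostring(root, encoding="unicode")


def lint_sp_metadata(xml_text):
    """Return a list of problems in hand-written SP metadata (a local, trusted file)."""
    sp = ET.fromstring(xml_text).find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor element"]
    problems = []
    names = [child.tag.split("}")[-1] for child in sp]
    known = [n for n in names if n in ORDER]
    if known != sorted(known, key=ORDER.index):
        problems.append("SPSSODescriptor children are out of schema order")
    if "AssertionConsumerService" not in names:
        problems.append("no AssertionConsumerService")
    for child, name in zip(sp, names):
        loc = child.get("Location")
        if loc is not None and urlsplit(loc).scheme != "https":
            problems.append(f"{name} is not served over https: {loc}")
    return problems


if __name__ == "__main__":
    print(build_sp_metadata("https://monitor.example.edu"))
```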

Comment by Tom Van Looy [ 2020 Jul 02 ]

We are using this. Works great. Just wanted to let you know and say thanks!

Comment by Oleksii Zagorskyi [ 2021 Sep 24 ]

On this page:
https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-an-identity-provider/
are links to examples for different providers.
It might be useful as a reference for how to configure it in Zabbix.

For Azure AD once we needed to use

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

as a value for "Username attribute" field.
Yes, it's not a link, but a value for the field. Working example:
