[ZBXNEXT-4573] Single Sign-on using webserver Created: 2018 May 28  Updated: 2024 Apr 10  Resolved: 2018 Sep 29

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Frontend (F)
Affects Version/s: None
Fix Version/s: 4.0.0beta1, 4.0.0beta2, 4.0.0rc1, 4.0 (plan)

Type: Change Request Priority: Trivial
Reporter: Rostislav Palivoda Assignee: Gregory Chalenko
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: GIF File zabbixeption.gif    
Issue Links:
Causes
causes ZBX-18942 CControllerAuthenticationUpdate contr... Closed
causes ZBX-15353 API login asks for password with HTTP... Closed
causes ZBX-14863 Cannot save LDAP settings for anonymo... Closed
causes ZBX-15911 Login form provides "sign in as guest... Closed
Sub-task
depends on ZBXNEXT-407 Fallback login option for LDAP Open
depends on ZBXNEXT-3118 Allow to use complex "login" formats ... Open
depends on ZBX-14774 Page is recursively included into its... Open
depends on ZBX-14839 Open page with Admin user → get login... Closed
Team: Team D
Sprint: Sprint 35, Sprint 36, Sprint 37, Sprint 38, Sprint 39, Sprint 40, Sprint 41, Sprint 42, Sprint 43
Story Points: 8

 Description   

User stories

When Apache Auth directives are configured for all Zabbix frontend pages:

  • As a Zabbix user, after migration from Zabbix 3.X with HTTP enabled, I want it to still be impossible to log in using an Internal/LDAP password without signing in with Apache first.

When Apache Auth directives are configured only for the login_http.php page:

  • As a Zabbix user, I can log in with HTTP (using Kerberos or other types) or using Internal/LDAP passwords
  • As a Zabbix admin, I can choose whether to redirect unauthorized users to HTTP login or Zabbix login form

Acceptance

  1. If HTTP auth is enabled:
    1. Any Zabbix user, regardless of their user groups, can sign in with HTTP auth if their alias matches
    2. It must still be possible to sign in using the standard Zabbix login page with an Internal or LDAP password (if the web server is set up accordingly)
  2. HTTP auth and standard Zabbix login pages must have separate, directly accessible URLs.
    1. If HTTP auth is globally disabled, then the HTTP auth page must redirect to the Internal auth page
  3. It must be possible to remove the domain part of the username received from the web server, i.e. username@ADNAME becomes just username


 Comments   
Comment by Oleksii Zagorskyi [ 2018 May 28 ]

As for #3 - it's a duplicate of ZBXNEXT-3118

Comment by Alexander Vladishev [ 2018 Aug 28 ]

Available in 4.0.0beta1 r84166.

Comment by Gregory Chalenko [ 2018 Sep 10 ]

Available in 4.0.0beta2 r84680

Comment by Gregory Chalenko [ 2018 Sep 13 ]

Available in:

  • 4.0.0rc1 (r84841)

Comment by Martins Valkovskis [ 2018 Sep 26 ]

(39) [D] Updated documentation:

RESOLVED

gcalenko Looks good to me.

CLOSED

Comment by Gregory Chalenko [ 2018 Sep 26 ]

(41) [D] Moved public documentation from (40) sub issue, updated pages:

  • API user group object page.
  • API changes from 3.4 to 4.0 page.
  • API updated user.create properties on page.
  • Upgrade notes page.

RESOLVED

iivs I updated pages:

RESOLVED

gcalenko Thank you.

CLOSED

Generated at Fri Apr 26 11:45:39 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.