[ZBXNEXT-8760] JIT user provisioning improvement Created: 2023 Oct 16  Updated: 2025 Jan 06  Resolved: 2024 Jul 01

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: None
Affects Version/s: None
Fix Version/s: 7.0.0rc1, 7.0 (plan)

Type: Change Request Priority: Trivial
Reporter: Martins Orinskis Assignee: Gregory Chalenko
Resolution: Fixed Votes: 10
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File color-disabled-users.png     GIF File create-enabled-title.gif     PNG File email-issue.png     GIF File error-remove-mapping.gif     PNG File image-2024-03-27-11-58-28-161.png     GIF File mediatypemapping-edit.gif     PNG File provisioned-users-color2 (1).png     PNG File spec-screen-d-media.png     PNG File type-disabled-media.png     PNG File type-readonly.png     GIF File usergroup-removeuser.gif    
Issue Links:
depends on ZBXNEXT-8147 JIT User provisioning - Add possibili... Closed
depends on ZBXNEXT-8379 Allow auto provisioned users to chang... Closed
Epic Link: Zabbix 7.0
Team: Team C
Target end:
Sprint: Sprint 107 (Dec 2023), S2401, S24-W6/7, S24-W8/9, S24-W10/11, S24-W12/13, S24-W14/15, S24-W16/17, S24-W18/19, S24-W20/21
Story Points: 6

 Description   

Summary

Zabbix has a great capability to provide just-in-time user provisioning via LDAP and SAML. Unfortunately, there are a few pain points that limit Zabbix users:

  1. User media is limited to one provisioned value (e.g. one email address);
  2. No editing of provisioned user media attributes (e.g. working hours or severity), they are set enabled 24*7 for all severities;
  3. User has no possibility to add an alternative email/phone number that is not registered in the IdP (identity provider), like an additional support person's email or a private number for a specific occasion (which should not be added to the corporate IdP);
  4. No user media attribute updates with SCIM;
  5. Incorrect re-creation of Zabbix user profile when primary email/login name has changed in SAML IdP; 
  6. Current SAML implementation has limited functionality for IdPs that use complex response structures and various name ID formats.

All of the above pain points basically come from 2 deficiencies:

  1. There is no attribute indicator to specify source (manually entered, IdP provisioned) for user media;
  2. Zabbix SCIM/SAML request filter parser needs to be improved to gain better compatibility with 3rd party IdPs and be more flexible with data retrieval from these IdPs.

Use case

  1. As a user I want to:
    1. add additional media types (e.g. alternative email) besides provisioned ones;
    2. provision all my email addresses from IdP and keep first as an active primary one;
    3. set custom working hours, severity for user media, also with enabled identity provisioning;
    4. receive correct user attribute updates from SAML IdPs.


 Comments   
Comment by George Machitidze [ 2023 Nov 06 ]

Without this functionality SAML/SCIM integration is practically useless...

Comment by dimir [ 2023 Nov 17 ]

This is needed for fixing ZBXNEXT-8147.

Comment by Alexei Vladishev [ 2024 Feb 02 ]

This functionality is coming in Zabbix 7.0, stay tuned.

Comment by Jirka Kotlin [ 2024 Feb 02 ]

Great!

Comment by Gregory Chalenko [ 2024 Mar 05 ]

Implemented in feature/ZBXNEXT-8760-6.5.

Comment by Elina Pulke (Inactive) [ 2024 May 03 ]

Available in:

Comment by Martins Valkovskis [ 2024 May 13 ]

Updated documentation:

Generated at Thu Jun 19 08:41:04 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.