phpsingle-sign-onadfszabbix

Zabbix SAML Config using ActiveDirectory WIN 2016-ADFS


Am stuck with Zabbix SAML setting. There is no proper setting for ADFS in zabbix. As new to SSO, it's every difficult and understand SSO in ADFS. Does anyone properly configured Zabbix with ADFS ?

Zabbix SSO URL : https://xx.xxx.xx.xx/index_sso.php?acs (Same as given to ADFS Endpoint)

Here is my Zabbix Version which I tested

Zabbix Version : 5.45 Using appliance qcow2 (front end nginx)

Zabbix Version : 6.4X Latest stable version appliance qcwo2 (front end nginx)

Error : getting in User attribute not found both the versions. Give Attriubute NameID or Name ID same error getting on with option using Case-Sensitive Login in Zabbix Saml setting.

Nginx Logs:

FastCGI sent in stderr: "PHP message: PHP Warning: Undefined variable $user_attributes in /usr/share/zabbix/index_sso.php on line 194PHP message: PHP Fatal error: Uncaught TypeError: array_key_exists(): Argument #2 ($array) must be of type array, null given in /usr/share/zabbix/index_sso.php:194 Stack trace: #0 {main} thrown in /usr/share/zabbix/index_sso.php on line 194" while reading response header from upstream, client: xx.xxx.x.xx, server: , request: "POST /index_sso.php?acs HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/zabbix.sock:", host: "xx.xxx.xxx.xx", referrer: "https://stack.example.local/"

Below screenshot of Zabbix SAML setting enter image description here

ADFS setting screenshot as below

Relying party Identifiener https://xx.xx.xx.xx/ (which is given same as zabbix SP entity ID field ) enter image description here

ADFS Claim Rule

enter image description here


Solution

  • Finally, I made zabbix SAML integration with ADFS-Win-2016 Successfully.

    Here my workaround and configuration reference screenshot as below

    Zabbix SAML Configuration:

    enter image description here

    Create an AD user in Zabbix with fully qualified domain name login (Note: You can give any password while creation user in zabbix)

    Example : stack_user1@addomain.local (make sure User exits in Active directory server)

    Here my ADFS Relying party trust Properties for zabbix-AdFs

    enter image description here

    Claim For zabbix-AdFs

    enter image description here

    Now try to login Zabbix URL https://10.10.1.2 URL redirects to https://10.10.1.2/index_sso.php?acs

    or choose url from ADFS idps

    https://adz.addomain.local/adfs/ls/idpinitiatedsignon.aspx

    Choose zabbix-AdFs

    Login zabbix user as

    UserName : stack_user1@addomain.local

    Password : XXXXXXXXXXXXX (ActiveDirectory Password)

    Note If you logged in windows using domain account(addomain.local) then it doesn't ask password using idp url

    JIT (Just-In-Time) provisioning for automatic creation of Active Directory (AD) users and mapping of user groups and roles in Zabbix is still pending. Please keep everyone informed on this progress.

    If anyone is aware of how to enable SAML logging in zabbix.config.php, please share the steps to activate debug mode and specify where to find the log files.

    Thank You!