I am stuck with the Zabbix SAML settings. There is no proper setting for ADFS in Zabbix. As I am new to SSO, it's very difficult to understand SSO in ADFS. Has anyone properly configured Zabbix with ADFS?
Zabbix SSO URL : https://xx.xxx.xx.xx/index_sso.php?acs (Same as given to ADFS Endpoint)
Zabbix Version : 5.45 Using appliance qcow2 (front end nginx)
Zabbix Version : 6.4X Latest stable version appliance qcow2 (front end nginx)
Error : getting "User attribute not found" in both versions. Giving the attribute as NameID or Name ID gets the same error, also with the Case-Sensitive Login option in the Zabbix SAML settings.
Nginx Logs:
FastCGI sent in stderr: "PHP message: PHP Warning: Undefined variable $user_attributes in /usr/share/zabbix/index_sso.php on line 194PHP message: PHP Fatal error: Uncaught TypeError: array_key_exists(): Argument #2 ($array) must be of type array, null given in /usr/share/zabbix/index_sso.php:194 Stack trace: #0 {main} thrown in /usr/share/zabbix/index_sso.php on line 194" while reading response header from upstream, client: xx.xxx.x.xx, server: , request: "POST /index_sso.php?acs HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/zabbix.sock:", host: "xx.xxx.xxx.xx", referrer: "https://stack.example.local/"
Below screenshot of Zabbix SAML setting
ADFS setting screenshot as below
Relying party identifier https://xx.xx.xx.xx/ (which is given the same as the Zabbix SP entity ID field)
ADFS Claim Rule
Finally, I made the Zabbix SAML integration with ADFS-Win-2016 work successfully.
Here are my workaround and configuration reference screenshots:
Zabbix SAML Configuration:
Create an AD user in Zabbix with a fully qualified domain name login (Note: You can give any password while creating the user in Zabbix)
Example : stack_user1@addomain.local (make sure the user exists in the Active Directory server)
Here are my ADFS relying party trust properties for zabbix-AdFs
Claim For zabbix-AdFs
Now try to log in at the Zabbix URL https://10.10.1.2; the URL redirects to https://10.10.1.2/index_sso.php?acs
or choose the URL from the ADFS IdP
https://adz.addomain.local/adfs/ls/idpinitiatedsignon.aspx
Choose zabbix-AdFs
Log in as the Zabbix user
UserName : stack_user1@addomain.local
Password : XXXXXXXXXXXXX (ActiveDirectory Password)
Note: If you are logged in to Windows using a domain account (addomain.local), then it doesn't ask for a password when using the IdP URL
JIT (Just-In-Time) provisioning for automatic creation of Active Directory (AD) users and mapping of user groups and roles in Zabbix is still pending. Please keep everyone informed on this progress.
If anyone is aware of how to enable SAML logging in zabbix.config.php, please share the steps to activate debug mode and specify where to find the log files.
Thank You!
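Added example (not part of the original post and not Zabbix code): a Python diagnostic that decodes a base64 SAMLResponse, as POSTed to index_sso.php?acs, and reports whether the username attribute configured on the SP is actually among the attributes the IdP sent. It assumes the SP looks the configured name up among the assertion's Attribute elements, which the array_key_exists call in the log above suggests; the sample response and the UPN claim name used in it are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed sample response (not captured from a real ADFS server).
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>stack_user1@addomain.local</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{UPN}">
        <saml:AttributeValue>stack_user1@addomain.local</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def assertion_identity(saml_response_b64):
    """Return (NameID, {attribute name: [values]}). Diagnostic only: the
    signature is NOT verified, so never use this to authenticate anyone."""
    xml = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD found in SAML message; refusing to parse")
    root = ET.fromstring(xml)
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; attributes are not readable")
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attrs


def check_username_attribute(saml_response_b64, configured_attribute):
    """Compare the SP's configured username attribute with what the IdP sent."""
    _, attrs = assertion_identity(saml_response_b64)
    if configured_attribute in attrs:
        return "ok", attrs[configured_attribute]
    return "missing", sorted(attrs)  # attribute names the IdP did send


if __name__ == "__main__":
    for name in ("NameID", UPN):
        print(name, "->", check_username_attribute(SAMPLE_B64, name))
```

In the constructed sample the subject's NameID is present but is not an Attribute element, so a username attribute of "NameID" is reported as missing while the full claim name matches.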