3 Authentication

Overview

In Administration → Authentication the global user authentication method for Zabbix can be set. The available methods are internal, HTTP, LDAP and SAML authentication.

Note that the authentication method can be fine-tuned on the user group level.


By default, internal Zabbix authentication is used globally. To change:

  • to HTTP - navigate to the HTTP settings tab and enter authentication details;

  • to LDAP - select LDAP as Default authentication and enter authentication details in the LDAP settings tab;

  • to SAML - navigate to the SAML settings tab and enter authentication details.

When done, click on Update at the bottom of the form.

HTTP authentication

HTTP or web server-based authentication (for example: Basic Authentication, NTLM/Kerberos) can be used to check user names and passwords. Note that the user must exist in Zabbix as well; however, its Zabbix password will not be used.

Be careful! Make sure that web server authentication is configured and works properly before switching it on.


Configuration parameters:

Parameter: Description

Enable HTTP authentication: Mark the checkbox to enable HTTP authentication.
Default login form: Specify whether to direct non-authenticated users to:
  Zabbix login form - standard Zabbix login page.
  HTTP login form - HTTP login page.
  It is recommended to enable web-server based authentication for the index_http.php page only. If Default login form is set to ‘HTTP login page’, the user will be logged in automatically if the web server authentication module sets a valid user login in the $_SERVER variable.
  Supported $_SERVER keys are PHP_AUTH_USER, REMOTE_USER, AUTH_USER.
Remove domain name: A comma-delimited list of domain names that should be removed from the username.
  E.g. comp,any - if the username is ‘Admin@any’ or ‘comp\Admin’, the user will be logged in as ‘Admin’; if the username is ‘notacompany\Admin’, login will be denied.
Case sensitive login: Unmark the checkbox to disable case-sensitive login (enabled by default) for usernames.
  E.g. with case-sensitive login disabled you can log in as ‘ADMIN’ even if the Zabbix user is ‘Admin’.
  Note that with case-sensitive login disabled the login will be denied if multiple users with a similar alias (e.g. Admin, admin) exist in the Zabbix database.

In case of web server authentication all users (even with frontend access set to Internal) will be authenticated by the web server, not by Zabbix!

For internal users who are unable to log in using HTTP credentials (with HTTP login form set as default), which leads to a 401 error, you may want to add an ErrorDocument 401 /index.php?form=default line to the basic authentication directives; this redirects them to the regular Zabbix login form.
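The following is an added example, not Zabbix's own code: it models the documented handling of a login name that the web server places in $_SERVER (PHP_AUTH_USER, REMOTE_USER or AUTH_USER), the Remove domain name list and the Case sensitive login option. The user list and the login names are constructed, and exact, case-sensitive matching of the domain part is an assumption.

```php
<?php
// Added example (not Zabbix frontend code): models the documented login-name
// handling for HTTP authentication. Sample users and logins are constructed;
// case-sensitive matching of the domain part is an assumption.

// Return the login set by the web server, trying the supported $_SERVER keys.
function loginFromServer(array $server): ?string {
    foreach (['PHP_AUTH_USER', 'REMOTE_USER', 'AUTH_USER'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    return null;   // the web server authenticated nobody
}

// Strip a configured domain ("domain\user" or "user@domain"); a domain that is
// not in the list is rejected, as in the 'notacompany\Admin' example above.
function stripDomain(string $login, array $domains): ?string {
    if (($p = strpos($login, '\\')) !== false) {
        [$domain, $user] = [substr($login, 0, $p), substr($login, $p + 1)];
    } elseif (($p = strrpos($login, '@')) !== false) {
        [$user, $domain] = [substr($login, 0, $p), substr($login, $p + 1)];
    } else {
        return $login;   // no domain part, nothing to strip
    }
    return in_array($domain, $domains, true) ? $user : null;
}

// Map the login to a Zabbix user; with case-sensitive login disabled an
// ambiguous match (both Admin and admin exist) is denied.
function resolveUser(string $login, array $users, bool $caseSensitive): ?string {
    $matches = [];
    foreach ($users as $u) {
        if ($caseSensitive ? $u === $login : strcasecmp($u, $login) === 0) {
            $matches[] = $u;
        }
    }
    return count($matches) === 1 ? $matches[0] : null;
}

// Constructed sample values: Zabbix users and the Remove domain name list.
$users   = ['Admin', 'guest'];
$domains = ['comp', 'any'];
foreach (['comp\\Admin', 'Admin@any', 'notacompany\\Admin', 'ADMIN'] as $raw) {
    $login = loginFromServer(['REMOTE_USER' => $raw]) ?? '';   // constructed $_SERVER
    $user  = stripDomain($login, $domains);
    $user  = $user === null ? null : resolveUser($user, $users, false);
    printf("%-20s -> %s\n", $raw, $user ?? 'denied');
}
```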

LDAP authentication

External LDAP authentication can be used to check user names and passwords. Note that the user must exist in Zabbix as well; however, its Zabbix password will not be used.

Even when LDAP authentication is set globally, some user groups can still be authenticated by Zabbix. These groups must have frontend access set to Internal. Vice versa, if internal authentication is used globally, LDAP authentication details can be specified and used for specific user groups whose frontend access is set to LDAP.

Zabbix LDAP authentication works at least with Microsoft Active Directory and OpenLDAP.


Configuration parameters:

Parameter: Description

Enable LDAP authentication: Mark the checkbox to enable LDAP authentication.
LDAP host: Name of the LDAP server. For example: ldap://ldap.zabbix.com
  For a secure LDAP server use the ldaps protocol: ldaps://ldap.zabbix.com
  With OpenLDAP 2.x.x and later, a full LDAP URI of the form ldap://hostname:port or ldaps://hostname:port may be used.
Port: Port of the LDAP server. Default is 389.
  For a secure LDAP connection the port number is normally 636.
  Not used when using full LDAP URIs.
Base DN: Base path to search accounts:
  ou=Users,ou=system (for OpenLDAP),
  DC=company,DC=com (for Microsoft Active Directory)
Search attribute: LDAP account attribute used for search:
  uid (for OpenLDAP),
  sAMAccountName (for Microsoft Active Directory)
Bind DN: LDAP account for binding and searching over the LDAP server, examples:
  uid=ldap_search,ou=system (for OpenLDAP),
  CN=ldap_search,OU=user_group,DC=company,DC=com (for Microsoft Active Directory)
  Anonymous binding is also supported.
Case-sensitive login: Unmark the checkbox to disable case-sensitive login (enabled by default) for usernames.
  E.g. with case-sensitive login disabled you can log in as ‘ADMIN’ even if the Zabbix user is ‘Admin’.
  Note that with case-sensitive login disabled the login will be denied if multiple users with a similar alias (e.g. Admin, admin) exist in the Zabbix database.
Bind password: LDAP password of the account for binding and searching over the LDAP server.
Test authentication: Header of a section for testing.
Login: Name of a test user (the user currently logged in to the Zabbix frontend). This user name must exist in the LDAP server.
  Zabbix will not activate LDAP authentication if it is unable to authenticate the test user.
User password: LDAP password of the test user.

In case of trouble with certificates, to make a secure LDAP connection (ldaps) work you may need to add a TLS_REQCERT allow line to the /etc/openldap/ldap.conf configuration file. Note that this setting accepts a missing or invalid server certificate and therefore weakens the security of the connection to the LDAP catalog.

It is recommended to create a separate LDAP account (Bind DN) with minimal privileges in the LDAP directory to perform binding and searching over the LDAP server, instead of using real user accounts (the ones used for logging in to the Zabbix frontend).
Such an approach provides more security and does not require changing the Bind password when a user changes their own password in the LDAP server.
In the table above this is the ldap_search account.
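As an added example, not part of Zabbix, the script below performs the same three steps Zabbix's Test authentication section relies on (bind with the search account, find the test user by the search attribute, bind as that user) from the frontend host before LDAP authentication is switched on, while demanding a valid server certificate instead of TLS_REQCERT allow. Host, DNs and user names are placeholders; passwords are read from the environment.

```php
<?php
// Added example (not Zabbix code): pre-flight check of the LDAP settings from
// the table above. Placeholder values; passwords come from the environment so
// they do not end up in shell history.
$host     = 'ldaps://ldap.example.com';        // LDAP host (full LDAP URI)
$baseDn   = 'ou=Users,ou=system';              // Base DN
$attr     = 'uid';                             // Search attribute
$bindDn   = 'uid=ldap_search,ou=system';       // Bind DN ('' for anonymous binding)
$bindPw   = getenv('LDAP_BIND_PW') ?: '';      // Bind password
$testUser = 'Admin';                           // Login of the test user
$testPw   = getenv('LDAP_TEST_PW') ?: '';      // User password

function checkLdapLogin(string $host, string $baseDn, string $attr,
                        string $bindDn, string $bindPw, string $user, string $pw): string
{
    // Never pass an empty user password to ldap_bind(): many servers treat it
    // as an anonymous bind, so the check (and a login) would succeed for nothing.
    if ($pw === '') {
        return 'refusing to test with an empty user password';
    }
    $ds = ldap_connect($host);
    if ($ds === false) {
        return 'malformed LDAP URI';
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Demand a valid server certificate rather than relying on TLS_REQCERT allow.
    ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    // 1. Bind with the least-privilege search account (anonymous if Bind DN is empty).
    $bound = $bindDn === '' ? @ldap_bind($ds) : @ldap_bind($ds, $bindDn, $bindPw);
    if (!$bound) {
        return 'search bind failed: ' . ldap_error($ds);
    }
    // 2. Find the test user; escape the login so it cannot alter the filter.
    $filter  = sprintf('(%s=%s)', $attr, ldap_escape($user, '', LDAP_ESCAPE_FILTER));
    $res     = @ldap_search($ds, $baseDn, $filter, ['dn']);
    $entries = $res ? ldap_get_entries($ds, $res) : ['count' => 0];
    if ($entries['count'] !== 1) {
        return 'expected exactly one entry for ' . $user . ', found ' . $entries['count'];
    }
    // 3. Bind as the user that was found, with the supplied password.
    $userDn = $entries[0]['dn'];
    if (!@ldap_bind($ds, $userDn, $pw)) {
        return 'user bind failed: ' . ldap_error($ds);
    }
    return 'ok: ' . $userDn;
}

echo checkLdapLogin($host, $baseDn, $attr, $bindDn, $bindPw, $testUser, $testPw), PHP_EOL;
```

If this prints a certificate error, fix the CA chain on the frontend host rather than relaxing TLS_REQCERT.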

SAML authentication

SAML 2.0 authentication can be used to sign in to Zabbix. Note that a user must exist in Zabbix, however, its Zabbix password will not be used. If authentication is successful, then Zabbix will match a local username (alias) with the username attribute returned by SAML.

If SAML authentication is enabled, users will be able to choose between logging in locally or via SAML Single Sign-On.

Setting up the identity provider

In order to work with Zabbix, a SAML identity provider (onelogin.com, auth0.com, okta.com, etc.) needs to be configured in the following way:

  • Assertion Consumer URL should be set to <path_to_zabbix_ui>/index_sso.php?acs

  • Single Logout URL should be set to <path_to_zabbix_ui>/index_sso.php?sls

<path_to_zabbix_ui> examples: https://example.com/zabbix/ui, http://another.example.com/zabbix, http://<any_public_ip_address>/zabbix

Setting up Zabbix

It is required to install php-openssl if you want to use SAML authentication in the frontend.

To use SAML authentication Zabbix should be configured in the following way:

1. The private key and certificate should be stored in the ui/conf/certs/ directory, unless custom paths are provided in zabbix.conf.php.

By default, Zabbix will look in the following locations:

  • ui/conf/certs/sp.key - SP private key file

  • ui/conf/certs/sp.crt - SP cert file

  • ui/conf/certs/idp.crt - IDP cert file

2. All of the most important settings can be configured in the Zabbix frontend. However, it is possible to specify additional settings in the configuration file.


Configuration parameters, available in the Zabbix frontend:

Parameter: Description

Enable SAML authentication: Mark the checkbox to enable SAML authentication.
IDP entity ID: The unique identifier of the SAML identity provider.
SSO service URL: The URL users will be redirected to when logging in.
SLO service URL: The URL users will be redirected to when logging out. If left empty, the SLO service will not be used.
Username attribute: SAML attribute to be used as a username when logging into Zabbix. The list of supported values is determined by the identity provider.
  Examples:
    uid
    userprincipalname
    samaccountname
    username
    userusername
    urn:oid:0.9.2342.19200300.100.1.1
    urn:oid:1.3.6.1.4.1.5923.1.1.1.13
    urn:oid:0.9.2342.19200300.100.1.44
SP entity ID: The unique identifier of the SAML service provider.
SP name ID format: Defines which name identifier format should be used.
  Examples:
    urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
    urn:oasis:names:tc:SAML:2.0:nameid-format:entity
Sign: Mark the checkboxes to select the entities for which a SAML signature should be enabled:
    Messages
    Assertions
    AuthN requests
    Logout requests
    Logout responses
Encrypt: Mark the checkboxes to select the entities for which SAML encryption should be enabled:
    Assertions
    Name ID
Case-sensitive login: Mark the checkbox to enable case-sensitive login (disabled by default) for usernames.
  E.g. with case-sensitive login disabled you can log in as ‘ADMIN’ even if the Zabbix user is ‘Admin’.
  Note that with case-sensitive login disabled the login will be denied if multiple users with a similar alias (e.g. Admin, admin) exist in the Zabbix database.

Advanced settings

Additional SAML parameters can be configured in the Zabbix frontend configuration file (zabbix.conf.php):

  • $SSO['SP_KEY'] = '<path to the SP private key file>';

  • $SSO['SP_CERT'] = '<path to the SP cert file>';

  • $SSO['IDP_CERT'] = '<path to the IDP cert file>';

  • $SSO['SETTINGS']

Zabbix uses OneLogin's SAML PHP Toolkit library (version 3.4.1). The structure of the $SSO['SETTINGS'] section should be similar to the structure used by the library. For the description of configuration options, see the official library documentation.

Only the following options can be set as part of $SSO['SETTINGS']:

  • strict

  • compress

  • contactPerson

  • organization

  • sp (only options specified in this list)

    • attributeConsumingService

    • x509certNew

  • idp (only options specified in this list)

    • singleLogoutService (only one option)

      • responseUrl

    • certFingerprint

    • certFingerprintAlgorithm

    • x509certMulti

  • security (only options specified in this list)

    • signMetadata

    • wantNameId

    • requestedAuthnContext

    • requestedAuthnContextComparison

    • wantXMLValidation

    • relaxDestinationValidation

    • destinationStrictlyMatches

    • rejectUnsolicitedResponsesWithInResponseTo

    • signatureAlgorithm

    • digestAlgorithm

    • lowercaseUrlencoding

All other options will be taken from the database and cannot be overridden. The debug option will be ignored.

Configuration example:

    $SSO['SETTINGS'] = [
        'security' => [
            'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384',
            'digestAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#sha384',
            // ...
        ],
        // ...
    ];
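As an added example (not from the Zabbix documentation or the toolkit's own files), the zabbix.conf.php fragment below uses only options from the allowed list above and sets the security options explicitly, so that relaxed toolkit defaults (php-saml 3.x signs and digests with SHA-1 unless told otherwise) do not apply. Certificate paths are placeholders.

```php
<?php
// Added example: a zabbix.conf.php fragment with explicit SAML security
// settings. Only options from the allowed list are used; paths are placeholders.
$SSO['SP_KEY']   = '/etc/zabbix/saml/sp.key';    // placeholder path
$SSO['SP_CERT']  = '/etc/zabbix/saml/sp.crt';    // placeholder path
$SSO['IDP_CERT'] = '/etc/zabbix/saml/idp.crt';   // placeholder path

$SSO['SETTINGS'] = [
    // Reject messages that are not signed/encrypted when they are expected to be,
    // and messages that do not strictly follow the SAML standard.
    'strict' => true,
    'security' => [
        // Validate response XML against the SAML schemas.
        'wantXMLValidation' => true,
        // Require a NameID in the assertion (it becomes the Zabbix login).
        'wantNameId' => true,
        // Reject responses that carry an InResponseTo this SP never issued.
        'rejectUnsolicitedResponsesWithInResponseTo' => true,
        // Keep Destination checking strict rather than relaxed.
        'relaxDestinationValidation' => false,
        'destinationStrictlyMatches' => true,
        // Sign and digest with SHA-256 instead of the SHA-1 toolkit defaults.
        'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
        'digestAlgorithm'    => 'http://www.w3.org/2001/04/xmlenc#sha256',
    ],
];
```

The Sign and Encrypt checkboxes in the frontend still decide which entities are signed or encrypted; the fragment only governs how strictly responses are validated and which algorithms are used.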