Overview:
This documentation shows How-To setup Zitadel and Zabbix for JIT (Just in Time). This is a basic demonstration of settings that are needed. More settings could be configured for a Production environment.
Prerequisite:
- Latest Version of Zabbix Server with HTTPS
- Zitadel-2.42.11 Self-Hosting with HTTPS
- Ubuntu 22.0.4
- Nginx Proxy
Log into Zitadel instance.
Navigate to Organization ---> Projects.
Click "Create New Project" and set the project name, Click continue.
Under Application click "New".
There are two naming procedures.
-
Name the Application
-
Choose the SAML Application then name it (zabbix). Click continue.
Click the Application called Zabbix.
Open a text file and place the following in it, The following steps are using a place holder called https://zabbix.domain.com. The example below replace it by a FQDN or IP Address of the Zabbix-server.
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
validUntil="2023-10-26T03:08:08Z"
cacheDuration="PT604800S"
entityID="https://zabbix.domain.com/">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://zabbix.domain.com/index.php" />
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://zabbix.domain.com/index_sso.php?acs" index="1" />
</md:SPSSODescriptor>
</md:EntityDescriptor>
Save the file as xml.
Now upload XML file into Zitadel.
Click save.
Under the Zabbix Application, click the tic box called "Assert Roles on Authentication" and "Check for Project on Authentication".
The SAML Metadata is located within the issuer domain. This would give us $CUSTOM-DOMAIN/saml/v2/metadata.
Example:
https://zitadel.com/saml/v2/metadata.
Copy the certificate from the /saml/v2/metadata/. In this example I used the third one from the top. This will be used for Zabbix idp.crt file.
Once the certificate is copied from Zitadel, then place it in a file called idp.crt in zabbix-server directory /etc/zabbix/web/.
Example:
vi /etc/zabbix/web/idp.crt
Ensure the following configuration is in idp.crt file.
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-------
Once completed save the file and exit.
vi /etc/zabbix/web/zabbix.conf.php
I used certificates created from Lets encrypt (In my testing phase) for Zabbix php file. Bottom of the file, uncomment the last 4 lines and add the full path to all three certificates.
All three certificates can be in the directory /etc/zabbix/web/. Any directory would work, so long as the full path is configured and Zabbix has access to the certificates.
Configuration completed as shown below.
// Used for SAML authentication.
// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set
extra settings.
$SSO['SP_KEY'] = '/etc/zabbix/web/fullchain.key';
$SSO['SP_CERT'] = '/etc/zabbix/web/privkey.crt';
$SSO['IDP_CERT'] = '/etc/zabbix/web/idp.crt';
$SSO['SETTINGS'] = [];
Edit the following file. This will prevent zabbix removing ACS endpoint during the session.
vi /usr/share/zabbix/vendor/onelogin/php-saml/src/Saml2/Utils.php
Change the following line from this…
private static $_proxyVars = false;
To this…
private static $_proxyVars = true;
Save and exit file. At this point restart Zabbix service.
systemctl restart zabbix-server
Login Zabbix Web UI and navigate to Users --> Authentication.
The Authentication section, disable "Deprovisioned users group".
Click the "SAML settings" tab,then enable following tic boxes.
Enable SAML authentication
Enable JIT provisioning
Configure the following settings section.
IdP entity ID: https://zitadel.domain.com/saml/v2/metadata
SSO service URL: https://zitadel.domain.com/saml/v2/SSO
SLO service URL: https://zitadel.domain.com/saml/v2/SLO
Username attribute: UserName
SP name ID format: urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified
Click the tic box "Configure JIT provisioning".
Edit these settings as shown.
Group name attribute: zabbix
User name attribute: userName
User last name attribute: lastName
Ensure the tic box is enabled for SCIM provisioning.
In this section we are matching Group name attribute && SAML group pattern with Zitadel users metadata.
Group name attribute is called zabbix. Under Zitadel users metadata this is called key
The SAML group patterns called admin (full access) and reader ( guest group & roles). Under Zitadel users metadata this is called Value.
Login to Zitadel and add users to the Project under AUTHORIZATIONS section.
Configure metadata for each user/s. Click on the user that has AUTHORIZATIONS for that project. On the left pane you should see Metadata section. This should match the configures in Goup mappings.
Example:
Click Save.
Createa a Zitadel action to send the user metadata with the SAML responce. Under the Action tab, navigate to the Script section and click the button called "New" and apply this JavaScript. Copy and Paste.
/**
* Add an custom attribute(s) to the SAMLResponse by pulling the value from
* metadata added to the user config.
*
* Flow: Complement SAMLResponse, Triggers: Pre SAMLResponse creation
*
* @param ctx
* @param api
*/
function setCustomAttribute(ctx, api) {
const user = ctx.v1.getUser()
let metadata = ctx.v1.user.getMetadata()
if (metadata === undefined || metadata.count == 0) {
return
}
metadata.metadata.forEach(md => {
api.v1.attributes.setCustomAttribute(md.key,'', md.value);
})
}
Click Save.
Now create a Flow, this is below the Script section. The drop down, choose Complement SAMLResponse then click Add trigger button.
Choose Trigger Type Pre SAMLResponse creation
Action, choose the script name created setCustomAttribute
Click save.
Example:
You should see the link to SSO.
