Setting Up SSO for Zabbix using Azure AD SAML Authentication

SSO with Azure AD SAML Authentication

Zabbix is a powerful open-source monitoring solution that can monitor various services, servers, and network devices. In this blog, I will show how I set up Zabbix to allow SAML authentication with JIT user provisioning.

SAML Authentication w/JIT

Components

Zabbix Server: The core monitoring system where authentication and user provisioning occur. The server must support SAML-based authentication and JIT provisioning, which involves configuring it to accept SAML assertions from Azure AD, mapping those attributes to Zabbix users, and automatically creating or updating user accounts as needed.

Domain: A registered domain (e.g., example.com) is required to host the Zabbix server and to configure relevant DNS records. The domain ensures proper routing, secure certificates (for HTTPS), and consistent user identity references during SAML exchanges between Azure AD and Zabbix.

Azure AD Account: Your Azure Active Directory instance acts as the Identity Provider (IdP). It stores user identities, groups, and roles, and handles authentication. Configuring an application in Azure AD allows it to issue SAML assertions to Zabbix, containing user details and group memberships for JIT provisioning.

User Groups in Zabbix: Once Azure AD provides user information via SAML, Zabbix can assign users to predefined user groups. User groups help organize users based on their roles or responsibilities, making it easier to apply permissions and manage access collectively. During provisioning, users may be auto-assigned to groups based on attributes or mapping rules defined in the SAML configuration.

User Roles in Zabbix: User roles define a set of permissions and access levels within Zabbix. When a user is provisioned via SAML/JIT, they can be assigned a role (directly or indirectly through group membership). Roles determine what dashboards, hosts, or configuration options a user can see or modify, ensuring appropriate access control based on their job function.

‣ Prerequisites

• Zabbix Server

• Azure AD Account

• Domain

‣ My Setup

HYPERVISOR Proxmox
  • Dell PowerEdge R720
  • Intel Xeon E5-2680 v2 @ 2.80GHz
  • 256GB RAM
  • 7TB Storage
VIRTUAL MACHINES Ubuntu 22.04
  • 4 Cores
  • 8GB RAM
  • 80GB Storage
SERVERS IP Addresses
  • Zabbix-HA1 : 10.33.99.101
  • Zabbix-HA2 : 10.33.99.102
  • Zabbix-DB1 : 10.33.99.103
  • Virtual IP : 10.33.99.105

‣ User Management

• USER GROUP •

I need a default user group that users will be placed in upon their initial login.

To create a group I went to Users > User groups.

I then made a group called Networking, which will have access to all network devices.

  • Group name : I named it ‘Networking’.
  • Users : I don’t have users so I left it blank.
  • Enabled : Made sure to enable the group.

Then I went to the ‘Template permissions’ tab and clicked Select.

Here I chose ‘Template/Network devices’.

I then set Permissions to Read-write, and clicked ‘Add’.

• USER ROLE •

I then needed to create a default role that will be given to users on their first sign-in.

I went to Users > User roles.

I made the following permission changes.

  • Name : User+, they will have a bit more access than a regular user.
  • User type – Admin, otherwise it won’t let me make certain changes.
  • Data collection – I deselected everything except Maintenance.

Then I scrolled down to ‘Access to actions’ and deselected “Manage scheduled reports” and “Manage SLA”.

When they log in, they will only see “Maintenance” under Data Collection.

‣ Azure AD

Note

If you’re following along, you’ll need a working domain for the following section. I have a tutorial on how to set one up using Cloudflare, pfSense and HAProxy in the prerequisites section.

• Security Group •

I only wanted people assigned to a certain security group to have access to Zabbix.

First, I logged in to the Entra Identity portal and went to Groups > All groups.

I then clicked on New Group.

  • Group type – Security
  • Group name – Zabbix, so that it’s easily identifiable.
  • Membership type – Assigned
  • Members – I then assigned some users to the group.

• Application •

I now needed to create the application and link it to my Zabbix domain.

On the left-side menu I went to Applications > Enterprise applications.

I clicked on ‘Create your own application’, and selected ‘Integrate any other application you don’t find in the gallery’.

Then I went to ‘Users and groups’ and added the Zabbix group I created earlier.

Next, I went to ‘Single sign-on’.

I selected SAML as the sign-on method.

I filled out the Basic SAML Configuration.

  • Identifier – https://<domain>/zabbix/sp
  • Reply URL – https://<domain>/index_sso.php?acs

I then created the following Attributes & Claims, which are the attributes the Zabbix SAML settings reference later on.

  • user.givenname – used as the username attribute.
  • user.surname – used as the user last name attribute.
  • user.groups – the group claim, used as the group name attribute for JIT group mapping.

Note

To create a claim, you don’t have to look up the attributes. You can select one from the “Source attribute” drop-down menu; the names are self-explanatory.

The SAML Certificates section will be automatically populated. I just downloaded the certificate (Base64) so that I can paste its contents into a new file on the Ubuntu server.

• Zabbix Server •

I then created the new file within my Zabbix servers (if you’re using high availability you’ll need to create the cert on all servers, but not the database server), and pasted the contents of the certificate file.

    nano /usr/share/zabbix/conf/certs/idp.cert

Note

To copy and paste the certificate:

I first opened the cert with Notepad.

Highlighted everything.

Then within Mobaxterm you can right-click to paste.

Then I changed the cert’s permissions.

    sudo chmod 644 /usr/share/zabbix/conf/certs/idp.cert

I then edited the zabbix.conf.php file.

    sudo nano /usr/share/zabbix/conf/zabbix.conf.php

I added the following 2 lines at the bottom of the file.

    $SSO['IDP_CERT']                = 'conf/certs/idp.cert';
    $SSO['SETTINGS']                = ['strict' => false, 'baseurl' => "https://<domain>/", 'user_proxy_headers' => true];

  • 'conf/certs/idp.cert' – This string specifies the path to the IdP’s certificate, relative to the frontend directory. The certificate is essential for validating the signatures on the SAML assertions the IdP sends during the SSO process; without it, Zabbix cannot tell a genuine Azure AD assertion from a forged one.
  • 'strict' => false – In the php-saml library behind the Zabbix frontend, strict mode rejects SAML messages that are expected to be signed but aren’t, and validates fields such as Destination and Conditions. Leaving it false is convenient while troubleshooting the first login, but the hardened value is true once the flow works.
  • 'baseurl' => "https://<domain>/" – The public URL of the frontend. Because nginx listens on plain HTTP behind the proxy, Zabbix needs this to build the HTTPS URLs it puts in SAML requests.
  • 'user_proxy_headers' => true – This setting allows the application to trust proxy headers, such as X-Forwarded-For and X-Forwarded-Proto, which are used to determine the client’s original IP address and scheme when the application is behind a proxy. This matters in deployments like this one, where HAProxy terminates TLS and forwards traffic to the frontend; only enable it when every path to the frontend goes through a proxy you control, since the headers are client-supplied otherwise.

Next I edited the zabbix.conf file.

    sudo nano /etc/nginx/conf.d/zabbix.conf

I changed the port to listen on 80, and I added the domain name.

    server {
        listen          80;
        server_name     10.33.99.30 <domain>;
        # ... rest of the server block unchanged

Then reloaded nginx.

    sudo systemctl reload nginx

• Zabbix Frontend •

Now to set up the frontend so users can log in with SSO.

First, I went to Users > Authentication.

On the Authentication tab I have to select a deprovisioned users group or else it won’t let me set up SAML.

The only option is ‘Disabled’.

For the next part I needed the URLs provided in the ‘Set up Zabbix’ section of the Azure AD application.

Onto the SAML settings tab.

  • I enabled SAML authentication.
  • I enabled JIT provisioning
  • IdP entity ID – This is the ‘Microsoft Entra Identifier’.
  • SSO service URL – This is the ‘Login URL’.
  • SLO service URL – This is the ‘Logout URL’.
  • Username attribute – This is the ‘Attributes & Claims’ I setup earlier, which is for user.givenname.
  • SP name ID format – This is the ‘Identifier (Entity ID)’.
  • I enabled ‘Configure JIT provisioning’.
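
The certificate I downloaded earlier and the three values above (Entra Identifier, Login URL, Logout URL) are all published in the application’s federation metadata XML as well. The script below is an added example, not code from the original post or from Zabbix: it parses a constructed sample of that metadata (tenant id and certificate bytes are placeholders) and emits the IdP entity ID, the SSO and SLO service URLs, and the signing certificate as PEM text ready to drop into idp.cert.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like the federation metadata Azure AD publishes for an
# enterprise application; the tenant id is a placeholder and the certificate is dummy bytes.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{FAKE_CERT}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return the IdP entity ID, SSO/SLO URLs and the signing cert as PEM text for idp.cert."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")

    def redirect_location(service: str) -> str:
        # Zabbix's SSO/SLO service URL fields take the HTTP-Redirect endpoints.
        for svc in idp.findall(f"md:{service}", NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        raise ValueError(f"{service} has no HTTP-Redirect binding")

    # Only the signing key belongs in idp.cert: it is what validates assertion signatures.
    cert_b64 = idp.findtext("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/"
                            "ds:X509Certificate", namespaces=NS)
    if not cert_b64:
        raise ValueError("metadata carries no signing certificate")
    der = base64.b64decode("".join(cert_b64.split()), validate=True)  # reject garbage early
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return {
        "idp_entity_id": root.get("entityID"),
        "sso_service_url": redirect_location("SingleSignOnService"),
        "slo_service_url": redirect_location("SingleLogoutService"),
        "idp_cert_pem": f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n",
    }
```

Against real metadata, fetch the XML over HTTPS from the ‘App Federation Metadata Url’ shown in the SAML Certificates section and write the idp_cert_pem value to /usr/share/zabbix/conf/certs/idp.cert.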

Then I scrolled down and configured the attributes.

  • Group name attribute – The name has to match the user.groups attribute name.
  • User name attribute – The name has to match the user.givenname attribute name.
  • User last name attribute – The name has to match the user.surname attribute name.
  • User group mapping
    • SAML group pattern – The name has to match the security group name setup in Entra Identity.
    • User groups – The group you want to assign them once they log into Zabbix.
    • User role – The role they will be assigned when they log into Zabbix.
  • I enabled SCIM provisioning.

Now if you go back to the login screen there will be a link for ‘Sign in with Single Sign-On (SAML)’.

Finally, users can sign in using their Microsoft credentials. If you have 2FA setup, it’ll prompt them for their 2FA code as well.
