Zabbix SAML Integration

This document explains how to implement Monosign with Zabbix. It covers Single Sign-On. Before you continue, it is better to start with Zabbix’s Single Sign-On implementation page.

Monofor has no responsibility to do Zabbix configurations. If you need support please contact Zabbix Support Services.

📑 Instructions

This documentation contains 4 main steps for integration.

1. Creating an Application on Monosign

2. Configuration Single Sign-On for Zabbix

3. Assign a user to the Zabbix application

4. Sign In Test

1- Creating an Application on Monosign

Create application on Monosign and configure your access policy. Once you create, click “Keys” and add a new Access Key for SAML Key for access.

This information will be necessary during the configuration of the application.

Configuration details for the Zabbix application are provided as follows:

Change Assertion Consumer URL, Audience, Entity Id, Name Id, Logout Url, Attribute Mapping and Group Mapping.

To ensure that the application has access to user groups, follow these steps:

1. If the application hasn't been configured yet, click the “Edit” option for the application.

2. In the application settings, navigate to the “Source, Provider, and Profile” tab.

3. Configure the “User Access Type“ and “User Group Access Type” as “Only Assigned Users.”

Configuring this setting will allow the application to access by user groups when users sign in.

2- Configuration Single Sign-On for Zabbix

As it highlighted at the beginning of document, please check out the Zabbix’s SSO configuration page first.

Please add your Zabbix settings to the application. The following information is needed for your configuration.

Below information needed before configure the Zabbix.

Property	Value
Enable SAML authentication	Enable
Enable JIT provisioning	Enable
IdP entity ID	https://account.monofor.com/saml/468dcbfb-f55c-4235-a8d8-1d362b98865c
SSO service URL	https://account.monofor.com/saml/468dcbfb-f55c-4235-a8d8-1d362b98865c/login
SLO service URL	https://account.monofor.com/saml/468dcbfb-f55c-4235-a8d8-1d362b98865c/logout
Username attribute	UserName
SP entity ID	zabbix
Configure JIT provisioning	Enable
Group name attribute	Groups
User name attribute	FirstName
User last name attribute	LastName
User group mapping
Media type mapping

Open Zabbix Users → Authentication → Authentication

If JIT provisioning is enabled, a user group for deprovisioned users must be specified in the Authentication tab.

Open Zabbix Users → Authentication → SAML settings

Setup Zabbix server to trust Monosign IdP certificate

Download Monosign IdP certificate.

Rename this certificate as monosign.crt and put under /usr/share/zabbix/ui/conf/certs on the Zabbix Server.

Change Zabbix configuration to trust this certificate.

Open this file /etc/zabbix/web/zabbix.conf.php

// Used for SAML authentication.
// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
//$SSO['SP_KEY']                        = 'conf/certs/sp.key';
//$SSO['SP_CERT']                       = 'conf/certs/sp.crt';
$SSO['IDP_CERT']                = 'conf/certs/monosign.crt';
//$SSO['SETTINGS']              = [];

Now, go back to Monosign and give access to your users and try login.

3- Assign a user to the Zabbix application

Please follow below instructions on how to assign a user to the Zabbix application. In this example john.smith will assign to the application access.

4- Sign In Test

Now try login. Navigate to the Zabbix application login page. Click Log in with Monosign.

If everything is well configured, the page will be redirected to Monosign’s login page. It can be log in passwordless with QR code or type username and password.

When the user logged in, the page will be redirected to the Zabbix page.