How to integrate Keycloak with Zabbix for SSO (SAML)

Prabhin Prabharkaran Administrator
DevOps Engineer


Hi all, this document shows you how to integrate Keycloak with Zabbix for SSO.
Zabbix is an open-source monitoring tool for diverse IT components, including networks, servers, virtual machines, and cloud services. Zabbix provides monitoring metrics such as network utilization, CPU load, and disk space consumption.

Keycloak is an open-source software product that provides single sign-on with identity management and access management, aimed at modern applications and services. As of March 2018, this JBoss community project is under the stewardship of Red Hat, which uses it as the upstream project for its RH-SSO product.

As of release 5.0, Zabbix supports SSO integration with the most common authorities such as Microsoft ADFS, Okta, OpenAM, etc.
In my case, I use Keycloak for the SSO integration of all my applications, so I Googled how to enable SSO for Zabbix with it. What should I say, no luck! I didn't find any proper documents describing the exact steps. I have seen some documents showing integration of Keycloak and Zabbix using Keycloak proxy or Gatekeeper. As Zabbix comes with a built-in feature, I don't want to use any other application to make this happen.

After analyzing the integration with other entities such as Okta and Azure AD, I got it working with Keycloak. So I thought it would be a help for others who prefer the Zabbix SSO integration with Keycloak.

The current release of Zabbix supports SAML as the authentication protocol. Let's hope Zabbix also comes with OAuth integration in upcoming releases.
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. SAML is an XML-based markup language for security assertions.

So let's move to the integration part.
Step 1: Generate the certificate for Zabbix. Navigate to /usr/share/zabbix/conf/certs

cd /usr/share/zabbix/conf/certs

openssl req -x509 -sha256 -newkey rsa:2048 -keyout sp.key -out sp.crt -days 3650 -nodes -subj '/CN=my common name'

The above command generates a certificate and private key for the SAML key exchange. You can change the CN in the above command to your desired name.

Step 2: Log in to Keycloak, open the IdP metadata descriptor, and copy the X.509-formatted certificate. Below is the sample URL for my environment; change the realm name to yours.

https://sso.techrunnr.com/auth/realms/<realmname>/protocol/saml/descriptor

Again navigate to /usr/share/zabbix/conf/certs

cd /usr/share/zabbix/conf/certs

Create a file called idp.crt and paste the X.509 certificate content into it.

Make sure that your certificate is copied between the two lines BEGIN and END:

-----BEGIN CERTIFICATE-----

certificate-content


-----END CERTIFICATE-----

the final certificate looks like this.


Change the permissions of the file.

chmod 644 idp.crt
chmod +x idp.crt
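
Step 2 done from the command line instead of by copy and paste, as an added example that is not part of the original post. It assumes the descriptor from the URL above was saved to a file (descriptor.xml here); the function names descriptor_to_pem and write_idp_cert are made up for this example.

```shell
#!/bin/sh
# Added example: build idp.crt from a saved Keycloak SAML descriptor.
# Assumption: the descriptor holds the realm signing certificate in an
# <X509Certificate> element (any namespace prefix); the last one is used.

# Print the certificate found in descriptor file $1 as PEM on stdout.
descriptor_to_pem() {
    # Join all lines, then cut out the text between the certificate tags.
    body=$(tr -d '\r\n' < "$1" |
        sed -n 's/.*<[A-Za-z0-9]*:\{0,1\}X509Certificate>\([^<]*\)<.*/\1/p' |
        tr -d ' \t')
    [ -n "$body" ] || { echo "no X509Certificate in $1" >&2; return 1; }
    # Anything outside the base64 alphabet points to a bad copy.
    case $body in
        *[!A-Za-z0-9+/=]*) echo "non-base64 data in $1" >&2; return 1 ;;
    esac
    echo "-----BEGIN CERTIFICATE-----"
    printf '%s\n' "$body" | fold -w 64
    echo "-----END CERTIFICATE-----"
}

# Write the PEM to $2 only if openssl parses it and it has not expired.
write_idp_cert() {
    tmp=$(mktemp) || return 1
    if descriptor_to_pem "$1" > "$tmp" &&
       openssl x509 -in "$tmp" -noout -checkend 0 >/dev/null 2>&1; then
        # Show what is about to be trusted as the IdP signing certificate.
        openssl x509 -in "$tmp" -noout -subject -enddate -fingerprint -sha256
        cp "$tmp" "$2" && chmod 644 "$2"
        rc=$?
    else
        echo "certificate missing, unparsable or expired; $2 not written" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: write_idp_cert descriptor.xml /usr/share/zabbix/conf/certs/idp.crt
```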

Step 3: Now go to Keycloak and create a client with Zabbix as the client ID, and choose SAML as the client protocol.

Step 4: Once the client is created, make the following changes to its configuration.

Name ID format: email

Master SAML Processing URL: https://zabbix.techrunnr.com/zabbix/index_sso.php?acs

Configure the Valid Redirect URL with your Zabbix URL.

The above URL is the SSO URL of the Zabbix application, which validates the username, password, and other attributes from the IdP (Identity Provider).

Replace the URL with your Zabbix URL.

Open the Fine Grain SAML Endpoint Configuration

Logout Service Redirect Binding URL: https://zabbix.techrunnr.com/zabbix/index_sso.php?sls

The above URL is the single logout URL, which is called when the user logs out from the IdP via the Zabbix application.

Make sure you have enabled all the settings as in the screenshot below.

Step 5: Create the user mapper.
Click on the Mappers tab of the Zabbix client and select Create.

Enter the Name as zabbixuser
Mapper Type: User attribute
User attribute: zabbixuser
Friendly Name: zabbixuser
SAML Attribute Name: zabbixuser

and save.

Step 6: Now create a user and go to the Attributes tab of the newly created user.

Add an attribute called zabbixuser with the username as its value; in my case it is prabhin.mp@techrunnr.com

Step 7: Go to Client Scopes and select role_list. Click on the Mappers tab, select role_list, and enable Single Role Attribute.

Step 8: Log in to Zabbix as a user with admin privileges. Under Administration -> Authentication, select the SAML settings tab and configure it as follows.

Enable SAML authentication: enabled

IdP entity ID: https://sso.techrunnr.com/auth/realms/<realmname>
SSO service URL: https://sso.techrunnr.com/auth/realms/<realmname>/protocol/saml
SLO service URL: https://sso.techrunnr.com/auth/realms/<realmname>/protocol/saml
Username attribute: zabbixuser
SP entity ID: zabbix
SP name ID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress


Make sure that you replace the realm name with your own realm name.

Step 9: Now create a user in Zabbix with the same username that you created in Keycloak, and save.

Step 10: Log out from the Zabbix application and try to log in with the Sign in with Single Sign-On (SAML) button. This will take you to the Keycloak login page, and after a successful login you will be redirected to the Zabbix application.

When you log out from Zabbix using SSO, you are also logged out from Keycloak, and after a successful logout you are returned to the Zabbix login screen.

Hope this helps you set up SSO for Zabbix with Keycloak.

© 2020, Techrunnr. All rights reserved.
