How to integrate Keycloak with Zabbix for SSO (SAML)
Hi All, this document shows you how to integrate keycloak with Zabbix for SSO.
Zabbix is an open-source monitoring software tool for diverse IT components, including networks, servers, virtual machines, and cloud services. Zabbix provides monitoring metrics, among others network utilization, CPU load, and disk space consumption.
Keycloak is an open-source software product to allow single sign-on with Identity Management and Access Management aimed at modern applications and services. As of March 2018, this JBoss community project is under the stewardship of Red Hat who uses it as the upstream project for their RH-SSO product.
With the 5.0 release, Zabbix supports SSO integration with the most common authorities such as Microsoft ADFS, Okta, OpenAM, etc.
In my case, I use Keycloak for SSO integration of all my applications, so I Googled in search of how to enable SSO for Zabbix with it. What should I say, no luck!! I didn't get any proper documents giving the exact steps. I have seen some documents showing integration of Keycloak and Zabbix using Keycloak proxy or Gatekeeper. As Zabbix comes with a built-in feature, I don't want to use any other application to make this happen.
After analyzing the integration with other entities such as Okta and Azure AD, I got it working using Keycloak. So I thought it would be a help for others who prefer the Zabbix SSO integration with Keycloak.
The current release of Zabbix supports SAML as the authentication protocol. Let's hope Zabbix comes with OAuth integration also in the upcoming releases.
Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions.
So let's move to the integration part.
Step 1: Let's generate the certificate for Zabbix. Navigate to /usr/share/zabbix/conf/certs
The above command will generate a certificate and private key for the SAML key exchange. You can change the CN name from the above command to your desired name.
Step 2: Log in to Keycloak, get the IdP metadata descriptor and copy the X.509-formatted certificate. Below is the sample URL as per my environment; change the realm name to yours.
Again navigate to /usr/share/zabbix/conf/certs
and create a file called idp.crt
and copy the X.509 content between
Make sure that your certificate is copied between the two lines BEGIN and END.
The final certificate looks like this.
change the permission of the file.
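An added example (not the original post's commands) of the certificate handling in Steps 1 and 2, including the BEGIN/END wrapping and the permission change. It assumes Zabbix's default file names sp.key and sp.crt and Keycloak's standard /protocol/saml/descriptor endpoint; the function names are hypothetical and the sample descriptor is constructed.

```shell
#!/bin/sh
CERT_DIR="${CERT_DIR:-/usr/share/zabbix/conf/certs}"  # directory used on this page

# Step 1 (assumed form): self-signed SP certificate and key under the file
# names Zabbix reads by default (sp.crt, sp.key). $1 = CN of your choice.
make_sp_keypair() {
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
    -subj "/CN=$1" -keyout "$CERT_DIR/sp.key" -out "$CERT_DIR/sp.crt" &&
    chmod 600 "$CERT_DIR/sp.key"  # then chown it to the web server user
}

# Step 2: take the first X509Certificate element from a saved IdP descriptor
# and write it as PEM. $1 = descriptor XML file, $2 = output (e.g. idp.crt).
# The descriptor can be saved with curl from Keycloak's descriptor endpoint:
#   https://sso.techrunnr.com/auth/realms/<realmname>/protocol/saml/descriptor
idp_pem_from_descriptor() {
  _b64=$(tr -d ' \t\r\n' < "$1" | grep -o 'X509Certificate>[^<]*' |
         head -n 1 | sed 's/^X509Certificate>//')
  case "$_b64" in
    ''|*[!A-Za-z0-9+/=]*) echo "no usable certificate in $1" >&2; return 1 ;;
  esac
  { echo '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$_b64" | fold -w 64   # PEM body lines are 64 characters
    echo '-----END CERTIFICATE-----'; } > "$2"
  chmod 644 "$2"  # public certificate; only sp.key needs to stay private
}

# Run on the real file: prints subject, expiry and SHA-256 fingerprint, and
# fails if the PEM does not parse as an X.509 certificate.
show_cert() { openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256; }

# Constructed descriptor fragment; the base64 text is a placeholder, not a
# real certificate, so show_cert would reject it.
sample_descriptor() {
  cat <<'EOF'
<md:EntityDescriptor entityID="https://sso.techrunnr.com/auth/realms/demo">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLVJFQUwtQ0VSVElGSUNBVEUtRk9S
   LVRIRS1aQUJCSVgtS0VZQ0xPQUstU0FNTC1FWEFNUExFLU9OTFk=</ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Demo on the constructed sample, written to a temporary directory.
demo_dir=$(mktemp -d)
sample_descriptor > "$demo_dir/descriptor.xml"
idp_pem_from_descriptor "$demo_dir/descriptor.xml" "$demo_dir/idp.crt" && cat "$demo_dir/idp.crt"
```

On a real deployment, run show_cert on the resulting idp.crt and compare the subject and fingerprint with the realm's signing certificate before enabling SAML in Zabbix.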
Step 3: Now go to Keycloak and create a client with Zabbix as the client ID and choose SAML as the client protocol. The client ID has to match the SP entity ID entered in Step 8.
Step 4: Once the client is created, make the below changes to its configuration.
Name ID format: email
Master SAML Processing URL: https://zabbix.techrunnr.com/zabbix/index_sso.php?acs
Configure the Valid Redirect URL with your Zabbix URL.
The above URL calls the SSO URL of the Zabbix application, which validates the username, password, and other attributes from the IdP (Identity Provider).
Replace the URL with your Zabbix URL.
Open the Fine Grain SAML Endpoint Configuration
Logout Service Redirect Binding URL: https://zabbix.techrunnr.com/zabbix/index_sso.php?sls
The above URL is the single logout URL, which is called when the user logs out from the IdP via the Zabbix application.
Make sure you have enabled all the config as in the screenshot below.
Step 5: Create the user mapper.
Click on the Mappers tab of the Zabbix client and select Create.
Enter the Name as zabbixuser
Mapper Type: User attribute
User attribute: zabbixuser
Friendly Name: zabbixuser
SAML Attribute Name: zabbixuser
Step 6: Now create a user and go to the Attributes tab of the created user.
Add an attribute called zabbixuser with the username as its value; in my case it is email@example.com
Step 7: Go to Client Scopes and select role_list. Click on the Mappers tab, select role_list and enable Single Role Attribute.
Step 8: Log in to Zabbix as a user with admin privileges. Under Administration -> Authentication, select the SAML settings tab and configure as follows.
Enable SAML authentication: enabled
IdP entity ID : https://sso.techrunnr.com/auth/realms/<realmname>
SSO service URL: https://sso.techrunnr.com/auth/realms/<realmname>/protocol/saml
SLO service URL: https://sso.techrunnr.com/auth/realms/<realmname>/protocol/saml
Username attribute: zabbixuser
SP entity ID: zabbix
SP name ID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Make sure that you replace the realm name with your desired realm name.
Step 9: Now create a user in Zabbix with the same username that you created in Keycloak, and save.
Step 10: Log out of the Zabbix application and try to log in with the Sign in with Single Sign-On (SAML) button. This will take you to the Keycloak login page, and after a successful login you will be redirected to the Zabbix application.
When you log out from Zabbix using SSO, this logs you out from Keycloak as well, and after a successful logout you will be back at the login screen of Zabbix.
Hope this helps you set up SSO for Zabbix with Keycloak.