
Zabbix SAML Config using ActiveDirectory WIN 2016-ADFS


I am stuck with the Zabbix SAML settings. There is no proper setting for ADFS in Zabbix. As I am new to SSO, it is very difficult to understand SSO in ADFS. Has anyone properly configured Zabbix with ADFS?

Zabbix SSO URL : https://xx.xxx.xx.xx/index_sso.php?acs (Same as given to ADFS Endpoint)

Here are the Zabbix versions I tested:

Zabbix Version : 5.45 Using appliance qcow2 (front end nginx)

Zabbix Version : 6.4X Latest stable version appliance qcow2 (front end nginx)

Error: I am getting "User attribute not found" in both versions. Giving the attribute as NameID or Name ID, I get the same error with the Case-Sensitive Login option in the Zabbix SAML settings.

Nginx Logs:

FastCGI sent in stderr: "PHP message: PHP Warning: Undefined variable $user_attributes in /usr/share/zabbix/index_sso.php on line 194PHP message: PHP Fatal error: Uncaught TypeError: array_key_exists(): Argument #2 ($array) must be of type array, null given in /usr/share/zabbix/index_sso.php:194 Stack trace: #0 {main} thrown in /usr/share/zabbix/index_sso.php on line 194" while reading response header from upstream, client: xx.xxx.x.xx, server: , request: "POST /index_sso.php?acs HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/zabbix.sock:", host: "xx.xxx.xxx.xx", referrer: "https://stack.example.local/"

Below is a screenshot of the Zabbix SAML settings:

[screenshot]

ADFS settings screenshot below.

Relying party identifier: https://xx.xx.xx.xx/ (given the same value as the Zabbix SP entity ID field)

[screenshot]

ADFS Claim Rule

[screenshot]


Solution

  • Finally, I got the Zabbix SAML integration with ADFS-Win-2016 working successfully.

    Here are my workaround and configuration reference screenshots:

    Zabbix SAML configuration:

    [screenshot]

    Create an AD user in Zabbix with a fully qualified domain name login (Note: you can give any password while creating the user in Zabbix)

    Example: [email protected] (make sure the user exists in the Active Directory server)

    Here are my ADFS relying party trust properties for zabbix-AdFs:

    [screenshot]

    Claim for zabbix-AdFs:

    [screenshot]

    Now try to log in at the Zabbix URL https://10.10.1.2; the URL redirects to https://10.10.1.2/index_sso.php?acs

    or choose the URL from the ADFS IdPs

    https://adz.addomain.local/adfs/ls/idpinitiatedsignon.aspx

    Choose zabbix-AdFs

    Log in as the Zabbix user:

    UserName : [email protected]

    Password : XXXXXXXXXXXXX (ActiveDirectory Password)

    Note: If you are logged in to Windows with a domain account (addomain.local), it doesn't ask for a password when using the IdP URL.

    JIT (Just-In-Time) provisioning for automatic creation of Active Directory (AD) users and mapping of user groups and roles in Zabbix is still pending. Please keep everyone informed on this progress.

    If anyone is aware of how to enable SAML logging in zabbix.config.php, please share the steps to activate debug mode and specify where to find the log files.

    Thank You!
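
The "User attribute not found" error in the question depends on which attribute names the ADFS response actually carries. The following is an added example (not from the original post and not Zabbix code) that decodes a base64 SAMLResponse, such as the one POSTed to index_sso.php?acs, and reports whether a configured Username attribute is present. The sample response, the user jdoe@addomain.local and the function names are constructed, and it assumes the configured name is matched against the Attribute Name values of the assertion rather than against the NameID.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed sample: a response whose only attribute is the UPN claim.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <saml:Assertion>
  <saml:Subject><saml:NameID>jdoe@addomain.local</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="{UPN}">
    <saml:AttributeValue>jdoe@addomain.local</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE = base64.b64encode(SAMPLE_XML.encode()).decode()


def inspect_saml_response(b64_response):
    """Return (NameID, {attribute Name: [values]}) from a base64 SAMLResponse.

    Diagnostic only: no signature or condition checks are performed.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attrs


def check_username_attribute(b64_response, configured_name):
    """Report whether configured_name matches an Attribute Name exactly."""
    name_id, attrs = inspect_saml_response(b64_response)
    if configured_name in attrs:
        return f"ok: {configured_name} = {', '.join(attrs[configured_name])}"
    # A case-only mismatch is easy to miss, so report it explicitly.
    near = [n for n in attrs if n.lower() == configured_name.lower()]
    if near:
        return f"missing: differs only in case from {near[0]!r}"
    return f"missing: NameID={name_id!r}, attribute names={sorted(attrs)}"


if __name__ == "__main__":
    for name in ("NameID", UPN):
        print(check_username_attribute(SAMPLE, name))
```

The base64 value to pass in is the SAMLResponse form field visible in the browser's network tab for the POST to the ACS URL.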