Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Zabbix 7 IT Infrastructure Monitoring Cookbook

You're reading from   Zabbix 7 IT Infrastructure Monitoring Cookbook Explore the new features of Zabbix 7 for designing, building, and maintaining your Zabbix setup

Arrow left icon
Product type Paperback
Published in Jul 2024
Publisher Packt
ISBN-13 9781801078320
Length 540 pages
Edition 3rd Edition
Tools
Concepts
Arrow right icon
Authors (2):
Arrow left icon
Nathan Liefting Nathan Liefting
Author Profile Icon Nathan Liefting
Nathan Liefting
Brian van Baekel Brian van Baekel
Author Profile Icon Brian van Baekel
Brian van Baekel
Arrow right icon
View More author details
Toc

Table of Contents (16) Chapters Close

Preface 1. Chapter 1: Installing Zabbix and Getting Started Using the Frontend 2. Chapter 2: Getting Things Ready with Zabbix User Management FREE CHAPTER 3. Chapter 3: Setting Up Zabbix Monitoring 4. Chapter 4: Working with Triggers and Alerts 5. Chapter 5: Building Your Own Structured Templates 6. Chapter 6: Visualizing Data, Inventory, and Reporting 7. Chapter 7: Using Discovery for Automatic Creation 8. Chapter 8: Setting Up Zabbix Proxies 9. Chapter 9: Integrating Zabbix with External Services 10. Chapter 10: Extending Zabbix Functionality with Custom Scripts and the Zabbix API 11. Chapter 11: Maintaining Your Zabbix Setup 12. Chapter 12: Advanced Zabbix Database Management 13. Chapter 13: Bringing Zabbix to the Cloud with Zabbix Cloud Integration 14. Index 15. Other Books You May Enjoy

Azure AD SAML user authentication and JIT user provisioning

In this recipe, we will use Security Assertion Markup Language (SAML) authentication, a widely used form of authentication in the IT world. The SAML standard allows us to exchange authorization data between applications, so we can authenticate between our Zabbix application and an authentication provider. We’ll be using this as a form of managing passwords for our Zabbix users. Please note that if you only set up user authentication with passwords with SAML or LDAP, you still have to create users with their permissions manually within Zabbix. To circumvent this, we can also set up Just In Time (JIT) user provisioning since Zabbix 6.4.

Getting ready

To get started with SAML authentication, we will need our configured Zabbix server from the previous recipe. It’s important that we have all the configured users from the previous recipe. We will also need something to authenticate with SAML. We will be using Microsoft Azure Active Directory (AD) SAML.

Make sure to set up users in your Azure AD before continuing with this recipe. You can use your existing AD users for authentication, so you can use this recipe with your existing AD setup.

We will be using the s_network user as an example as well as a new JIT_Admin user group in our Zabbix environment with no permissions set up. The Azure user looks as follows:

Figure 2.23 – The Azure Users and groups window

Figure 2.23 – The Azure Users and groups window

For JIT user provisioning, we also made sure to make this user part of a new zbx_admin group:

Figure 2.24 – The Azure users group details window

Figure 2.24 – The Azure users group details window

This group is just going to be an empty security group that we will use to assign permissions in Zabbix later:

Figure 2.25 – The Azure group details window

Figure 2.25 – The Azure group details window

To set up SAML, retrieve your SAML settings from your AD or another SAML provider. To work with Zabbix, we will need the following:

  • IdP entity ID
  • SSO service URL
  • SLO service URL
  • Username attribute
  • SP entity ID
  • SP name ID format

For the JIT user provisioning, we will need the following:

  • Group name attribute
  • User name attribute
  • User last name attribute
  • User group mapping

How to do it…

We start with the assumption that you have your Azure AD ready. Let’s see how we can configure SAML using our setup:

  1. Let’s navigate to the following URL: https://portal.azure.com/.
  2. After logging in, navigate to Azure AD and click on Enterprise Applications.
  3. Now click on + New Application to create our new application. At the next window, click on Create your own application:
Figure 2.26 – The Azure enterprise application creation page

Figure 2.26 – The Azure enterprise application creation page

  1. In the next window, name our new application Zabbix and click on the blue Create button:
Figure 2.27 – The Azure enterprise new application page

Figure 2.27 – The Azure enterprise new application page

  1. Select our new application from the list and click on Users and Groups to add the correct users. In our case, this will be s_network:
Figure 2.28 – The Azure enterprise application User addition

Figure 2.28 – The Azure enterprise application User addition

  1. If we are setting up JIT user provisioning, make sure to also add the zbx_admin group:
Figure 2.29 – The Azure enterprise application Group addition

Figure 2.29 – The Azure enterprise application Group addition

With JIT user provisioning, adding the group should be enough.

  1. You will also have to assign a role. Click on Select a role and add the role you want to use. When using JIT you can use the zbx_admin group, otherwise just add the user as User.
Figure 2.30 – Azure enterprise application role assignment

Figure 2.30 – Azure enterprise application role assignment

  1. Click on Select and then Assign.
  2. Now let’s move on to the SAML settings by clicking on Single sign-on in the sidebar.
  3. Now click on SAML on the page shown in the following screenshot and continue:
Figure 2.31 – The Azure enterprise application SAML option

Figure 2.31 – The Azure enterprise application SAML option

  1. Now at 1, we can add the following information, where the black marks are our Zabbix server URL:
Figure 2.32 – The Azure SAML setting 1

Figure 2.32 – The Azure SAML setting 1

  1. At 2, fill out the following:
Figure 2.33 – The Azure SAML setting 2

Figure 2.33 – The Azure SAML setting 2

  1. 3 will be automatically filled. Click on Download for Certificate (Base64):
Figure 2.34 – The Azure SAML setting 3

Figure 2.34 – The Azure SAML setting 3

  1. Log in to the Zabbix server CLI and create a new file with the following command:
    vim /usr/share/zabbix/conf/certs/idp.cert
  2. Paste the contents from the file downloaded in step 11 here and save the file.
  3. Now back at Azure for 4, we will get the following information:
Figure 2.35 – The Azure SAML setting 4

Figure 2.35 – The Azure SAML setting 4

  1. At the Zabbix frontend, go to the Users | Authentication | SAML settings page and fill in the following information:
Figure 2.36 – The Zabbix SAML settings

Figure 2.36 – The Zabbix SAML settings

  1. If you also want to use JIT user provisioning, enable it as seen in the previous screenshot as well as fill in the following information:
Figure 2.37 – The Zabbix SAML JIT settings

Figure 2.37 – The Zabbix SAML JIT settings

Important note

I have used the JIT_Admin user group as suggested in the Getting ready part of this recipe. Please use any user group and roles you see fit and make sure to integrate the JIT user provisioning into your own groups and permissions.

  1. If you have already created the s_network user and you aren’t going to use JIT user provisioning, go to Users | Users and change the s_network user to include the used Azure domain, for example:
Figure 2.38 – The Zabbix edit user screen for our SAML setup

Figure 2.38 – The Zabbix edit user screen for our SAML setup

If you are using JIT user provisioning, you can simply log in with the new user credentials using SAML authentication and it should create the user with the correct credentials.

  1. After following these steps, it should now be possible to log in with your user configured in Zabbix and use the password set in Azure AD for this:
Figure 2.39 – The Zabbix login window

Figure 2.39 – The Zabbix login window

How it works…

Zabbix SAML user authentication is by default used to centralize password management. In the past, we were not able to actually assign user groups and permissions to users via this setup. If we set it up without JIT user provisioning we can use it for simple password management.

This way, we can make sure it is easier for users to keep their passwords centralized:

Figure 2.40 – Zabbix SAML authentication diagram

Figure 2.40 – Zabbix SAML authentication diagram

Zabbix communicates with our Azure AD SAML component when we click the Sign in button. The user is then authenticated against your Azure AD user and a confirmation is sent back to the Zabbix server. Congratulations, you are now logged in to your Zabbix server.

However, since Zabbix 6.4 it is also possible to enable JIT user provisioning. This new feature allows us to also assign Zabbix User groups and roles according to user groups on our SAML server. As such, the whole process with JIT user provisioning included looks something like this:

Figure 2.41 – Zabbix SAML JIT authentication diagram

Figure 2.41 – Zabbix SAML JIT authentication diagram

There’s more…

We can do this kind of authentication not only with SAML but also with HTTP and LDAP. This way, you can choose the right form of advanced authentication for your organization.

Check out the Zabbix documentation for more information on the different forms of authentication: https://www.zabbix.com/documentation/current/en/manual/web_interface/frontend_sections/users/authentication

It’s also possible to work with an identity provider such as Okta or OneLogin, among others. This means your options aren’t limited to Azure AD: as long as it supports SAML, you can use it to authenticate against your Zabbix server.

You have been reading a chapter from
Zabbix 7 IT Infrastructure Monitoring Cookbook - Third Edition
Published in: Jul 2024
Publisher: Packt
ISBN-13: 9781801078320
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime