11 配置 Okta 启用 SAML

本节介绍如何配置 Okta 以启用 Zabbix 的 SAML 2.0 身份验证。

Okta 配置

1. 前往 https://okta.com 注册或登录您的帐户.

2. 在 Okta 页面中找到Applications → Applications并点击 "Add Application" ().

3. 点击 "Create New App" (). 在弹出窗口中，选择 Platform: , Sign on method: SAML 2.0 并点击 "Create" 按钮.

4. 根据您的喜好填写 General settings 选项卡（第一个选项卡）并点击 "Next".

5. 在 Configure SAML 选项中输入下面提供的值并点击"Next"按钮.

• 在 GENERAL 部分:
  • Single sign on URL: https://<your-zabbix-url>/ui/index_sso.php?acs
    复选框 Use this for Recipient URL and Destination URL 应为勾选的)
  • Audience URI (SP Entity ID): zabbix
    请注意，此值将在 SAML 用作程序唯一的标识符（如果不匹配，则将拒绝操作）。可以在此字段中指定 URL 或任何数据字符串
  • Default RelayState:
    将此字段为空;如果需要自定义, 可以在Zabbix的 Administration → Users 设置中添加它.
  • 根据您的喜好填写其他字段。

• 在 ATTRIBUTE STATEMENTS (OPTIONAL) 添加一个属性语句:
  • Name: usrEmail
  • Name format: Unspecified
  • Value: user.email

6. 在下一个选项卡中，选择"I'm a software vendor. I'd like to integrate my app with Okta"，然后点击"Finish"。

7. 导航至 Assignments 选项，并点击"Assign" , 然后从下拉列表中选择 Assign to People .

8. 在弹出窗口中，将创建的应用分配给使用SAML 2.0身份验证的Zabbix人员，然后按 "Save and go back".

9. 导航到Sign On选项卡，然后按"View Setup Instructions"按钮。新选项卡将显示设置说明;在配置Zabbix时保持此选项卡打开。

Zabbix 配置

1. 在 Zabbix 中，转到Administration → Authentication 中的 SAML 设置，并将 Okta 设置指令中的信息复制到相应的字段中

• Identity Provider Single Sign-On URL → SSO service URL
• Identity Provider Issuer → IdP entity ID
• Username attribute → Attribute name (usrEmail)
• SP entity ID → Audience URI

2. 将 Okta 设置说明页面中提供的证书下载到 ui/conf/certs 文件夹中，作为 idp.crt，并设置权限为 644：

chmod 644 idp.crt

请注意，如果您已从旧版本升级到Zabbix 5.0，则还需要手动将这些行添加到zabbix.conf.php文件中 (located in the //ui/conf/ // directory):

// Used for SAML authentication.
       $SSO['SP_KEY'] = 'conf/certs/sp.key'; // Path to your private key.
       $SSO['SP_CERT'] = 'conf/certs/sp.crt'; // Path to your public key.
       $SSO['IDP_CERT'] = 'conf/certs/idp.crt'; // Path to IdP public key.
       $SSO['SETTINGS'] = []; // Additional settings

有关更多详细信息的说明。请参阅 SAML Authentication

3. 如果Assertion Encryption已设置为在 Okta 中加密，则选中 "Assertions" 参数的Encrypt 也应在Zabbix中标记

4. 按"Update"按钮保存这些设置。

SCIM provisioning

1. To turn on SCIM provisioning, go to "General" -> "App Settings" of the application in Okta.

Mark the Enable SCIM provisioning checkbox. As a result, a new Provisioning tab appears.

2. Go to the "Provisioning" tab to set up a SCIM connection:

• In SCIM connector base URL specify the path to the Zabbix frontend and append api_scim.php to it, i.e.:
  https://<your-zabbix-url>/zabbix/api_scim.php
• Unique identifier field for users: email
• Authentication mode: HTTP header
• In Authorization enter a valid API token with Super admin rights

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

3. Click on Test Connector Configuration to test the connection. If all is correct a success message will be displayed.

4. In "Provisioning" -> "To App", make sure to mark the following checkboxes:

• Create Users
• Update User Attributes
• Deactivate Users

This will make sure that these request types will be sent to Zabbix.

5. Make sure that all attributes defined in SAML are defined in SCIM. You can access the profile editor for your app in "Provisioning" -> "To App", by clicking on Go to Profile Editor.

Click on Add Attribute. Fill the values for Display name, Variable name, External name with the SAML attribute name, for example, user_name.

Extenal namespace should be the same as user schema: urn:ietf:params:scim:schemas:core:2.0:User

6. Go to "Provisioning" -> "To App" -> "Attribute Mappings" of your application. Click on Show Unmapped Attributes at the bottom. Newly added attributes appear.

7. Map each added attribute.

8. Add users in the "Assignments" tab. The users previously need to be added in Directory -> People. All these assignments will be sent as requests to Zabbix.

9. Add groups in the "Push Groups" tab. The user group mapping pattern in Zabbix SAML settings must match a group specified here. If there is no match, the user cannot be created in Zabbix.

Information about group members is sent every time when some change is made.