Zabbix SSO
Configure SAML 2.0 SSO for the Zabbix monitoring platform (≥ 6.0) with Clavex as the Identity Provider. Supports SP-initiated and IdP-initiated flows, and attribute-based role mapping.
Prerequisites
- Zabbix ≥ 6.0 with PHP SAML extension (php-xml, simplesamlphp)
- Zabbix Superadmin access
- Clavex at https://id.acme.eu, org slug acme
SAML library: Zabbix uses SimpleSAMLphp or the OneLogin/php-saml library. Ensure the PHP SAML extension is enabled: php -m | grep xml.
Step 1 — Clavex IdP Parameters
| Parameter | Value |
|---|---|
| IdP Entity ID | https://id.acme.eu/acme/saml |
| SSO URL (HTTP-POST) | https://id.acme.eu/acme/saml/sso |
| SLO URL | https://id.acme.eu/acme/saml/slo |
| Certificate | Base64 from /acme/saml/idp/metadata |
Step 2 — Configure Zabbix SAML Authentication
- Log in to Zabbix → Administration → Authentication
- Select SAML tab
- Fill in:
| Field | Value |
|---|---|
| IdP entity ID | https://id.acme.eu/acme/saml |
| SSO service URL | https://id.acme.eu/acme/saml/sso |
| SLO service URL | https://id.acme.eu/acme/saml/slo |
| Username attribute | email |
| SP entity ID | https://zabbix.acme.eu |
| SP name ID format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Sign assertions | Yes |
| Sign AuthN requests | No (or Yes with SP key) |
| IdP certificate | Paste the X.509 certificate from Clavex metadata |
- Enable SAML
Step 3 — Register Zabbix as SP in Clavex
$ curl -X POST https://id.acme.eu/api/v1/organizations/acme/saml/sp \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H 'Content-Type: application/json' \
-d '{
"entity_id": "https://zabbix.acme.eu",
"acs_url": "https://zabbix.acme.eu/index.php?saml_sso=1",
"slo_url": "https://zabbix.acme.eu/index.php?saml_slo=1",
"name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"sign_assertions": true
}'
Step 4 — User Provisioning
Zabbix does not auto-provision users from SAML by default. Create users in Zabbix with usernames matching the Clavex email/username:
# Get auth token
$ TOKEN=$(curl -s -X POST https://zabbix.acme.eu/api_jsonrpc.php \
-H 'Content-Type: application/json' \
-d "{\"jsonrpc\":\"2.0\",\"method\":\"user.login\",\"params\":{\"user\":\"Admin\",\"password\":\"$ZBX_PW\"},\"id\":1}" \
| jq -r .result)
# Create user (userdirectory: 0 = internal, use SAML user type)
$ curl -s -X POST https://zabbix.acme.eu/api_jsonrpc.php \
-H 'Content-Type: application/json' \
-d "{\"jsonrpc\":\"2.0\",\"method\":\"user.create\",\"params\":{\"username\":\"alice@acme.eu\",\"name\":\"Alice\",\"surname\":\"Smith\",\"autologin\":0,\"lang\":\"en_US\",\"usrgrps\":[{\"usrgrpid\":\"8\"}]},\"auth\":\"$TOKEN\",\"id\":2}"
Zabbix 6.4+ User Directories: Zabbix 6.4 adds LDAP/SAML User Directories
with auto-provisioning and group-to-role mapping. Configure via
Administration → Authentication → User directories.
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| SAML button not shown | SAML not enabled in Zabbix | Administration → Authentication → SAML → Enable SAML authentication |
| No permissions for system access | User exists but has no user group in Zabbix | Add the user to a Zabbix user group with appropriate permissions |
| PHP SAML error in Zabbix logs | Missing PHP extensions | Install php-xml, php-mbstring, and php-openssl |
| Assertion validation fails | IdP certificate not pasted correctly in Zabbix | Paste only the Base64 content without -----BEGIN CERTIFICATE----- headers |
| Login loop | Username attribute mismatch | Ensure Username attribute in Zabbix matches the claim name sent by Clavex |
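To narrow down the login-loop row, compare what the IdP actually sent with what Zabbix was configured to expect. The Python script below is an added example, not Clavex or Zabbix code: it takes the Base64 SAMLResponse form value (assumed to be copied from the browser's POST to the ACS URL) and reports mismatches against the values from Steps 1 to 3. `diagnose`, `EXPECTED` and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Expected values, taken from Steps 1-3 of this page.
EXPECTED = {"Issuer": "https://id.acme.eu/acme/saml",
            "Audience": "https://zabbix.acme.eu",
            "Destination": "https://zabbix.acme.eu/index.php?saml_sso=1"}

def diagnose(response_b64, username_attribute="email"):
    """List mismatches between a captured SAMLResponse and the Zabbix settings.
    Troubleshooting aid only: it does not verify the XML signature."""
    raw = base64.b64decode(response_b64)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD in SAML message, refusing to parse")
    root = ET.fromstring(raw)

    def first(path):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None
    seen = {"Issuer": first("a:Assertion/a:Issuer"),
            "Audience": first(".//a:AudienceRestriction/a:Audience"),
            "Destination": root.get("Destination")}
    problems = [f"{k}: got {seen[k]!r}, expected {v!r}"
                for k, v in EXPECTED.items() if seen[k] != v]
    names = [a.get("Name") for a in root.iterfind(".//a:Attribute", NS)]
    if username_attribute not in names:
        problems.append(f"Username attribute {username_attribute!r} not sent; "
                        f"assertion carries {names}")
    return problems

# Constructed sample (not a real Clavex response): the address is sent as "mail".
SAMPLE = base64.b64encode(b"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://zabbix.acme.eu/index.php?saml_sso=1">
<a:Assertion><a:Issuer>https://id.acme.eu/acme/saml</a:Issuer>
<a:Subject><a:NameID>alice@acme.eu</a:NameID></a:Subject>
<a:Conditions><a:AudienceRestriction>
<a:Audience>https://zabbix.acme.eu</a:Audience>
</a:AudienceRestriction></a:Conditions>
<a:AttributeStatement><a:Attribute Name="mail">
<a:AttributeValue>alice@acme.eu</a:AttributeValue>
</a:Attribute></a:AttributeStatement>
</a:Assertion></p:Response>""").decode()

if __name__ == "__main__":
    for line in diagnose(SAMPLE):
        print(line)
```

An empty result means the issuer, audience, destination and username attribute all line up with the configuration. The response still has to pass signature validation in Zabbix against the pasted IdP certificate.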