Centralizing Identity: SAML SSO with Zabbix 7.0 and Authentik
Rodolfo Echenique
Automated Translation: This article was originally written in Spanish and translated by Gemini AI.
As a Network Engineer at Central Node, I know that managing local users across multiple applications can be a headache and a security risk. That’s why today we’re going to break down how to implement Single Sign-On (SSO) for Zabbix 7.0 using Authentik as the Identity Provider (IdP), a robust solution that centralizes identity, simplifies administration, and strengthens security.
1. Configuration in Authentik
First, we must prepare Authentik so it can provide the necessary information to Zabbix, especially user groups, which enable automatic permission assignment.
A. Create the Property Mapping for Groups
This mapping allows extracting and sending user groups within the SAML token.
- In Authentik, navigate to Customization → Property Mappings.
- Create a SAML Property Mapping with the following values:
- Name: SAML Groups
- SAML Attribute Name: http://schemas.xmlsoap.org/claims/Group
- For the Python expression, we use:
return [group.name for group in request.user.ak_groups.all()]
This ensures that all user groups are correctly included.
B. Create the SAML Provider
Under Applications → Providers → Create, select SAML Provider and configure it with the following parameters:
| Field | Value |
|---|---|
| Name | Zabbix Provider |
| Issuer | authentik |
| Binding | Post |
| Audience | zabbix |
| ACS URL | https://zabbix.yourdomain.com/zabbix/index_sso.php?acs |
| Signing Certificate | Select your certificate (e.g. authentik Self-signed) |
C. Assign Property Mappings
In the Provider’s Property Mappings tab, enable:
- ✓ authentik default SAML Mapping: Username
- ✓ authentik default SAML Mapping: Name (key to avoiding SQL errors in Zabbix)
- ✓ authentik default SAML Mapping: Email
- ✓ SAML Groups (created in step A)
2. Certificate Management in Zabbix
Zabbix 7.0 requires the public certificate to be physically present on the server to validate SAML signatures. Key steps below:
- Export the public certificate in PEM format from Authentik (Never the private key!).
- On the Zabbix server, create the directory and file for the certificate:
mkdir -p /usr/share/zabbix/conf/certs/
nano /usr/share/zabbix/conf/certs/idp.crt
Paste the certificate contents, ensuring it starts with -----BEGIN CERTIFICATE-----.
Finally, adjust permissions so the web server can access it:
chown www-data:www-data /usr/share/zabbix/conf/certs/idp.crt
chmod 644 /usr/share/zabbix/conf/certs/idp.crt
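
A preflight check for the file created in the steps above, as an added example that is not part of the original article: it flags a missing file, a pasted private key, a damaged PEM body, and permissions that let anyone but the owner modify the certificate Zabbix trusts. Only the path and the 644 mode come from the article; the function name `check_idp_cert` is hypothetical.

```python
import base64
import binascii
import os
import re
import stat

# Matches any PEM block and captures its label and body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def check_idp_cert(path):
    """Return a list of problems with the IdP certificate file (empty = OK)."""
    if not os.path.isfile(path):
        return ["file not found (Zabbix reports idp_cert_or_fingerprint_not_found)"]
    with open(path, encoding="ascii", errors="replace") as fh:
        text = fh.read()
    problems = []
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    if any("PRIVATE KEY" in label for label in labels):
        problems.append("file contains a private key; export only the certificate")
    if not text.lstrip().startswith("-----BEGIN CERTIFICATE-----"):
        problems.append("file does not start with -----BEGIN CERTIFICATE-----")
    for label, body in blocks:
        if label != "CERTIFICATE":
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append("certificate body is not valid base64 (bad paste?)")
            continue
        if not der.startswith(b"\x30"):  # DER certificates begin with a SEQUENCE tag
            problems.append("decoded certificate is not DER data")
    if "CERTIFICATE" not in labels:
        problems.append("no complete CERTIFICATE block found")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o022:
        problems.append(f"mode {mode:o} lets group/others modify the trust anchor")
    if not mode & 0o400:
        problems.append(f"mode {mode:o} is not readable by the file owner")
    return problems


if __name__ == "__main__":
    # Path from the article; prints nothing when the file passes every check.
    for problem in check_idp_cert("/usr/share/zabbix/conf/certs/idp.crt"):
        print("FAIL:", problem)
```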
3. Configuration in Zabbix (The Client)
Access Users → Authentication → SAML settings from the Zabbix web interface to complete the integration.
General Configuration
| Field | Value |
|---|---|
| IdP entity ID | authentik |
| SSO service URL | https://authentik.yourdomain.com/application/saml/zabbix/sso/binding/redirect/ |
| SLO service URL | https://authentik.yourdomain.com/application/saml/zabbix/slo/binding/redirect/ |
| Username attribute | http://schemas.goauthentik.io/2021/02/saml/username |
| SP entity ID | zabbix |
JIT Configuration (Just-In-Time)
| Field | Value |
|---|---|
| Group name attribute | http://schemas.xmlsoap.org/claims/Group |
| User name attribute | http://schemas.xmlsoap.org/claims/GivenName |
| User last name attr. | http://schemas.xmlsoap.org/claims/Surname |
User Group Mapping
| SAML group pattern | User groups | User role |
|---|---|---|
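| * | Zabbix administrators | Admin role |

Because the pattern * matches any group name, this row gives the Admin role to every user whose assertion carries at least one group; use specific group names in the pattern to limit who receives it.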
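
An added example (not from the original article) that checks a decoded assertion against the attribute names and group mapping configured above, to catch the missing-name JIT failure and to see which mapping rows a user's groups hit before the first login. The sample XML is constructed, the function names are hypothetical, and the regex translation of `*` is this example's own approximation of Zabbix's pattern matching.

```python
import re
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Attribute names copied from the Zabbix settings tables on this page.
REQUIRED = {
    "username": "http://schemas.goauthentik.io/2021/02/saml/username",
    "first name": "http://schemas.xmlsoap.org/claims/GivenName",
    "last name": "http://schemas.xmlsoap.org/claims/Surname",
    "groups": "http://schemas.xmlsoap.org/claims/Group",
}
PAGE_MAPPING = [("*", "Zabbix administrators", "Admin role")]  # row from this page

# Constructed sample (not real IdP output): last name empty, one group.
SAMPLE = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Attribute Name="http://schemas.goauthentik.io/2021/02/saml/username">
  <saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="http://schemas.xmlsoap.org/claims/GivenName">
  <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Surname">
  <saml:AttributeValue></saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
  <saml:AttributeValue>noc-readonly</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

def read_attributes(xml_text):
    """Return {attribute name: [non-empty values]} from decoded assertion XML."""
    attrs = {}
    # Use only on XML captured from your own IdP: ElementTree is not
    # hardened against maliciously constructed documents.
    for attr in ET.fromstring(xml_text).iter(SAML + "Attribute"):
        values = [(v.text or "").strip() for v in attr.iter(SAML + "AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs

def missing_for_jit(attrs):
    """Labels of attributes Zabbix is configured to read that are absent or empty."""
    return [label for label, name in REQUIRED.items() if not attrs.get(name)]

def matched_roles(groups, mapping):
    """Mapping rows whose pattern matches any group ('*' taken as a wildcard)."""
    hits = []
    for pattern, user_group, role in mapping:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if any(re.fullmatch(regex, g) for g in groups):
            hits.append((user_group, role))
    return hits
```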
⚠️ Troubleshooting (Common Errors)
Error: idp_cert_or_fingerprint_not_found
Cause: Zabbix cannot find the idp.crt file.
Solution: Verify that the file exists at /usr/share/zabbix/conf/certs/idp.crt with 644 permissions so the web server can read it.
SQL Error: INSERT INTO users (...) VALUES (...)
Cause: JIT provisioning fails; first or last name is missing in Authentik, or the mapping is not selected.
Solution: Populate the "First Name" and "Last Name" fields in Authentik and ensure that the authentik default SAML Mapping: Name mapping is enabled.
Error: ACS URL mismatch / Bad Request
Cause: Zabbix sends the URL over HTTP while Authentik requires HTTPS.
Solution: In /etc/zabbix/web/zabbix.conf.php, add this configuration to use proxy headers and define the base URL with HTTPS:
$SSO['SETTINGS'] = [
    'use_proxy_headers' => true,
    'baseurl' => 'https://zabbix.yourdomain.com/zabbix'
];
SAML SSO Architecture Visualization
sequenceDiagram
    participant User
    participant Zabbix
    participant Authentik
    User->>Zabbix: Access to Zabbix web interface
    Zabbix->>Authentik: Requests SAML authentication
    Authentik-->>User: Login page
    User->>Authentik: Credentials
    Authentik-->>Zabbix: SAML token with attributes and groups
    Zabbix->>User: Access granted (JIT provisioning)
Implementing SSO with SAML and Authentik not only improves the user experience but also strengthens control and security by centralizing identity under a single trusted point.
Do you want to optimize access management in your infrastructure? At Central Node, we have the experience and expertise to help you implement secure and efficient solutions. Contact us and take your network to the next level.