Centralizing Identity: SAML SSO with Zabbix 7.0 and Authentik
Rodolfo Echenique
Automated Translation: This article was originally written in Spanish and translated by Gemini AI.
As a Network Engineer at Central Node, I know that managing local user accounts in several applications is both a chore and a security risk: passwords multiply, and offboarding someone means remembering every system they were ever added to. So today we will break down how to implement Single Sign-On (SSO) for Zabbix 7.0 using Authentik as the Identity Provider (IdP), a robust solution that centralizes identity, simplifies management, and strengthens security.

### 1. Configuration in Authentik

First, we prepare Authentik to send Zabbix the information it needs, especially the user's groups, which let Zabbix assign permissions automatically.

#### A. Create the Property Mapping for Groups

This mapping extracts the user's groups and sends them as an attribute in the SAML assertion.

1. In Authentik, navigate to Customization → Property Mappings.
2. Create a SAML Property Mapping with the following values:
   * Name: `SAML Groups`
   * SAML Attribute Name: `http://schemas.xmlsoap.org/claims/Group`
3. For the Python expression, we use:

```python
return [group.name for group in request.user.ak_groups.all()]
```

This emits every group the user belongs to as a separate value of the attribute. The attribute name itself is arbitrary, but it must be entered character for character in the Zabbix JIT settings later (section 3).

#### B. Create the SAML Provider

In Applications → Providers → Create, select SAML Provider and configure it with these parameters:

| Field | Value |
| ------------------- | ------------------------------------------------------ |
| Name | Zabbix Provider |
| Issuer | authentik |
| Binding | Post |
| Audience | zabbix |
| ACS URL | https://zabbix.tudominio.com/zabbix/index_sso.php?acs |
| Signing Certificate | Select your certificate (e.g., authentik Self-signed) |

Issuer and Audience are free-form identifiers, but they must match the IdP entity ID and SP entity ID you configure in Zabbix exactly. The ACS URL must be the exact URL the browser uses to reach Zabbix, including the scheme and the `/zabbix` path; a mismatch here is the source of the "ACS URL mismatch" error discussed under Troubleshooting.

#### C. Assign Property Mappings

In the Provider's Property Mappings tab, activate:

* ✓ `authentik default SAML Mapping: Username`
* ✓ `authentik default SAML Mapping: Name` (key to avoid SQL errors in Zabbix)
* ✓ `authentik default SAML Mapping: Email`
* ✓ `SAML Groups` (created in step A)

---

### 2. Certificate Management in Zabbix

Zabbix 7.0 requires the IdP's public certificate to be present as a file on the server so that it can validate the signature on the SAML responses Authentik sends. Key steps:

1. Export the public certificate in PEM format from Authentik (never the private key!).
2. On the Zabbix server, create the directory and file for the certificate:

```bash
mkdir -p /usr/share/zabbix/conf/certs/
nano /usr/share/zabbix/conf/certs/idp.crt
```

Paste the certificate content, ensuring it starts with `-----BEGIN CERTIFICATE-----` (and contains nothing else, such as a second certificate or a key).

Finally, adjust permissions so the web server can read it:

```bash
chown www-data:www-data /usr/share/zabbix/conf/certs/idp.crt
chmod 644 /usr/share/zabbix/conf/certs/idp.crt
```

Use the web server's actual user here: `www-data` on Debian/Ubuntu, typically `apache` or `nginx` on RHEL-based systems. Keep in mind that this file is the trust anchor for every SAML login: whoever can replace it can forge assertions that Zabbix will accept. The web server only needs to read the file, so where your frontend files are owned by root, leaving this one owned by root with mode 644 is the tighter choice. Before moving on, compare the certificate's fingerprint with the one Authentik displays for the signing certificate you selected in step B.

---

### 3. Configuration in Zabbix (The Client)

In the Zabbix web interface, go to Users → Authentication → SAML settings, enable SAML authentication, and complete the integration.

#### General Configuration

| Field | Value |
| ------------------ | ----------------------------------------------------------------------------- |
| IdP entity ID | authentik |
| SSO service URL | https://authentik.tudominio.com/application/saml/zabbix/sso/binding/redirect/ |
| SLO service URL | https://authentik.tudominio.com/application/saml/zabbix/slo/binding/redirect/ |
| Username attribute | http://schemas.goauthentik.io/2021/02/saml/username |
| SP entity ID | zabbix |

#### JIT (Just-In-Time) Configuration

Enable JIT provisioning and fill in the attribute names Zabbix should read from the assertion:

| Field | Value |
| ------------------------ | ------------------------------------------- |
| Group name attribute | http://schemas.xmlsoap.org/claims/Group |
| User name attribute | http://schemas.xmlsoap.org/claims/GivenName |
| User last name attribute | http://schemas.xmlsoap.org/claims/Surname |

These names must match, character for character, the attribute names that the property mappings assigned in step 1C actually emit. If JIT fails, inspect the assertion Authentik sends rather than guessing (see Troubleshooting).

##### User Group Mapping

| SAML group pattern | User groups | User role |
| ------------------ | --------------------- | ---------- |
| * | Zabbix administrators | Admin role |

The `*` pattern matches every group value, so every Authentik user who is allowed to open the Zabbix application receives the Admin role. That is convenient for a first test, but in production replace it with the name of a dedicated Authentik group (and, if needed, a second row mapping everyone else to a read-only user group and User role), so that access to Authentik is not by itself a grant of Zabbix administration. A user whose groups match no row is not provisioned and cannot log in.

---

### ⚠️ Troubleshooting (Common Errors)

#### `Error: idp_cert_or_fingerprint_not_found`

Cause: Zabbix cannot find the `idp.crt` file.

Solution: Verify the file is located at `/usr/share/zabbix/conf/certs/idp.crt` with permissions `644` so the web server can read it.

#### `Error SQL: INSERT INTO users (...) VALUES (...)`

Cause: JIT provisioning fails because the first or last name is missing from the assertion, either because the fields are empty in Authentik or because the mapping is not selected on the provider.

Solution: Fill in the "First Name" and "Last Name" fields in Authentik and ensure the `authentik default SAML Mapping: Name` mapping is active on the provider.

#### `Error: ACS URL mismatch / Bad Request`

Cause: Zabbix sits behind a reverse proxy that terminates TLS, so it builds its own URL with `http://`, while Authentik expects the HTTPS ACS URL configured in the provider.

Solution: In `/etc/zabbix/web/zabbix.conf.php`, add this configuration so Zabbix honours the proxy headers and uses an HTTPS base URL:

```php
$SSO['SETTINGS'] = [
    'use_proxy_headers' => true,
    'baseurl' => 'https://zabbix.tudominio.com/zabbix'
];
```

With `use_proxy_headers` enabled, Zabbix trusts the `X-Forwarded-*` headers it receives. Only enable it when the frontend is reachable exclusively through your reverse proxy; if clients can reach the frontend directly, they can set those headers themselves.

---

### Visualization of the SAML SSO Architecture

```mermaid
sequenceDiagram
participant User
participant Zabbix
participant Authentik
User->>Zabbix: Access to web interface
Zabbix->>Authentik: Requests SAML authentication
Authentik-->>User: Login page
User->>Authentik: Credentials
Authentik-->>Zabbix: SAML token with attributes and groups
Zabbix->>User: Access granted (JIT provisioning)
```

Implementing SSO with SAML and Authentik not only improves the user experience but strengthens control and security by centralizing identity under a single trusted point.

Do you want to optimize access management in your infrastructure? At Central Node, we have the experience and knowledge to help you implement secure and efficient solutions. Contact us and take your network to the next level.

---

Tags: SAML, SSO, Zabbix, Authentik, Identity, Security, Infrastructure, IT, Networks, Authentication, JIT, Certificates, Linux, Proxy, Administration, Access, Identity Provider, Configuration, Troubleshooting, Central Node
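When the JIT or entity-ID errors from the Troubleshooting section appear, the quickest check is to look at what Authentik actually sent rather than at what the configuration screens say. The script below is an added example for this article; it is not Authentik's or Zabbix's code. It decodes a base64 `SAMLResponse` (the value of the form field the browser POSTs to `index_sso.php?acs`, URL-decoded), lists the attributes in the assertion, and compares issuer, audience, destination and attribute names against the values configured above. The embedded sample response is constructed for illustration and is unsigned; the attribute names and entity IDs are taken from the tables in sections 1 and 3. The script does not verify the XML signature, which is Zabbix's job using `idp.crt`.

```python
"""Inspect a SAML Response and check it carries what Zabbix 7.0 JIT needs."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values exactly as entered in the Authentik provider and the Zabbix SAML settings.
USERNAME_ATTR = "http://schemas.goauthentik.io/2021/02/saml/username"
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"
GIVENNAME_ATTR = "http://schemas.xmlsoap.org/claims/GivenName"
SURNAME_ATTR = "http://schemas.xmlsoap.org/claims/Surname"
IDP_ENTITY_ID = "authentik"
SP_ENTITY_ID = "zabbix"
ACS_URL = "https://zabbix.tudominio.com/zabbix/index_sso.php?acs"


def parse_saml_response(b64_response: str) -> dict:
    """Decode a base64 SAMLResponse and extract the fields Zabbix depends on.
    No signature verification is done here; Zabbix does that with idp.crt."""
    root = ET.fromstring(base64.b64decode(b64_response))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    result = {
        "status": status.get("Value") if status is not None else None,
        "destination": root.get("Destination"),  # must equal the ACS URL
        "issuer": None, "audience": None, "attributes": {},
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # an EncryptedAssertion cannot be read without the SP key
        return result
    result["issuer"] = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    result["audience"] = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        result["attributes"][attr.get("Name", "")] = values
    return result


def check_for_zabbix(parsed: dict) -> list:
    """Return findings; an empty list means the assertion matches the
    configuration in this article and JIT has every field it needs."""
    findings = []
    if parsed["status"] != SUCCESS:
        findings.append(f"IdP returned status {parsed['status']!r}, not Success")
    if parsed["destination"] and parsed["destination"] != ACS_URL:
        findings.append(f"Destination {parsed['destination']!r} != ACS URL "
                        "(check baseurl / use_proxy_headers)")
    if parsed["issuer"] != IDP_ENTITY_ID:
        findings.append(f"Issuer {parsed['issuer']!r} != IdP entity ID {IDP_ENTITY_ID!r}")
    if parsed["audience"] != SP_ENTITY_ID:
        findings.append(f"Audience {parsed['audience']!r} != SP entity ID {SP_ENTITY_ID!r}")
    attrs = parsed["attributes"]
    for label, name in (("username", USERNAME_ATTR), ("first name", GIVENNAME_ATTR),
                        ("last name", SURNAME_ATTR)):
        if not any(attrs.get(name, [])):  # empty values trigger the INSERT INTO users error
            findings.append(f"missing {label} attribute {name} (JIT user creation will fail)")
    if not any(attrs.get(GROUP_ATTR, [])):
        findings.append(f"no groups in {GROUP_ATTR}; no Zabbix group/role can be mapped")
    return findings


def sample_response(include_surname: bool = True) -> str:
    """Constructed, unsigned sample of what Authentik would POST (not a real capture)."""
    surname = (f'<saml:Attribute Name="{SURNAME_ATTR}"><saml:AttributeValue>Doe'
               '</saml:AttributeValue></saml:Attribute>') if include_surname else ""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{USERNAME_ATTR}"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{GIVENNAME_ATTR}"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      {surname}
      <saml:Attribute Name="{GROUP_ATTR}">
        <saml:AttributeValue>Zabbix administrators</saml:AttributeValue>
        <saml:AttributeValue>network-team</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    import sys
    b64 = sys.argv[1] if len(sys.argv) > 1 else sample_response()
    parsed = parse_saml_response(b64)
    for name, values in parsed["attributes"].items():
        print(f"{name}: {values}")
    for finding in check_for_zabbix(parsed):
        print("PROBLEM:", finding)
```

Run it with the captured `SAMLResponse` as the first argument (run without arguments, it checks the built-in sample). Attribute names that differ from the tables above, an empty first or last name, or a `Destination` starting with `http://` each point directly at one of the errors in the Troubleshooting section.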