[comment]: # ({cee0eb99-cee0eb99})
# 3 Authentication
[comment]: # (tags: ldap, saml)

[comment]: # ({/cee0eb99-cee0eb99})

[comment]: # ({9217fb1a-9217fb1a})
### Overview

The *Administration → Authentication* section allows specifying the
global user authentication method for Zabbix and the internal password
requirements. The available methods are internal, HTTP, LDAP, and SAML
authentication.

[comment]: # ({/9217fb1a-9217fb1a})

[comment]: # ({0e754ffa-0e754ffa})
### Default authentication

By default, Zabbix uses internal Zabbix authentication for all users. It
is possible to change the default method to [LDAP](#ldap_authentication)
system-wide or enable LDAP authentication only for specific user groups.

To set LDAP as the default authentication method for all users, navigate to
the *LDAP* tab and configure the authentication parameters, then return to
the *Authentication* tab and switch the *Default authentication* selector to
LDAP.

Note that the authentication method can be fine-tuned on the [user
group](/manual/config/users_and_usergroups/usergroup) level. Even if
LDAP authentication is set globally, some user groups can still be
authenticated by Zabbix. These groups must have [frontend
access](/manual/config/users_and_usergroups/usergroup#configuration) set
to Internal. Conversely, if internal authentication is used globally,
LDAP authentication details can be specified and used for specific user
groups whose [frontend
access](/manual/config/users_and_usergroups/usergroup#configuration) is
set to LDAP. If a user is included in at least one user group with
LDAP authentication, this user will not be able to use the internal
authentication method.

[HTTP](#http_authentication) and [SAML 2.0](#saml_authentication)
authentication methods can be used in addition to the default
authentication method.

[comment]: # ({/0e754ffa-0e754ffa})

[comment]: # ({72802abe-d3760aa9})
### Internal authentication

The *Authentication* tab allows defining custom password complexity
requirements for internal Zabbix users.

![](../../../../../assets/en/manual/web_interface/frontend_sections/administration/auth.png)

The following password policy options can be configured:

|Parameter|Description|
|--|--------|
|*Minimum password length*|By default, the minimum password length is set to 8. Supported range: 1-70. Note that passwords longer than 72 characters will be truncated.|
|*Password must contain*|Mark one or several checkboxes to require usage of specified characters in a password:<br>- an uppercase and a lowercase Latin letter<br>- a digit<br>- a special character<br><br>Hover over the question mark to see a hint with the list of characters for each option.|
|*Avoid easy-to-guess passwords*|If marked, a password will be checked against the following requirements:<br>- must not contain user's name, surname, or username<br>- must not be one of the common or context-specific passwords.<br><br>The list of common and context-specific passwords is generated automatically from the list of NCSC "Top 100k passwords", the list of SecLists "Top 1M passwords" and the list of Zabbix context-specific passwords. Internal users will not be allowed to set passwords included in this list as such passwords are considered weak due to their common use.|

Changes in password complexity requirements will not affect existing
user passwords, but if an existing user chooses to change a password,
the new password will have to meet current requirements. A hint with the
list of requirements will be displayed next to the *Password* field in
the [user profile](/manual/web_interface/user_profile) and in the [user
configuration form](/manual/config/users_and_usergroups/user) accessible
from the *Administration→Users* menu.
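The password policy table above describes checks that are easy to get subtly wrong (the 72-character truncation in particular, since a required character past that position never counts). The following is an added example that is not Zabbix's own code: a Python model of the same policy, with the common-password list replaced by a small constructed stand-in and the special-character set assumed to be ASCII punctuation.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the NCSC "Top 100k", SecLists "Top 1M" and Zabbix
# context-specific lists the frontend uses; the real lists are far larger.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "zabbix",
                    "zabbixadmin", "admin123"}

# Assumed special-character set (ASCII punctuation); the frontend shows its
# own list in the hint next to the checkbox.
SPECIAL_CHARS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")

# Passwords longer than this are truncated before storage (page note).
MAX_STORED_LENGTH = 72


@dataclass
class PasswordPolicy:
    min_length: int = 8               # default 8, supported range 1-70
    require_case: bool = False        # an uppercase and a lowercase Latin letter
    require_digit: bool = False
    require_special: bool = False
    avoid_easy_to_guess: bool = False


def check_password(password, policy, username="", name="", surname="",
                   common=COMMON_PASSWORDS):
    """Return the list of violated requirements; an empty list means accepted."""
    # Only the stored prefix counts, so a required character beyond
    # position 72 does not satisfy the policy.
    password = password[:MAX_STORED_LENGTH]
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"must be at least {policy.min_length} characters long")
    if policy.require_case and not (re.search(r"[A-Z]", password)
                                    and re.search(r"[a-z]", password)):
        problems.append("must contain an uppercase and a lowercase Latin letter")
    if policy.require_digit and not re.search(r"[0-9]", password):
        problems.append("must contain a digit")
    if policy.require_special and not any(c in SPECIAL_CHARS for c in password):
        problems.append("must contain a special character")
    if policy.avoid_easy_to_guess:
        lowered = password.lower()
        # Assumed: the name, surname and username checks are case-insensitive
        # substring matches, and the common-password lookup is case-insensitive.
        for label, value in (("username", username), ("name", name),
                             ("surname", surname)):
            if value and value.lower() in lowered:
                problems.append(f"must not contain user's {label}")
        if lowered in common:
            problems.append("must not be one of the common or "
                            "context-specific passwords")
    return problems


if __name__ == "__main__":
    strict = PasswordPolicy(require_case=True, require_digit=True,
                            require_special=True, avoid_easy_to_guess=True)
    for candidate in ("password", "Zabbix2024!", "Tr0ub4dor&3"):
        result = check_password(candidate, strict, username="Admin",
                                name="Zabbix", surname="Administrator")
        print(candidate, "->", result or "accepted")
```

The last two assertions in a test of this model are the interesting ones: a 73-character password whose only lowercase letter is the 73rd fails the case requirement, while the same letter at position 72 passes, which is exactly why the table warns about truncation.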

[comment]: # ({/72802abe-d3760aa9})

[comment]: # ({58c69118-096ce00b})
### HTTP authentication

HTTP or web server-based authentication (for example, Basic
Authentication, NTLM/Kerberos) can be used to check user names and
passwords. Note that the user must also exist in Zabbix; however, its
Zabbix password will not be used.

::: noteimportant
Be careful! Make sure that web server
authentication is configured and working properly before switching it
on.
:::

![](../../../../../assets/en/manual/web_interface/frontend_sections/administration/auth_http.png){width="600"}

Configuration parameters:

|Parameter|Description|
|--|--------|
|*Enable HTTP authentication*|Mark the checkbox to enable HTTP authentication. Hovering the mouse over ![](../../../../../assets/en/manual/web_interface/frontend_sections/administration/auth_http_2.png) will bring up a hint box warning that in the case of web server authentication, all users (even with [frontend access](/manual/config/users_and_usergroups/usergroup#configuration) set to LDAP/Internal) will be authenticated by the web server, not by Zabbix.|
|*Default login form*|Specify whether to direct non-authenticated users to:<br>**Zabbix login form** - standard Zabbix login page.<br>**HTTP login form** - HTTP login page.<br>It is recommended to enable web-server based authentication for the `index_http.php` page only. If *Default login form* is set to 'HTTP login form', the user will be logged in automatically if the web server authentication module sets a valid user login in the `$_SERVER` variable.<br>Supported `$_SERVER` keys are `PHP_AUTH_USER`, `REMOTE_USER`, `AUTH_USER`.|
|*Remove domain name*|A comma-delimited list of domain names that should be removed from the username.<br>E.g. `comp,any` - if username is 'Admin\@any', 'comp\\Admin', user will be logged in as 'Admin'; if username is 'notacompany\\Admin', login will be denied.|
|*Case sensitive login*|Unmark the checkbox to disable case-sensitive login for usernames (enabled by default).<br>Disabling case-sensitive login allows logging in, for example, as "admin" even if the Zabbix user is "Admin" or "ADMIN".<br>Note that if case-sensitive login is disabled and there are multiple Zabbix users with similar usernames (e.g., Admin and admin), the login for those users will always be denied with the following error message: "Authentication failed: supplied credentials are not unique."|

::: notetip
For internal users who are unable to log in using HTTP
credentials (with the HTTP login form set as default), which leads to a 401
error, you may want to add an `ErrorDocument 401 /index.php?form=default`
line to the basic authentication directives, which will redirect to the
regular Zabbix login form.
:::
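The *Remove domain name* and *Case sensitive login* rows above define a small decision procedure: pick the login the web server supplied, strip an allowed domain, then map it onto a Zabbix user, refusing ambiguous matches. As an added example that is not Zabbix's own code, this Python function follows those rules over a PHP-style `$_SERVER` dictionary. The precedence order of the three `$_SERVER` keys, exact (case-sensitive) matching of domain names, and passing through logins without a domain part are assumptions.

```python
# $_SERVER keys the page lists as supported; checking them in this order
# is an assumption.
SERVER_LOGIN_KEYS = ("PHP_AUTH_USER", "REMOTE_USER", "AUTH_USER")

NOT_UNIQUE = "Authentication failed: supplied credentials are not unique."


def strip_domain(login, remove_domains):
    """Apply the 'Remove domain name' rule.

    remove_domains is the comma-delimited frontend value, e.g. "comp,any".
    Returns the bare username, or None when the login carries a domain that
    is not on the list (the page: login is denied). A login without any
    domain part is passed through unchanged (assumption).
    """
    allowed = {d.strip() for d in remove_domains.split(",") if d.strip()}
    if "\\" in login:                       # DOMAIN\user
        domain, _, user = login.partition("\\")
    elif "@" in login:                      # user@domain
        user, _, domain = login.rpartition("@")
    else:
        return login
    return user if domain in allowed else None


def match_zabbix_user(login, zabbix_users, case_sensitive=True):
    """Map a web-server login to a Zabbix username.

    Returns (username, None) on success or (None, reason). With
    case-sensitive login disabled, two users that differ only by case make
    the login ambiguous and it is refused with the page's error text.
    """
    if case_sensitive:
        if login in zabbix_users:
            return login, None
        return None, "no such Zabbix user"
    matches = sorted(u for u in zabbix_users if u.lower() == login.lower())
    if len(matches) > 1:
        return None, NOT_UNIQUE
    if matches:
        return matches[0], None
    return None, "no such Zabbix user"


def resolve_http_login(server, remove_domains, zabbix_users,
                       case_sensitive=True):
    """Full decision: returns ("ok", username) or ("denied", reason)."""
    login = next((server[k] for k in SERVER_LOGIN_KEYS if server.get(k)), None)
    if not login:
        return "denied", "web server supplied no login"
    bare = strip_domain(login, remove_domains)
    if bare is None:
        return "denied", f"domain of '{login}' is not in the remove-domain list"
    user, reason = match_zabbix_user(bare, zabbix_users, case_sensitive)
    return ("ok", user) if user else ("denied", reason)


if __name__ == "__main__":
    users = {"Admin", "guest"}          # constructed Zabbix user list
    for login in ("comp\\Admin", "Admin@any", "notacompany\\Admin"):
        print(login, "->", resolve_http_login({"REMOTE_USER": login},
                                              "comp,any", users))
```

Note that with HTTP authentication enabled every user is authenticated by the web server, so the Zabbix-side checks here only decide which Zabbix account a web-server identity maps to; they never verify a password.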

[comment]: # ({/58c69118-096ce00b})

[comment]: # ({d3e3a386-b032eddc})
### LDAP authentication

External LDAP authentication can be used to check user names and
passwords. Note that the user must also exist in Zabbix; however, its
Zabbix password will not be used.

Zabbix LDAP authentication works at least with Microsoft Active
Directory and OpenLDAP.

![](../../../../../assets/en/manual/web_interface/frontend_sections/administration/auth_ldap.png)

Configuration parameters:

|Parameter|Description|
|--|--------|
|*Enable LDAP authentication*|Mark the checkbox to enable LDAP authentication.|
|*LDAP host*|Name of LDAP server. For example: ldap://ldap.zabbix.com<br>For secure LDAP server use *ldaps* protocol.<br>ldaps://ldap.zabbix.com<br>With OpenLDAP 2.x.x and later, a full LDAP URI of the form ldap://hostname:port or ldaps://hostname:port may be used.|
|*Port*|Port of the LDAP server. Default is 389.<br>For a secure LDAP connection the port number is normally 636.<br>Not used when a full LDAP URI is specified.|
|*Base DN*|Base path to search accounts:<br>ou=Users,ou=system (for OpenLDAP),<br>DC=company,DC=com (for Microsoft Active Directory)|
|*Search attribute*|LDAP account attribute used for search:<br>uid (for OpenLDAP),<br>sAMAccountName (for Microsoft Active Directory)|
|*Bind DN*|LDAP account for binding and searching over the LDAP server, examples:<br>uid=ldap\_search,ou=system (for OpenLDAP),<br>CN=ldap\_search,OU=user\_group,DC=company,DC=com (for Microsoft Active Directory)<br>Anonymous binding is also supported. Note that anonymous binding potentially opens up domain configuration to unauthorized users (information about users, computers, servers, groups, services, etc.). For security reasons, disable anonymous binds on LDAP hosts and use authenticated access instead.|
|*Case sensitive login*|Unmark the checkbox to disable case-sensitive login for usernames (enabled by default).<br>Disabling case-sensitive login allows logging in, for example, as "admin" even if the Zabbix user is "Admin" or "ADMIN".<br>Note that if case-sensitive login is disabled and there are multiple Zabbix users with similar usernames (e.g., Admin and admin), the login for those users will always be denied with the following error message: "Authentication failed: supplied credentials are not unique."|
|*Bind password*|LDAP password of the account for binding and searching over the LDAP server.|
|*Test authentication*|Header of a section for testing|
|*Login*|Name of a test user (the user currently logged in to the Zabbix frontend). This user name must exist in the LDAP server.<br>Zabbix will not activate LDAP authentication if it is unable to authenticate the test user.|
|*User password*|LDAP password of the test user.|

::: notewarning
If there is trouble with certificates, making a
secure LDAP connection (ldaps) work may require adding a
`TLS_REQCERT allow` line to the /etc/openldap/ldap.conf configuration
file. This may decrease the security of the connection to the LDAP
catalog.
:::

::: notetip
It is recommended to create a separate LDAP account (*Bind DN*) with minimal privileges in the LDAP server to perform binding and searching, instead of using a real user account (one used for logging in to the Zabbix frontend).<br>
Such an approach provides more security and does not require changing the *Bind password* when the user changes their own password in the LDAP server.<br>
In the table above, this is the *ldap\_search* account.
:::
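The LDAP parameters above, together with the two notes, describe how the *LDAP host* and *Port* fields combine into a server URI, how the *Search attribute* is used to look the login up under *Base DN*, and which settings (plain ldap://, anonymous bind, `TLS_REQCERT allow`) weaken the connection. The following is an added Python example, not Zabbix's own code, that makes these rules explicit. Treating a scheme-less host as ldap:// and the exact wording of the warnings are assumptions; the filter escaping is the standard RFC 4515 rule that any search step must apply so that a login name is matched literally.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def ldap_uri(host, port=389):
    """Resolve the 'LDAP host' and 'Port' parameters into one URI.

    A full URI with an explicit port (ldap://host:port, ldaps://host:port)
    is used as-is and the Port field is ignored; a scheme-less host is
    assumed to mean plain ldap:// (assumption).
    """
    parts = urlsplit(host if "://" in host else "ldap://" + host)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an LDAP host/URI: {host!r}")
    effective_port = parts.port if parts.port is not None else port
    return f"{scheme}://{parts.hostname}:{effective_port}"


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch
                   for ch in value)


def search_filter(search_attribute, login):
    """Filter the search step issues under Base DN, e.g. (uid=jdoe)."""
    return f"({search_attribute}={escape_filter_value(login)})"


def config_warnings(host, port=389, bind_dn="", tls_reqcert="demand"):
    """List settings from this page that weaken the LDAP connection.

    tls_reqcert mirrors the TLS_REQCERT value in /etc/openldap/ldap.conf.
    """
    warnings = []
    uri = ldap_uri(host, port)
    if uri.startswith("ldap://"):
        warnings.append("plain ldap:// (no TLS): the bind password and user "
                        "passwords cross the network unencrypted")
    if not bind_dn.strip():
        warnings.append("anonymous bind: directory contents may be readable "
                        "by unauthenticated clients; use a dedicated Bind DN")
    if tls_reqcert.lower() in ("allow", "never"):
        warnings.append(f"TLS_REQCERT {tls_reqcert}: the server certificate "
                        "is not verified, so ldaps no longer proves which "
                        "server answered")
    return warnings


if __name__ == "__main__":
    # Constructed settings matching the table's OpenLDAP examples.
    print(ldap_uri("ldaps://ldap.zabbix.com", 636))
    print(search_filter("uid", "j.doe (external)"))
    for w in config_warnings("ldap://ldap.zabbix.com", 389, bind_dn="",
                             tls_reqcert="allow"):
        print("warning:", w)
```

A clean result from `config_warnings` (ldaps, a dedicated bind account, certificate verification left at its default) corresponds to the configuration the two notes above recommend.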

[comment]: # ({/d3e3a386-b032eddc})

[comment]: # ({cc7ae197-cc7ae197})
### SAML authentication

SAML 2.0 authentication can be used to sign in to Zabbix. Note that the
user must exist in Zabbix; however, its Zabbix password will not be
used. If authentication is successful, Zabbix will match a local
username with the username attribute returned by SAML.

::: noteclassic
If SAML authentication is enabled, users will be able to
choose between logging in locally or via SAML Single Sign-On.
:::

[comment]: # ({/cc7ae197-cc7ae197})

[comment]: # ({2d356342-6700a0b3})
#### Setting up the identity provider

In order to work with Zabbix, a SAML identity provider
([onelogin.com](https://onelogin.com), [auth0.com](https://auth0.com),
[okta.com](https://okta.com), etc.) needs to be configured in the
following way:

-   *Assertion Consumer URL* should be set to
    `<path_to_zabbix_ui>/index_sso.php?acs`
-   *Single Logout URL* should be set to
    `<path_to_zabbix_ui>/index_sso.php?sls`

`<path_to_zabbix_ui>` examples: `https://example.com/zabbix/ui`,
`http://another.example.com/zabbix`,
`http://<any_public_ip_address>/zabbix`

[comment]: # ({/2d356342-6700a0b3})

[comment]: # ({080e3f17-be70e1a1})
#### Setting up Zabbix

::: noteimportant
php-openssl must be installed to use SAML authentication in the
frontend.
:::

To use SAML authentication, Zabbix should be configured in the following
way:

1\. The private key and certificate should be stored in
*ui/conf/certs/*, unless custom paths are provided in
[zabbix.conf.php](authentication#advanced_settings).

By default, Zabbix will look in the following locations:

-   ui/conf/certs/sp.key - SP private key file
-   ui/conf/certs/sp.crt - SP cert file
-   ui/conf/certs/idp.crt - IDP cert file

2\. All of the most important settings can be configured in the Zabbix
frontend. Additional settings can be specified in the
[configuration file](authentication#advanced_settings).

![](../../../../../assets/en/manual/web_interface/frontend_sections/administration/auth_saml.png)

Configuration parameters, available in the Zabbix frontend:

|Parameter|Description|
|--|--------|
|*Enable SAML authentication*|Mark the checkbox to enable SAML authentication.|
|*IDP entity ID*|The unique identifier of SAML identity provider.|
|*SSO service URL*|The URL users will be redirected to when logging in.|
|*SLO Service URL*|The URL users will be redirected to when logging out. If left empty, the SLO service will not be used.|
|*Username attribute*|SAML attribute to be used as a username when logging into Zabbix.<br>List of supported values is determined by the identity provider.<br><br>Examples:<br>uid<br>userprincipalname<br>samaccountname<br>username<br>userusername<br><urn:oid:0.9.2342.19200300.100.1.1><br><urn:oid:1.3.6.1.4.1.5923.1.1.1.13><br><urn:oid:0.9.2342.19200300.100.1.44>|
|*SP entity ID*|The unique identifier of SAML service provider.|
|*SP name ID format*|Request a particular name ID format in the response.<br><br>Examples:<br><urn:oasis:names:tc:SAML:2.0:nameid-format:persistent><br><urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified><br><urn:oasis:names:tc:SAML:2.0:nameid-format:transient>|
|*Sign*|Mark the checkboxes to select entities for which SAML signature should be enabled:<br>*Messages*<br>*Assertions*<br>*AuthN requests*<br>*Logout requests*<br>*Logout responses*|
|*Encrypt*|Mark the checkboxes to select entities for which SAML encryption should be enabled:<br>*Assertions*<br>*Name ID*|
|*Case sensitive login*|Unmark the checkbox to disable case-sensitive login for usernames (enabled by default).<br>Disabling case-sensitive login allows logging in, for example, as "admin" even if the Zabbix user is "Admin" or "ADMIN".<br>Note that if case-sensitive login is disabled and there are multiple Zabbix users with similar usernames (e.g., Admin and admin), the login for those users will always be denied with the following error message: "Authentication failed: supplied credentials are not unique."|

[comment]: # ({/080e3f17-be70e1a1})

[comment]: # ({19c49e31-be372f8e})
##### Advanced settings

Additional SAML parameters can be configured in the Zabbix frontend
configuration file (*zabbix.conf.php*):

-   `$SSO['SP_KEY'] = '<path to the SP private key file>';`
-   `$SSO['SP_CERT'] = '<path to the SP cert file>';`
-   `$SSO['IDP_CERT'] = '<path to the IDP cert file>';`
-   `$SSO['SETTINGS']`

::: noteclassic
The `$SSO['SETTINGS']` array must follow the same structure expected by the *SAML PHP Toolkit* library ([supplied](/manual/installation/requirements#frontend) with Zabbix).
For a full description of available configuration options, refer to the official [library documentation](https://github.com/SAML-Toolkits/php-saml?tab=readme-ov-file#how-it-works).
:::

Only the following options can be set as part of `$SSO['SETTINGS']`:

-   *strict*
-   *baseurl*
-   *compress*
-   *contactPerson*
-   *organization*
-   *sp* (only options specified in this list)
    -   *attributeConsumingService*
    -   *x509certNew*
-   *idp* (only options specified in this list)
    -   *singleLogoutService* (only one option)
        -   *responseUrl*
    -   *certFingerprint*
    -   *certFingerprintAlgorithm*
    -   *x509certMulti*
-   *security* (only options specified in this list)
    -   *signMetadata*
    -   *wantNameId*
    -   *requestedAuthnContext*
    -   *requestedAuthnContextComparison*
    -   *wantXMLValidation*
    -   *relaxDestinationValidation*
    -   *destinationStrictlyMatches*
    -   *rejectUnsolicitedResponsesWithInResponseTo*
    -   *signatureAlgorithm*
    -   *digestAlgorithm*
    -   *lowercaseUrlencoding*

All other options will be taken from the database and cannot be
overridden. The *debug* option will be ignored.

In addition, if Zabbix UI is behind a proxy or a load balancer, the
custom *use\_proxy\_headers* option can be used:

-   *false* (default) - ignore the option;
-   *true* - use X-Forwarded-\* HTTP headers for building the base URL.

If a load balancer in front of the Zabbix instance terminates TLS/SSL while Zabbix itself does not use it, the 'baseurl', 'strict' and 'use_proxy_headers' parameters must be set as follows:

```php
$SSO['SETTINGS'] = [
    'strict' => false,
    'baseurl' => 'https://zabbix.example.com/zabbix/',
    'use_proxy_headers' => true
];
```
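The allow-list above, the rule that everything else comes from the database, the ignored *debug* option and the *use\_proxy\_headers* behaviour together define how `$SSO['SETTINGS']` is merged with the frontend's stored configuration. The following is an added Python model of that merge, not Zabbix's or the SAML PHP Toolkit's code. The `X-Forwarded-Proto`/`X-Forwarded-Host` header names, the PHP-style `$_SERVER` keys used to read them, and the sample values are assumptions or constructed data.

```python
from copy import deepcopy

# Allow-list of zabbix.conf.php overrides taken from the page. None means a
# plain value may be set; a dict means only the listed sub-keys may be set.
ALLOWED_OVERRIDES = {
    "strict": None, "baseurl": None, "compress": None,
    "contactPerson": None, "organization": None,
    "use_proxy_headers": None,          # Zabbix-specific option (see above)
    "sp": {"attributeConsumingService": None, "x509certNew": None},
    "idp": {
        "singleLogoutService": {"responseUrl": None},
        "certFingerprint": None, "certFingerprintAlgorithm": None,
        "x509certMulti": None,
    },
    "security": {k: None for k in (
        "signMetadata", "wantNameId", "requestedAuthnContext",
        "requestedAuthnContextComparison", "wantXMLValidation",
        "relaxDestinationValidation", "destinationStrictlyMatches",
        "rejectUnsolicitedResponsesWithInResponseTo", "signatureAlgorithm",
        "digestAlgorithm", "lowercaseUrlencoding",
    )},
}

_MISSING = object()


def filter_overrides(settings, rules=ALLOWED_OVERRIDES, path=()):
    """Drop every key the allow-list does not permit ('debug' included).

    Returns (kept, dropped); dropped lists the dotted paths of ignored keys.
    """
    kept, dropped = {}, []
    for key, value in settings.items():
        rule = rules.get(key, _MISSING)
        if rule is _MISSING:
            dropped.append(".".join(path + (key,)))
        elif isinstance(rule, dict):
            if isinstance(value, dict):
                sub_kept, sub_dropped = filter_overrides(value, rule, path + (key,))
                kept[key] = sub_kept
                dropped.extend(sub_dropped)
            else:
                dropped.append(".".join(path + (key,)))
        else:
            kept[key] = value
    return kept, dropped


def effective_settings(db_settings, file_settings):
    """Database values are the base; only allow-listed keys from
    $SSO['SETTINGS'] override them, merged key by key."""
    overrides, dropped = filter_overrides(file_settings)
    merged = deepcopy(db_settings)

    def merge(dst, src):
        for key, value in src.items():
            if isinstance(value, dict) and isinstance(dst.get(key), dict):
                merge(dst[key], value)
            else:
                dst[key] = value

    merge(merged, overrides)
    return merged, dropped


def base_url(use_proxy_headers, server):
    """Scheme and host the frontend would use for its own SAML URLs.

    server mimics PHP's $_SERVER. With use_proxy_headers, the assumed
    X-Forwarded-Proto / X-Forwarded-Host headers describe the client-facing
    side of the load balancer; otherwise the request as it reached PHP wins.
    """
    if use_proxy_headers:
        scheme = server.get("HTTP_X_FORWARDED_PROTO",
                            server.get("REQUEST_SCHEME", "http"))
        host = server.get("HTTP_X_FORWARDED_HOST",
                          server.get("HTTP_HOST", "localhost"))
    else:
        scheme = server.get("REQUEST_SCHEME", "http")
        host = server.get("HTTP_HOST", "localhost")
    return f"{scheme}://{host}/"


if __name__ == "__main__":
    # Constructed: TLS terminated at the balancer, PHP sees plain HTTP.
    server = {"REQUEST_SCHEME": "http", "HTTP_HOST": "10.0.0.5",
              "HTTP_X_FORWARDED_PROTO": "https",
              "HTTP_X_FORWARDED_HOST": "zabbix.example.com"}
    print(base_url(False, server), "->", base_url(True, server))
```

The `base_url` pair shows why the load-balancer case needs `use_proxy_headers`: without it the frontend would build `http://10.0.0.5/`-based URLs that do not match the `https://` Assertion Consumer URL registered at the identity provider. Only enable it where the balancer sets those headers itself and Zabbix is not reachable directly, since the headers are otherwise client-controlled input.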

**Configuration example:**

```php
$SSO['SETTINGS'] = [
    'security' => [
        'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384',
        'digestAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#sha384',
        // ...
    ],
    // ...
];
```

[comment]: # ({/19c49e31-be372f8e})


[comment]: # ({32ef8a47-2e5c6dcf})

##### Frontend configuration with Kerberos/ADFS

The Zabbix frontend configuration file (*zabbix.conf.php*) can be used to configure SSO with Kerberos authentication and ADFS:

```php
$SSO['SETTINGS'] = [
    'security' => [
        'requestedAuthnContext' => [
            'urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos',
        ],
        'requestedAuthnContextComparison' => 'exact'
    ]
];
```

In this case, set the *SP name ID format* field in the SAML configuration to:

    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

[comment]: # ({/32ef8a47-2e5c6dcf})
