[comment]: # translation:outdated

[comment]: # ({3a0ed9f2-3a0ed9f2})
# 3 Authentication

[comment]: # ({/3a0ed9f2-3a0ed9f2})

[comment]: # ({new-ea286503})
#### Overview

In *Administration → Authentication* the user authentication method to
Zabbix can be changed. The available methods are internal, LDAP and HTTP
authentication.

![](../../../../../assets/en/manual/web_interface/frontend_sections/administration/authentication.png)

By default, internal Zabbix authentication is used. To change, click on
the button with the method name and press *Update*.

[comment]: # ({/new-ea286503})

[comment]: # ({2326e0aa-23d6b356})
##### Internal

Internal Zabbix authentication is used.

[comment]: # ({/2326e0aa-23d6b356})

[comment]: # ({b94890c8-e31f6ce6})
##### LDAP

External LDAP authentication can be used to check user names and
passwords. Note that a user must exist in Zabbix as well, however its
Zabbix password will not be used.

Zabbix LDAP authentication works at least with Microsoft Active
Directory and OpenLDAP.

![](../../../../../assets/en/manual/web_interface/frontend_sections/administration/auth_ldap.png)

Configuration parameters:

|Parameter|Description|
|---------|-----------|
|*LDAP host*|Name of LDAP server. For example: ldap://ldap.zabbix.com<br>For secure LDAP server use *ldaps* protocol.<br>ldaps://ldap.zabbix.com<br>With OpenLDAP 2.x.x and later, a full LDAP URI of the form ldap://hostname:port or ldaps://hostname:port may be used.|
|*Port*|Port of LDAP server. Default is 389.<br>For secure LDAP connection port number is normally 636.<br>Not used when using full LDAP URIs.|
|*Base DN*|Base path to search accounts:<br>ou=Users,ou=system (for OpenLDAP),<br>DC=company,DC=com (for Microsoft Active Directory)|
|*Search attribute*|LDAP account attribute used for search:<br>uid (for OpenLDAP),<br>sAMAccountName (for Microsoft Active Directory)|
|*Bind DN*|LDAP account for binding and searching over the LDAP server, examples:<br>uid=ldap\_search,ou=system (for OpenLDAP),<br>CN=ldap\_search,OU=user\_group,DC=company,DC=com (for Microsoft Active Directory)<br><br>Required, anonymous binding is not supported.|
|*Bind password*|LDAP password of the account for binding and searching over the LDAP server.|
|*Test authentication*|Header of a section for testing|
|*Login*|Name of a test user (which is currently logged in the Zabbix frontend). This user name must exist in the LDAP server.<br>Zabbix will not activate LDAP authentication if it is unable to authenticate the test user.|
|*User password*|LDAP password of the test user.|

::: notewarning
In case of trouble with certificates, to make a
secure LDAP connection (ldaps) work you may need to add a
`TLS_REQCERT allow` line to the /etc/openldap/ldap.conf configuration
file. It may decrease the security of connection to the LDAP
catalog.
:::

::: notetip
It is recommended to create a separate LDAP account
(*Bind DN*) to perform binding and searching over the LDAP server with
minimal privileges in the LDAP instead of using real user accounts (used
for logging in the Zabbix frontend).\
Such an approach provides more security and does not require changing
the *Bind password* when the user changes his own password in the LDAP
server.\
In the table above it's *ldap\_search* account name.
:::

::: notetip
Some user groups can still be authenticated by Zabbix.
These groups must have [frontend
access](/fr/manual/config/users_and_usergroups/usergroup#configuration)
set to Internal.
:::

[comment]: # ({/b94890c8-e31f6ce6})

[comment]: # ({f7716e89-5257d20b})
##### HTTP

Apache-based (HTTP) authentication can be used to check user names and
passwords. Note that a user must exist in Zabbix as well, however its
Zabbix password will not be used.

::: noteimportant
Be careful! Make sure that Apache authentication
is configured and works properly before switching it on.
:::

::: noteclassic
In case of Apache authentication all users (even with
[frontend
access](/fr/manual/config/users_and_usergroups/usergroup#configuration)
set to Internal) will be authenticated by Apache, not by
Zabbix!
:::

[comment]: # ({/f7716e89-5257d20b})

[comment]: # ({6700a0b3-6700a0b3})
#### Setting up the identity provider

In order to work with Zabbix, a SAML identity provider
([onelogin.com](https://onelogin.com), [auth0.com](https://auth0.com),
[okta.com](https://okta.com), etc.) needs to be configured in the
following way:

-   *Assertion Consumer URL* should be set to
    `<path_to_zabbix_ui>/index_sso.php?acs`
-   *Single Logout URL* should be set to
    `<path_to_zabbix_ui>/index_sso.php?sls`

`<path_to_zabbix_ui>` examples: %% <https://example.com/zabbix/ui>,
<http://another.example.com/zabbix>,
<http://><any\_public\_ip\_address>/zabbix %%

[comment]: # ({/6700a0b3-6700a0b3})

[comment]: # ({2d0217ea-2d0217ea})
#### Setting up Zabbix

::: noteimportant
It is required to install php-openssl if you want
to use SAML authentication in the frontend.
:::

To use SAML authentication Zabbix should be configured in the following
way:

1\. Private key and certificate should be stored in the //
ui/conf/certs///, unless custom paths are provided in
[zabbix.conf.php](authentication#advanced_settings).

By default, Zabbix will look in the following locations:

-   ui/conf/certs/sp.key - SP private key file
-   ui/conf/certs/sp.crt - SP cert file
-   ui/conf/certs/idp.crt - IDP cert file

2\. All of the most important settings can be configured in the Zabbix
frontend. However, it is possible to specify additional settings in the
[configuration file](authentication#advanced_settings).

![](../../../../../assets/en/manual/web_interface/frontend_sections/administration/auth_saml0.png)

Configuration parameters, available in the Zabbix frontend:

|Parameter|Description|
|---------|-----------|
|*Enable SAML authentication*|Mark the checkbox to enable SAML authentication.|
|*IDP entity ID*|The unique identifier of SAML identity provider.|
|*SSO service URL*|The URL users will be redirected to when logging in.|
|*SLO Service URL*|The URL users will be redirected to when logging out. If left empty, the SLO service will not be used.|
|// Username attribute//|SAML attribute to be used as a username when logging into Zabbix.<br>List of supported values is determined by the identity provider.<br><br>Examples:<br>uid<br>userprincipalname<br>samaccountname<br>username<br>userusername<br><urn:oid:0.9.2342.19200300.100.1.1><br><urn:oid:1.3.6.1.4.1.5923.1.1.1.13><br><urn:oid:0.9.2342.19200300.100.1.44>|
|*SP entity ID*|The unique identifier of SAML service provider.|
|*SP name ID format*|Defines which name identifier format should be used.<br><br>Examples:<br><urn:oasis:names:tc:SAML:2.0:nameid-format:persistent><br><urn:oasis:names:tc:SAML:2.0:nameid-format:transient><br><urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos><br><urn:oasis:names:tc:SAML:2.0:nameid-format:entity>|
|*Sign*|Mark the checkboxes to select entities for which SAML signature should be enabled:<br>*Messages*<br>*Assertions*<br>*AuthN requests*<br>*Logout requests*<br>*Logout responses*|
|*Encrypt*|Mark the checkboxes to select entities for which SAML encryption should be enabled:<br>*Assertions*<br>*Name ID*|
|*Case-sensitive login*|Mark the checkbox to enable case-sensitive login (disabled by default) for usernames.<br>E.g. disable case-sensitive login and log in with, for example, 'ADMIN' user even if the Zabbix user is 'Admin'.<br>*Note* that with case-sensitive login disabled the login will be denied if multiple users exist in Zabbix database with similar alias (e.g. Admin, admin).|

[comment]: # ({/2d0217ea-2d0217ea})

[comment]: # ({be372f8e-be372f8e})
##### Advanced settings

Additional SAML parameters can be configured in the Zabbix frontend
configuration file (*zabbix.conf.php*):

-   $SSO\['SP\_KEY'\] = '<path to the SP private key file>';
-   $SSO\['SP\_CERT'\] = '<path to the SP cert file>';
-   $SSO\['IDP\_CERT'\] = '<path to the IDP cert file>';
-   $SSO\['SETTINGS'\]

::: noteclassic
 Zabbix uses [OneLogin's SAML PHP
Toolkit](https://github.com/onelogin/php-saml/tree/3.4.1) library
(version 3.4.1). The structure of $SSO\['SETTINGS'\] section should be
similar to the structure used by the library. For the description of
configuration options, see official library
[documentation](https://github.com/onelogin/php-saml/tree/3.4.1/#user-content-settings).

:::

Only the following options can be set as part of $SSO\['SETTINGS'\]:

-   *strict*
-   *baseurl*
-   *compress*
-   *contactPerson*
-   *organization*
-   *sp* (only options specified in this list)
    -   *attributeConsumingService*
    -   *x509certNew*
-   *idp* (only options specified in this list)
    -   *singleLogoutService* (only one option)
        -   *responseUrl*
    -   *certFingerprint*
    -   *certFingerprintAlgorithm*
    -   *x509certMulti*
-   *security* (only options specified in this list)
    -   *signMetadata*
    -   *wantNameId*
    -   *requestedAuthnContext*
    -   *requestedAuthnContextComparison*
    -   *wantXMLValidation*
    -   *relaxDestinationValidation*
    -   *destinationStrictlyMatches*
    -   *rejectUnsolicitedResponsesWithInResponseTo*
    -   *signatureAlgorithm*
    -   *digestAlgorithm*
    -   *lowercaseUrlencoding*

All other options will be taken from the database and cannot be
overridden. The *debug* option will be ignored.

In addition, if Zabbix UI is behind a proxy or a load balancer, the
custom *use\_proxy\_headers* option can be used:

-   *false* (default) - ignore the option;
-   *true* - use X-Forwarded-\* HTTP headers for building the base URL.

**Configuration example:**

    $SSO['SETTINGS'] = [
        'security' => [
            'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
            'digestAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#sha384',
            // ...
        ],
        // ...
    ];

[comment]: # ({/be372f8e-be372f8e})