opsdis/icinga-adfs

icinga-adfs

External authentication backend for Icinga that uses SAML (ADFS)

Requirements: mod_auth_mellon

Installation:

This guide assumes a Debian-based Linux distribution.

  1. Compile and install the mod_auth_mellon package (https://github.com/Uninett/mod_auth_mellon/releases/tag/v0.14.2)

  2. Create metadata for the Icinga ServiceProvider with mellon_create_metadata.sh. The first argument (https://icinga2.example.com/icinga2) becomes the SP entityID; the second (https://icinga2.example.com/mellon) is the full URL of the MellonEndpointPath:

```sh
wget https://raw.githubusercontent.com/Uninett/mod_auth_mellon/master/mellon_create_metadata.sh

chmod +x mellon_create_metadata.sh

./mellon_create_metadata.sh https://icinga2.example.com/icinga2 https://icinga2.example.com/mellon
```

  3. ADFS: add the following to the SP metadata XML before the </SPSSODescriptor> tag:

```xml
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
```

  4. Adjust the parameters in index.php and adfs.conf.

  5. Place authentication.ini in /etc/icingaweb2/:

```sh
cp authentication.ini /etc/icingaweb2/
```

  6. Place index.php in /var/www/html/login/ and locallogin.php in /var/www/html/locallogin/:

```sh
mkdir /var/www/html/login/ /var/www/html/locallogin/

cp index.php /var/www/html/login/index.php

cp locallogin.php /var/www/html/locallogin/index.php
```

  7. Place adfs.conf in /etc/apache2/sites-enabled/:

```sh
cp adfs.conf /etc/apache2/sites-enabled/
```

  8. Edit index.php: under $mapping, change the group id that admins will be assigned to, and the database credentials.

  9. ADFS: establish a Relying Party Trust for the SP in ADFS:

Add a claim rule that issues the http://schemas.microsoft.com/ws/2008/06/identity/claims/role claim.

Add a 'Transform an Incoming Claim' rule that transforms 'UPN' into 'Name ID' with the 'Transient Identifier' Name ID format.

  10. Exchange metadata with the IdP: give the XML generated by mellon_create_metadata.sh to the ADFS side, and obtain FederationMetadata.xml from the IdP.

ADFS metadata path example: https://fs.example.com/federationmetadata/2007-06/FederationMetadata.xml

  11. Place the IdP metadata (obtained from ADFS) in /etc/apache2/mellon/idp-metadata.xml

  12. Test the Apache config:

```sh
apachectl configtest
```

  13. Restart Apache after a successful test:

```sh
systemctl restart apache2
```
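The steps above reference adfs.conf without showing it. The following is an added example of a minimal mod_auth_mellon configuration for this setup; it is not the project's own adfs.conf. It assumes the files produced by mellon_create_metadata.sh were copied to /etc/apache2/mellon/ under the names shown (the script names them after the entityID, so rename or adjust), that ADFS issues the role claim configured in the Relying Party Trust, that the site is served over HTTPS only, and that /locallogin is protected with the htpasswd file created under "Additional steps". The variable name `role` and the role value `Icinga Users` are assumptions.

```apache
# /etc/apache2/sites-enabled/adfs.conf
# Added example (not the project's own adfs.conf). Paths under /etc/apache2/mellon/,
# the "role" variable name and the "Icinga Users" role value are assumptions.

# Parse SAML sessions site-wide and expose assertion attributes to PHP, but
# require nothing yet: "info" only populates the environment for logged-in users.
<Location />
    MellonEnable "info"
    # Path component of the second argument given to mellon_create_metadata.sh.
    MellonEndpointPath "/mellon"
    # Files generated by mellon_create_metadata.sh, renamed when copied here.
    MellonSPMetadataFile   /etc/apache2/mellon/sp-metadata.xml
    MellonSPPrivateKeyFile /etc/apache2/mellon/sp-private-key.pem
    MellonSPCertFile       /etc/apache2/mellon/sp-cert.pem
    # FederationMetadata.xml downloaded from ADFS.
    MellonIdPMetadataFile  /etc/apache2/mellon/idp-metadata.xml
    # Never send the mellon session cookie over plain HTTP.
    MellonSecureCookie On
    # REMOTE_USER is taken from the NameID, which the ADFS transform rule fills with the UPN.
    MellonUser "NAME_ID"
    # Expose the ADFS role claim to PHP as MELLON_role instead of the raw claim URI.
    MellonSetEnv "role" "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
</Location>

# Only the SAML entry point forces a login; the index.php behind it maps
# MELLON_role to an Icinga Web 2 group.
<Location /login>
    MellonEnable "auth"
    # Optional: reject ADFS users holding none of the allowed roles before PHP runs.
    # MellonCond "role" "Icinga Users"
</Location>

# Local fallback login: HTTP Basic auth against the htpasswd file from "Additional steps".
<Location /locallogin>
    MellonEnable "off"
    AuthType Basic
    AuthName "Icinga Web 2 local login"
    AuthUserFile /etc/icingaweb2/.http-users
    Require valid-user
</Location>
```

After `apachectl configtest` and a restart, a request to /login redirects to ADFS; on return, PHP sees the UPN in `$_SERVER['REMOTE_USER']` and the role claim in `$_SERVER['MELLON_role']`. When ADFS issues several role values, mod_auth_mellon puts the first in `MELLON_role` and all of them in `MELLON_role_0`, `MELLON_role_1`, and so on, so index.php should check every indexed variable rather than only the first.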

Additional steps:

Create local users for the local login with htpasswd, for example `sudo htpasswd -c /etc/icingaweb2/.http-users icingaadmin`. The -c flag creates (and overwrites) the file, so use it only for the first user and omit it when adding more. See https://icinga.com/docs/icingaweb2/latest/doc/05-Authentication/#example-configuration-for-apache-and-basic-authentication

Reference: https://www.techsupportpk.com/2018/05/single-sign-on-apache-windows-adfs-rhel-centos.html
