问题描述
我正在尝试使用keycloak-proxy将Zabbix UI与Keycloak SSO集成在一起.我的设置如下:
I'm try to integrate Zabbix UI with Keycloak SSO, using keycloak-proxy.My setup is the following:
- Nginx是入口点:它处理虚拟主机",将请求转发到keycloak-proxy.
- Keyclock-proxy已配置有client_id,client_secret等,以向Keycloak验证用户身份;
- Apache上的Zabbix仪表板,默认设置:我启用HTTP身份验证.
我已经在Keycloak和Zabbix中创建了一个测试用户.身份验证流程还可以:我已重定向到KeyCloak,我进行了身份验证,但始终收到登录名或密码错误"的信息.通过Zabbix UI.
I've created a test user both in Keycloak and Zabbix.The authentication flow is ok: I'm redirected to KeyCloak, I do the authentication, but I always get "Login name or password is incorrect." from Zabbix UI.
我做错了什么?有没有人尝试将OIDC身份验证与Zabbix一起使用?
What am I doing wrong?Has anyone tried to use OIDC authentication with Zabbix?
我正在使用Zabbix 4.0,KeyCloak 4.4,Keycloak-proxy 2.3.0.
I' using Zabbix 4.0, KeyCloak 4.4, Keycloak-proxy 2.3.0.
keycloak-proxy配置:
keycloak-proxy configuration:
client-id: zabbix-client
client-secret: <secret>
discovery-url: http://keycloak.my.domain:8080/auth/realms/myrealm
enable-default-deny: true
enable-logout-redirect: true
enable-logging: true
encryption_key: <secret>
listen: 127.0.0.1:10080
redirection-url: http://testbed-zabbix.my.domain
upstream-url: http://a.b.c.d:80/zabbix
secure-cookie: false
enable-authorization-header: true
resources:
- uri: /*
roles:
- zabbix
推荐答案
Zabbix希望PHP_AUTH_USER
(或REMOTE_USER
或AUTH_USER
)标头带有用户名,但keycloak-proxy不提供它.让我们使用电子邮件作为用户名(理论上您可以使用访问令牌中的任何声明).将电子邮件添加到keycloak-proxy配置中的请求标头中:
Zabbix expects PHP_AUTH_USER
(or REMOTE_USER
or AUTH_USER
) header with the username, but keycloak-proxy doesn't provide it. Let's use email as a username (you can use any claim from the access token in theory). Add email to the request header in the keycloak-proxy config:
add-claims:
- email
并在Zabbix Apache配置中的电子邮件标头中创建PHP_AUTH_USER
变量:
And create PHP_AUTH_USER
variable from email header in the Zabbix Apache config:
SetEnvIfNoCase X-Auth-Email "(.*)" PHP_AUTH_USER=$1
注意:Conf语法可能不正确,因为它不在我的脑海中-可能需要一些调整.
Note: Conf syntax can be incorrect because it is off the top of my head - it may need some tweaks.
顺便说一句:有一个(hackish)用户补丁可用- https://support.zabbix .com/browse/ZBXNEXT-4640 ,但keycloak-gatekeeper是更好的解决方案
BTW: there is a (hackish) user patch available - https://support.zabbix.com/browse/ZBXNEXT-4640, but keycloak-gatekeeper is a better solution
记录:keycloak-proxy = keycloak-gatekeeper(该项目已重命名并最近迁移到keycloak org)
For the record: keycloak-proxy = keycloak-gatekeeper (the project was renamed and migrated to keycloak org recently)
这篇关于使用Keycloak-proxy的Zabbix HTTP身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!