Hello,
I set up external auth using keycloak with our apache1 server and now want to be able to define groups or roles in icinga based on the claims of the token. I did not find any information at all if this is possible. We are using AD at the moment, but the plan is to switch to keycloak completely.
Thank you for your help
I suspect you mean Icingaweb2.
Contact groups are in icinga2 not icingaweb2.
IMHO roles don’t care, in which backend the user is mentioned in a group.
The question is now how to get the information from the token, that’s known to Apache, into an Icingaweb2 group backend?
Yes, I mean icingaweb2. I’m using mod_auth_openidc. Yes, that is the question. I didn’t find any examples or clues on how to do this.
Can mod_auth_openidc expose the ticket content via env vars to icingaweb2?
If not I would start there and if it does then a new group backend for icingaweb2 would be my next step.
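As an added illustration of the approach suggested above (not code from the thread or from any Icinga module): mod_auth_openidc exports token claims as request environment variables, which a group backend can read. It assumes the module's defaults (claims passed with the OIDC_CLAIM_ prefix, multi-valued claims joined with ",", REMOTE_USER set from the configured remote-user claim) and a Keycloak claim named "groups"; all of these names are assumptions for the example.

```php
<?php
// Added example, not part of the thread or of any Icinga Web 2 module.
// Turns the group claim that mod_auth_openidc exports as a request
// environment variable into a list of group names for the logged-in user.
//
// Assumed mod_auth_openidc defaults: claim env vars carry the prefix
// OIDC_CLAIM_ (OIDCClaimPrefix), multi-valued claims are joined with ","
// (OIDCClaimDelimiter) and REMOTE_USER holds the OIDCRemoteUserClaim value.
// The claim name "groups" is an assumed Keycloak mapper name.

function oidcGroups(array $server, string $claim = 'groups', string $delimiter = ','): array
{
    // Only trust the claim variables once the module has authenticated
    // the request; an unauthenticated request must yield no memberships.
    if (empty($server['REMOTE_USER'])) {
        return [];
    }

    $raw = $server['OIDC_CLAIM_' . $claim] ?? '';
    if ($raw === '') {
        return [];
    }

    $groups = [];
    foreach (explode($delimiter, $raw) as $name) {
        // A Keycloak group-membership mapper with the full-path option emits
        // names such as "/icinga/admins"; drop the leading slash so the value
        // matches what is entered for a role's group membership.
        $name = ltrim(trim($name), '/');
        if ($name !== '' && !in_array($name, $groups, true)) {
            $groups[] = $name;
        }
    }
    return $groups;
}

// Constructed sample of the variables Apache passes for one logged-in user.
$sample = [
    'REMOTE_USER'       => 'alice',
    'OIDC_CLAIM_groups' => '/icinga/admins,/icinga/operators,/icinga/admins',
];
print_r(oidcGroups($sample));
```

Running the file prints the two distinct group names; a missing REMOTE_USER returns an empty list, which is the safe default for a group backend.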
Yes, it can. I will look into creating a new group backend. Are there any guides? I can’t be the only one trying to achieve this.
Maybe there already exists a feature request in the Icingaweb2 project on GitHub.
I would have a look into the code of existing group backends and send in a pull request to get guidance from the Icinga developers.
You can use this icingaweb2 module:
It requests the groups of the user after login; the groups can then be used in the icingaweb2 backend.
That looks really promising. I’m gonna try it and report back to you how it went.
I added the module and log in is working. The groups are getting created and I see them when I select the oidc backend. My user also has these roles. Roles are not working though. I created a new role with admin privileges and added the default oidc group. But that doesn’t work. I put the oidc backend at the top of every config file.
This is the error I’m getting:
[Sat Aug 30 12:06:13.021512 2025] [php:notice] [pid 463093:tid 463093] [client 10.185.196.99:62272] icingaweb2: ERROR - Icinga\Exception\ConfigurationError in /usr/share/php/Icinga/Authentication/AuthChain.php:249 with message: Can't create authentication backend "openid". An exception was thrown: <- Icinga\Exception\ConfigurationError in /usr/share/php/Icinga/Authentication/User/UserBackend.php:211 with message: Authentication configuration for user backend "openid" defines an invalid backend type. Backend type "oidc" is not supported
[Sat Aug 30 12:06:13.446067 2025] [php:notice] [pid 463093:tid 463093] [client 10.185.196.99:62272] icingaweb2: DEBUG - No groups found in backend "openid" which the user "xxx" is a member of.
I got it working now. The problem was the default login domain. It needs to be empty. I hope this helps someone else.