Icinga sso

Icinga Web 2 Version 2.10.1
PHP Version 7.4.33

Is there any possibility / documentation available to add Single Sign-On in icingaweb2 using Ping ID as the IdP?

Only by use of a webserver module and an external authentication backend.

Will it work with mod_auth_openidc?

I don't know. The external auth backend of Icinga Web expects one of these env vars to be set for incoming requests: REMOTE_USER, REDIRECT_REMOTE_USER

If this module sets them, it should work.

1 Like

I have a running sso installation with mod_auth_openidc.
Now I still have some problems bypassing SSO and using the normal login with user and password for some special users defined locally in icingaweb2 and for API calls. Maybe external auth and the Director API can help? Does anyone have a good solution here? I have configured the Apache webserver to not use SSO for some users that use basic auth, with an If in the Apache configuration, but I think this is not really a good solution, and it only works for the API calls and not in the browser.

Hi Mdicss

How did you manage to configure the external authentication backend in icingaweb2? # vim /etc/icingaweb2/authentication.ini

[autologin]
backend = external
Do I only change these settings, or are there any other settings that need to be considered?

After adding it like this, I can see only the system settings; no modules or configuration options are available.

Hi admin
Yes, you need an entry backend = "external" in /etc/icingaweb2/authentication.ini. You can configure this in the web GUI under 'Configuration → Application → Access Control Backends'.
Then, we have keycloak running in a kubernetes cluster which does the authentication with oidc against LDAP or AD.
We use an Apache webserver for icingaweb2. You have to install mod_auth_openidc for Apache. mod_auth_openidc installs a configuration file /etc/httpd/conf.d/auth_openidc.conf. In this file, I had to set values for:

  • OIDCRedirectURI (I used the icingaweb2-Uri with /openid_callback appended)
  • OIDCCryptoPassphrase (comes from the configuration in keycloak)
  • OIDCResponseType id_token
  • OIDCClientID (I used the ID ‘icingaweb2’)

In the Apache configuration in /etc/httpd/conf.d/icingaweb2.conf, I added the following lines inside the VirtualHost part for icingaweb2:

   <Location />
       <If "-z req('Authorization')">
           AuthType openid-connect
           Require valid-user
       </If>
   </Location>

The If expression allows API calls with basic auth, as you can't use SSO there.

This works fine, but I'm looking for a solution to still be able to use users defined only locally in Icinga, not in LDAP or AD, and so with no SSO.

1 Like
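The following is an added example, not configuration from the thread or from the Icinga or mod_auth_openidc projects: it puts the directives named in the answer above (OIDCRedirectURI, OIDCCryptoPassphrase, OIDCResponseType, OIDCClientID and the If block) into one complete Apache VirtualHost, and adds OIDCProviderMetadataURL and OIDCRemoteUserClaim so that the claim which ends up in REMOTE_USER, the variable the Icinga Web external backend reads, is explicit. All hostnames, realm paths and secrets are placeholders that must be replaced with your own.

```apache
# Added example: Icinga Web 2 behind mod_auth_openidc, all values below are placeholders.
<VirtualHost *:443>
    ServerName icinga.example.com            # placeholder hostname
    DocumentRoot /usr/share/icingaweb2/public

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/icinga.example.com.crt   # placeholder path
    SSLCertificateKeyFile /etc/pki/tls/private/icinga.example.com.key # placeholder path

    # mod_auth_openidc settings (the package normally puts these in
    # /etc/httpd/conf.d/auth_openidc.conf; they are shown here for completeness).
    # Discovery document of the IdP (Keycloak realm URL is a placeholder).
    OIDCProviderMetadataURL https://keycloak.example.com/realms/monitoring/.well-known/openid-configuration
    # Client ID registered at the IdP, as in the answer above.
    OIDCClientID icingaweb2
    # Callback URI: the icingaweb2 URI with /openid_callback appended.
    OIDCRedirectURI https://icinga.example.com/icingaweb2/openid_callback
    # Used to encrypt the module's session cookie and cache; generate a long random value.
    OIDCCryptoPassphrase CHANGE-ME-TO-A-LONG-RANDOM-STRING
    # Implicit flow with only an ID token, as used in the answer above.
    OIDCResponseType id_token
    # Which token claim becomes REMOTE_USER; the Icinga Web external backend
    # reads REMOTE_USER / REDIRECT_REMOTE_USER, so this must match the Icinga user name.
    OIDCRemoteUserClaim preferred_username

    <Directory /usr/share/icingaweb2/public>
        Options SymLinksIfOwnerMatch
        AllowOverride None
        Require all granted
    </Directory>

    <Location /icingaweb2>
        # Only requests without an Authorization header go through OIDC.
        # API clients that send HTTP basic auth therefore skip SSO and are
        # authenticated by Icinga Web itself against its configured backends.
        <If "-z req('Authorization')">
            AuthType openid-connect
            Require valid-user
        </If>
    </Location>
</VirtualHost>
```

After editing, run `apachectl configtest` before reloading, and verify the mapping with a request from the browser: once logged in via the IdP, Icinga Web should show the user name taken from the claim named in OIDCRemoteUserClaim. If the name differs from what your Icinga roles expect (for example the `sub` UUID instead of the login name), roles and restrictions will not match, so check this claim first when SSO logs in but shows no modules.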