Icinga sso

Icinga Web 2 Version 2.10.1
PHP Version 7.4.33

Is there any possibility/ Documentation available to add Single Sign On in icingaweb2 using ping ID as idp

Only by use of a webserver module and an external authentication backend.

will it work on mod_auth_openidc

I don’t know. The external auth backend of Icinga Web expects one of these env vars being set for incoming requests: REMOTE_USER, REDIRECT_REMOTE_USER

If this module sets them, it should work.

1 Like

I have a running sso installation with mod_auth_openidc.
Now I still have some problems to bypass sso and use the normal login with user and password for some special locally in icingaweb2 defined users and for api-calls. Maybe External auth and director api can help? Anyone has a good solution here? I have configured the apache webserver to not use sso for some users that use basic auth with an IF in the apache configuration, but I think, this is not really a good solution here and it only works for the api-calls and not in the browser.

hai Mdicss

how did you manage to configure the external authentication backend in icingaweb2 , # vim /etc/icingaweb2/authentication.ini

backend = external
Only change these settings or any other settings needs to consider

after adding like this i can see only system settings is visible no modules or configuration options available

Hi admin
Yes, you need an entry 'backend = “external” in /etc/icingaweb2/authentication.ini. You can configure this in the web-gui ‘Configuration → Application → Access Control Backends’.
Then, we have keycloak running in a kubernetes cluster which does the authentication with oidc against LDAP or AD.
We use an apache webserver for icingaweb2. You habe to install mod_auth_openidc for the apache. The mod_auth_openidc installs a configuration file /etc/httpd/conf.d/auth_openidc.conf. In this file, I had to set values for:

  • OIDCRedirectURI (I used the icingaweb2-Uri with /openid_callback appended)
  • OIDCCryptoPassphrase (comes from the configuration in keycloak)
  • OIDCResponseType id_token
  • OIDCClientID (I used the ID ‘icingaweb2’)

In the apache configuration in /etc/httpd/conf.d/icingaweb2.conf, I added the following lines inside the VirtualHost-part for icingaweb2:

   <Location />
    <IF "-z req('Authorization')">
        AuthType openid-connect
        Require valid-user

The IF-expression allows api-calls with basic auth as you cann’t use there sso.

This works fine, but I’m looking for a solution, to be able to still use only locally in icinga defined users not in LDAP or AD and so with no sso.

1 Like