I would like to implement an SSO authentication system in front of my future Icinga2 infrastructure.
After reading the documentation, it will be fine for the Icinga2 API. As the API is under /v1, I’ll whitelist this path in my SSO configuration so I can continue to use the ApiUser objects.
But for Icinga Director, the documentation says: “Most URLs you can access with your browser will also act as valid REST url endpoints.” And the authentication is based on the user accounts of Icinga Web 2.
So I cannot whitelist the URLs of Director in my SSO configuration, because it will break the SSO for real users.
Is there any possibility to configure the Director API with a prefix?
Do not hesitate to request more details if my post is not obvious.
As I was just building up a new environment I decided to have my master in my Azure environment. Thus I didn’t want to rely on LDAP and I dug around a little.
I found the following solution which really works sooo fine for me:
mod_auth_openidc for the Apache servicing icingaweb2
configuring icingaweb2 to use external authentication backend
Only downside: authentication groups… this is something that could not really be solved so far, but maybe this is something to be realized with director automation.
I finally have a workaround for this. So, I broke down the webserver into 2 components. One will be used for director api access. Primary for icingaweb2. Not super elegant but it works and is super easy to set up.
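A sketch of how the two replies above fit together: mod_auth_openidc with the Icinga Web 2 external backend on the primary front end, plus a second front end without SSO for Director API clients. This is an added example, not configuration posted by anyone in the thread. Host names, ports, file paths, the IP range, the backend section names and the TENANT_ID / CLIENT_* values are assumed placeholders.

```apache
# Constructed example: host names, paths, ports, the IP range and all
# TENANT_ID / CLIENT_* values are placeholders, not values from the thread.
# Assumes the stock icingaweb2 Alias/Directory config is loaded server-wide.

# Front end for people: every request needs an OpenID Connect session.
<VirtualHost *:443>
    ServerName icinga.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/icinga.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/icinga.example.com.key

    OIDCProviderMetadataURL https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration
    OIDCClientID         CLIENT_ID
    OIDCClientSecret     CLIENT_SECRET
    # Must be an otherwise unused URL inside the protected location.
    OIDCRedirectURI      https://icinga.example.com/icingaweb2/redirect_uri
    OIDCCryptoPassphrase LONG_RANDOM_PASSPHRASE
    OIDCScope            "openid profile email"
    # Claim that becomes REMOTE_USER, i.e. the Icinga Web 2 user name.
    OIDCRemoteUserClaim  preferred_username

    <Location /icingaweb2>
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>

# Front end for automation: no OIDC, so REMOTE_USER is never set and
# Icinga Web 2 checks the HTTP basic credentials against its next backend.
Listen 8443
<VirtualHost *:8443>
    ServerName icinga-api.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/icinga-api.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/icinga-api.example.com.key

    # This listener bypasses SSO, so limit it to the automation hosts.
    <Location /icingaweb2>
        Require ip 10.0.0.0/24
    </Location>
</VirtualHost>

# /etc/icingaweb2/authentication.ini (backends are tried in this order)
#   [sso]
#   backend = external
#
#   [icingaweb2_db]
#   backend  = db
#   resource = icingaweb2_db
```

Accounts used on the second listener should be dedicated API users whose Icinga Web 2 role grants Director access only, since they authenticate with a password rather than through the identity provider.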