Add support for SAML authentication with distributed sites
Comments: 4
-
04 Jan
Pat Merged: I just finished implementing SAML authentication on our main Checkmk, but now I want to implement this on our distributed nodes/sites as well. However, I can't get it to work.
Unfortunately, SAML authentication has not been implemented for the distributed setup yet. It's there for LDAP connections (Setup >> General >> Distributed monitoring >> Configuration connection >> Sync with LDAP connection), where you can sync users with different connection options. So, it's not possible at the moment.
(cf. https://forum.checkmk.com/t/saml-authentication-distributed-monitoring/42839 )
In conclusion:
- At the moment SAML authentication is only possible on the master site
- User sync for SAML connections has not been implemented yet
Thus:
- SAML authentication on distributed sites and user sync with SAML connections must be added
-
19 Jan
Niklas Pulina (Admin): "SAML sync and auth distributed sites" (suggested by <Hidden> on 2024-01-04), including upvotes (1) and comments (0), was merged into this suggestion.
-
05 Feb
Michael Honkoop: SAML does not have functionality for a trust between an IdP and multiple SPs, as it is based on an EntityID and its certificates, which will be different for each distributed node.
OpenID Connect can handle this, as it supports one set of credentials (client ID/client secret) combined with multiple redirect URIs.
Therefore I would like to opt for implementing the OpenID Connect way of federating instead of going down the SAML road.
- Glowsome
-
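To make the trust-model difference in the comment above concrete, here is an added illustration (editor's example, not code from this thread or from Checkmk). It models an IdP-side view: one OIDC client registration that lists a callback URI for each distributed site, checked by exact match as OAuth 2.0 requires, next to a SAML trust store keyed per SP EntityID and signing certificate, where every additional site needs its own entry. All site URLs, the client ID and the certificate fingerprints are constructed placeholders.

```python
"""Added illustration: OIDC (one client, many exact redirect URIs) versus
SAML (one trust entry per SP EntityID + certificate). Not Checkmk code;
every URL, ID and fingerprint below is a constructed placeholder."""

# --- OIDC: a single client registration covering several sites ------------
OIDC_CLIENT = {
    "client_id": "checkmk-monitoring",  # constructed placeholder
    "redirect_uris": {
        "https://master.example.net/mon/check_mk/oidc/callback",
        "https://site-a.example.net/site_a/check_mk/oidc/callback",
        "https://site-b.example.net/site_b/check_mk/oidc/callback",
    },
}


def oidc_redirect_allowed(client: dict, requested_uri: str) -> bool:
    """Accept a redirect_uri only on an exact, byte-for-byte match with the
    registered set. RFC 6749 section 3.1.2 and the OAuth 2.0 Security BCP
    require exact matching; prefix or host-only comparison would let the
    authorization code be steered to a look-alike URL."""
    return requested_uri in client["redirect_uris"]


# --- SAML: trust is keyed per SP EntityID and its signing certificate -----
SAML_TRUSTS = {
    "https://master.example.net/mon/check_mk/saml/metadata": {
        "cert_fingerprint": "sha256:MASTER-CERT-PLACEHOLDER",
        "acs_url": "https://master.example.net/mon/check_mk/saml/acs",
    },
}


def saml_sp_known(trusts: dict, entity_id: str, cert_fingerprint: str) -> bool:
    """An IdP only processes an AuthnRequest from an SP whose EntityID is
    registered and whose certificate matches the stored one. A distributed
    site with its own EntityID and certificate is unknown until a separate
    trust entry is created for it."""
    sp = trusts.get(entity_id)
    return sp is not None and sp["cert_fingerprint"] == cert_fingerprint


def sites_needing_saml_registration(trusts: dict, site_entity_ids) -> list:
    """List the sites that would each require their own SP trust entry."""
    return [eid for eid in site_entity_ids if eid not in trusts]


if __name__ == "__main__":
    print(oidc_redirect_allowed(
        OIDC_CLIENT, "https://site-b.example.net/site_b/check_mk/oidc/callback"))
    print(sites_needing_saml_registration(SAML_TRUSTS, [
        "https://master.example.net/mon/check_mk/saml/metadata",
        "https://site-a.example.net/site_a/check_mk/saml/metadata",
    ]))
```

The point of the exact-match check is that a single OIDC client can serve many callbacks safely only because the IdP refuses anything that is not literally in the registered list; the SAML side shows why each site otherwise ends up as a separate trust relationship to configure and rotate.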
26 Apr
Miwu: As OIDC will be another :roll_eyes: protocol that should be maintained and supported by our staff, this will not be a solution for us.
Just to understand the problem: why can't there just be a configuration option for every slave site where we can configure the SAML credentials for each slave site (certificate, URL, ...)? User creation should not be possible via slave sites, and the permissions in check_mk for every user are already set using the master site.
Having SAML authentication only on the master site is boring and quite useless, because we still have to use Kerberos or something like that additionally on the slave sites.