Zabbix 7.4 + Keycloak (SAML 2.0): End-to-End Setup with JIT Provisioning

This guide shows how to connect Zabbix 7.4 at https://zabbix.maksonlee.com to Keycloak at https://keycloak.maksonlee.com (realm maksonlee.com) using SAML 2.0. We’ll do the configuration in the Zabbix UI, add clean client-scope mappers in Keycloak, and enable Just-in-Time (JIT) provisioning so accounts are created automatically on first login as normal users.


What we’ll build

  • Sign-in to Zabbix via Keycloak (SAML 2.0).
  • JIT user creation: on first login, Zabbix creates a normal user and assigns role + groups.
  • Clean attribute delivery from Keycloak (username, email, and a multi-valued member for groups).
  • Optional hardening: sign Zabbix AuthnRequests and require client signatures in Keycloak.

Prerequisites


Default SAML certificate paths (Zabbix frontend)

Unless overridden in ui/conf/zabbix.conf.php (the commented-out $SSO['SP_KEY'], $SSO['SP_CERT'] and $SSO['IDP_CERT'] entries), Zabbix looks here:

  • ui/conf/certs/sp.key — SP private key (used when Zabbix signs AuthN/Logout requests)
  • ui/conf/certs/sp.crt — SP certificate (public; import into Keycloak if you require client signatures)
  • ui/conf/certs/idp.crt — IdP certificate (Keycloak realm signing cert Zabbix uses to verify SAML assertions)

On Ubuntu/Debian, the UI root is usually /usr/share/zabbix/ui.


  1. Keycloak — create the SAML client

Clients → Create client (Client type: SAML)

General:

  • Client ID: zabbix (this string doubles as the SP entity ID you enter in Zabbix and as the Audience Zabbix checks in every assertion)

Settings:

  • Name ID format: transient (the Name ID is then a random per-session value, so Zabbix has to take the login name from a SAML attribute; that is what the username mapper added below is for)
  • Sign Assertions: On (Zabbix verifies the assertion signature against idp.crt, installed below)
  • Force POST binding: Off

Advanced:

  • Assertion Consumer Service POST Binding URL: https://zabbix.maksonlee.com/index_sso.php?acs (Zabbix's ACS endpoint; add it to Valid redirect URIs as well)
  • Logout Service Redirect Binding URL: https://zabbix.maksonlee.com/index_sso.php?sls

  2. Keycloak — add mappers via a dedicated client scope

Clients → zabbix → Client scopes

  • Open the client's dedicated scope (zabbix-dedicated, created together with the client) or create your own scope and assign it as Default to the zabbix client. Default scopes are applied on every login, so the attributes below are always present.
  • Inside that scope: Mappers → Add mapper → By configuration — add these:

a) username

  • Mapper type: User Property
  • User Property: username
  • SAML Attribute Name: username
  • Include in assertions: On

b) email

  • Mapper type: User Property
  • User Property: email
  • SAML Attribute Name: email
  • Include in assertions: On

c) groups

  • Name: groups
  • Mapper type: Group list
  • Group attribute name: member
  • Single Group Attribute: On (one member attribute with one AttributeValue per group, which is how Zabbix reads a multi-valued group attribute)
  • Full group path: Off (otherwise values arrive as /groupname and will not match a plain group name in Zabbix's user group mapping)

Client scopes → role_list → Mappers → role list

  • Single Role Attribute: On (roles are sent as one multi-valued Role attribute instead of one attribute per role, which keeps the assertion small)

  3. Zabbix — install the IdP signing certificate

Zabbix verifies Keycloak's signed assertions with the realm's signing certificate, so that certificate has to be installed as idp.crt.

  • In Keycloak: Realm settings → Keys → Active → RS256 row → Certificate, and copy the X.509 certificate (public part only; Zabbix never needs the realm's private key).
  • On the Zabbix host, write it PEM-encoded (replace the comment line with the certificate body you copied):
sudo tee /usr/share/zabbix/ui/conf/certs/idp.crt >/dev/null <<'CRT'
-----BEGIN CERTIFICATE-----
# paste Keycloak realm signing certificate here
-----END CERTIFICATE-----
CRT
sudo chown -R www-data:www-data /usr/share/zabbix/ui/conf/certs
sudo chmod 644 /usr/share/zabbix/ui/conf/certs/idp.crt
# Sanity check: the file must parse, and the subject should name the realm
sudo openssl x509 -in /usr/share/zabbix/ui/conf/certs/idp.crt -noout -subject -enddate

Repeat this step whenever you rotate the realm's keys: with a stale idp.crt every SAML login fails with a signature error.
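The same values (signing certificate, IdP entity ID, SSO/SLO URLs) can be read from the realm's SAML descriptor instead of copied out of the admin console. The script below is an added example written for this guide, not code from Zabbix or Keycloak. It assumes Keycloak's standard descriptor path for realm maksonlee.com (https://keycloak.maksonlee.com/realms/maksonlee.com/protocol/saml/descriptor) and ships with a constructed sample descriptor whose certificate bytes are fake, so it runs offline; point it at the real URL to get the PEM you write to idp.crt.

```python
"""Extract what Zabbix's SAML settings need from a Keycloak realm SAML descriptor.

Added example for this guide (not Keycloak or Zabbix code). Assumes Keycloak's
standard descriptor path for the realm named in the guide; SAMPLE_DESCRIPTOR
is constructed and carries fake certificate bytes, not a real certificate.
"""
import base64
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Standard Keycloak location of the realm's IdP metadata (assumed, not from the guide).
DESCRIPTOR_URL = "https://keycloak.maksonlee.com/realms/maksonlee.com/protocol/saml/descriptor"


def parse_descriptor(xml_text: str) -> dict:
    """Return the IdP entity ID, redirect-binding SSO/SLO URLs and signing cert(s) as PEM."""
    root = ET.fromstring(xml_text)
    # Keycloak wraps the realm in EntitiesDescriptor; accept a bare EntityDescriptor too.
    entity = root if root.tag == f"{{{NS['md']}}}EntityDescriptor" else root.find("md:EntityDescriptor", NS)
    if entity is None:
        raise ValueError("no EntityDescriptor in metadata")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def location(service: str, binding: str):
        for svc in idp.findall(f"md:{service}", NS):
            if svc.get("Binding") == binding:
                return svc.get("Location")
        return None

    pems = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # Only signing keys belong in idp.crt; skip encryption-only keys (no 'use' means both).
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            pems.append(ssl.DER_cert_to_PEM_cert(der))  # PEM armour with 64-column lines
    if not pems:
        raise ValueError("descriptor has no signing certificate")
    return {
        "entity_id": entity.get("entityID"),
        "sso_redirect_url": location("SingleSignOnService", HTTP_REDIRECT),
        "slo_redirect_url": location("SingleLogoutService", HTTP_REDIRECT),
        "wants_signed_authn": idp.get("WantAuthnRequestsSigned") == "true",
        "signing_certs_pem": pems,
    }


def fetch_descriptor(url: str = DESCRIPTOR_URL) -> str:
    """GET the descriptor; urllib's default context verifies Keycloak's TLS certificate."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()


# Constructed sample in the shape Keycloak publishes; the certificate bytes are fake.
_FAKE_SIGNING_B64 = base64.b64encode(b"constructed-signing-cert-not-real-" * 3).decode()
_FAKE_ENC_B64 = base64.b64encode(b"constructed-encryption-cert-not-real-" * 3).decode()
_REALM = "https://keycloak.maksonlee.com/realms/maksonlee.com"
SAMPLE_DESCRIPTOR = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" Name="urn:keycloak">
  <md:EntityDescriptor entityID="{_REALM}">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{_FAKE_SIGNING_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{_FAKE_ENC_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleLogoutService Binding="{HTTP_POST}" Location="{_REALM}/protocol/saml"/>
      <md:SingleLogoutService Binding="{HTTP_REDIRECT}" Location="{_REALM}/protocol/saml"/>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
      <md:SingleSignOnService Binding="{HTTP_POST}" Location="{_REALM}/protocol/saml"/>
      <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="{_REALM}/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    # Usage: python3 kc_descriptor.py [URL] > idp.crt   (no URL: parse the constructed sample)
    info = parse_descriptor(fetch_descriptor(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DESCRIPTOR)
    for key in ("entity_id", "sso_redirect_url", "slo_redirect_url", "wants_signed_authn"):
        print(f"{key}: {info[key]}", file=sys.stderr)
    if len(info["signing_certs_pem"]) > 1:
        print("more than one signing cert (key rotation in progress): keep the Active one", file=sys.stderr)
    print(info["signing_certs_pem"][0], end="")  # PEM on stdout, ready for idp.crt
```

The summary lines go to stderr and only the PEM to stdout, so `python3 kc_descriptor.py URL | sudo tee /usr/share/zabbix/ui/conf/certs/idp.crt` writes a clean file. Keycloak publishes its encryption key in the same descriptor; only use="signing" keys are kept, and during a key rotation two signing certificates can be listed, in which case the one marked Active in Realm settings → Keys is the one to install.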

  4. Zabbix — configure SAML

In Administration → Users → Authentication, open the SAML settings tab, tick Enable SAML authentication and fill in the values that correspond to the Keycloak client and mappers above:

  • IdP entity ID: https://keycloak.maksonlee.com/realms/maksonlee.com
  • SSO service URL and SLO service URL: https://keycloak.maksonlee.com/realms/maksonlee.com/protocol/saml
  • Username attribute: username
  • SP entity ID: zabbix (the Keycloak Client ID)
  • SP name ID format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  • Sign: Assertions (matches Sign Assertions: On in Keycloak); tick AuthN requests only if you complete the request-signing step below
  • Configure JIT provisioning: Group name attribute member, User name attribute username, and a User group mapping entry that maps your Keycloak group name to a Zabbix user group with the User role

The three Keycloak URLs above are the realm's standard SAML endpoints; confirm them in Realm settings → Endpoints → SAML 2.0 Identity Provider Metadata before saving.

Then, on the Authentication (top) tab, set a Deprovisioned users group: Zabbix requires one while JIT is enabled, and it must be a user group whose status is Disabled, so that deprovisioned accounts can no longer log in.


  5. Sign Zabbix AuthnRequests

Create the SP keypair at the default locations:

sudo openssl req -x509 -newkey rsa:2048 -nodes \
  -keyout /usr/share/zabbix/ui/conf/certs/sp.key \
  -out   /usr/share/zabbix/ui/conf/certs/sp.crt \
  -days 3650 -subj "/CN=zabbix.maksonlee.com"

sudo chown www-data:www-data /usr/share/zabbix/ui/conf/certs/sp.key /usr/share/zabbix/ui/conf/certs/sp.crt
sudo chmod 640 /usr/share/zabbix/ui/conf/certs/sp.key
sudo chmod 644 /usr/share/zabbix/ui/conf/certs/sp.crt

Keycloak Clients → zabbix → Keys: turn Client signature required On, then Import key (format Certificate PEM) and upload sp.crt. In Zabbix, tick Sign → AuthN requests so the requests are actually signed; Keycloak will now reject unsigned or wrongly signed AuthnRequests. sp.key is the only secret in this setup, which is why it stays mode 640 and owned by www-data.


  6. Test SSO
  • Log out of Zabbix.
  • Visit https://zabbix.maksonlee.com and click Sign in with Single Sign-On (SAML).
  • Authenticate on https://keycloak.maksonlee.com.
  • On first login, Zabbix auto-creates the user with the User role and the user group your mapping assigns.
  • On later logins, the existing account is reused (JIT does not reset an existing user's settings).
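If the first login does not create the user as expected, look at what Keycloak actually sent rather than guessing: in the browser's developer tools, copy the SAMLResponse form field of the POST to index_sso.php?acs. The checker below is an added example for this guide, not Zabbix or Keycloak code. It checks structure only (issuer, status, a signed assertion, transient NameID, audience, and the username/email/member attributes the mappers above should produce) and leaves signature verification to Zabbix. Both embedded responses are constructed; the user alice, the e-mail address and the groups zabbix-users/ops are assumptions.

```python
"""Check a captured SAMLResponse against what this guide's Zabbix settings expect.

Added example for this guide (not Zabbix or Keycloak code). Structure only: the
signature itself is verified by Zabbix. Sample user and group names are assumed.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# The contract between the Keycloak mappers and the Zabbix SAML settings.
EXPECTED = {
    "idp_entity_id": "https://keycloak.maksonlee.com/realms/maksonlee.com",
    "sp_entity_id": "zabbix",        # Keycloak Client ID == Zabbix SP entity ID
    "username_attr": "username",     # mapper (a) / Zabbix "Username attribute"
    "group_attr": "member",          # mapper (c) / Zabbix "Group name attribute"
    "nameid_format": TRANSIENT,
}


def attribute_values(assertion) -> dict:
    """Map attribute Name -> list of values (the multi-valued 'member' stays a list)."""
    out = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return out


def check_response(saml_response_b64: str, expected: dict = EXPECTED) -> dict:
    """Decode the POSTed SAMLResponse field and list every deviation from 'expected'."""
    resp = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    issuer = (resp.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected["idp_entity_id"]:
        problems.append(f"Issuer {issuer!r} != IdP entity ID configured in Zabbix")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted, or missing)")
        return {"ok": False, "problems": problems, "attributes": {}}
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion not signed: Keycloak 'Sign Assertions' is off")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    if fmt != expected["nameid_format"]:
        problems.append(f"NameID Format {fmt!r} != {expected['nameid_format']!r}")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["sp_entity_id"] not in audiences:
        problems.append(f"Audience {audiences} lacks SP entity ID {expected['sp_entity_id']!r}")
    attrs = attribute_values(assertion)
    if len(attrs.get(expected["username_attr"], [])) != 1:
        problems.append(f"{expected['username_attr']!r} must be present exactly once (JIT needs it)")
    groups = attrs.get(expected["group_attr"], [])
    if not groups:
        problems.append(f"no {expected['group_attr']!r} attribute: check the Group list mapper")
    elif any(g.startswith("/") for g in groups):
        problems.append("group values carry a path prefix: set 'Full group path' to Off")
    return {"ok": not problems, "problems": problems, "attributes": attrs}


def _sample(signed: bool, groups: list) -> str:
    """Constructed SAMLResponse, base64-encoded as it appears in the POST body."""
    sig = "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>" if signed else ""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    realm = EXPECTED["idp_entity_id"]
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="ID_r1" Version="2.0" Destination="https://zabbix.maksonlee.com/index_sso.php?acs">
  <saml:Issuer>{realm}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="ID_a1" Version="2.0"><saml:Issuer>{realm}</saml:Issuer>{sig}
    <saml:Subject><saml:NameID Format="{TRANSIENT}">G-7f3a</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>zabbix</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@maksonlee.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="member">{values}</saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


# Two constructed captures: one as the guide configures it, one with two common mistakes.
GOOD_RESPONSE = _sample(signed=True, groups=["zabbix-users", "ops"])
BAD_RESPONSE = _sample(signed=False, groups=["/zabbix-users", "/ops"])

if __name__ == "__main__":
    # Replace GOOD_RESPONSE with the SAMLResponse value copied from the browser's network tab.
    for label, blob in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        result = check_response(blob)
        print(label, "OK" if result["ok"] else result["problems"])
```

The "bad" sample reproduces the two mistakes that most often break JIT: Sign Assertions left off (Zabbix then rejects the response against idp.crt) and Full group path left at its default, which makes every group arrive as /name and silently defeats the user group mapping. An encrypted assertion also shows up here as "no plaintext Assertion", because the checker, unlike Zabbix, has no SP key to decrypt with.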
