Discussion ongoing

Enable fallback / recovery to local authentication when using OIDC / SAML authentication

Related products: Infra Monitoring - Administration
  • December 9, 2025
  • 4 replies
  • 12 views


It seems to me that if, for example, I configure OpenID Connect ONLY authentication I have no fallback to local authentication if one day OIDC auth were to fail for whatever reason. For sure “Mixed-mode” exists but that just encourages half of my team to skip the OIDC button and continue authenticating with their LDAP accounts / local accounts (which is what they did in the past) - old habits die hard and while the team SHOULD go through the OIDC flow, do MFA, sign on with our SSO system etc., they often just SEE the Centreon login page and use it - so Mixed mode is not really useful for us.

In the case of an OIDC / SAML failure (imagine after an upgrade of these systems, not impossible) could you not provide an IP restricted URL that would provide local authentication fallback to the admins of Centreon that come from a certain restricted IP range, or potentially a configuration file that declares the auth type so that it could be temporarily changed until the OIDC problems are fixed?

Auth_type = “local_only | oidc_only | oidc_mixed | saml_only | saml_mixed” etc.

4 replies

rchauvel
Centreonian
  • Centreonian
  • December 12, 2025
NewDiscussion ongoing


I would say, why not have some automation or admin script on the server that would switch between the OIDC only and mixed mode.

That way you can keep the OIDC mode enabled, and if you face an issue, you switch it back to mixed in an easy way; there are options in the API V2 to do that.


  • Author
  • Steward *
  • December 15, 2025

I would say, why not have some automation or admin script on the server that would switch between the OIDC only and mixed mode.

That way you can keep the OIDC mode enabled, and if you face an issue, you switch it back to mixed in an easy way; there are options in the API V2 to do that.

Thanks for your response, we don’t use the API but we might look into it. Do you have any documentation that points to this functionality in the API?

At the same time, I still feel that a simple change of a config file and / or an IP protected URL for local admin access would be justified to get quickly back to working with Centreon, as opposed to someone, at the point of being locked out, having to engage with the complexity of an API. Remember this change is for emergency situations where access is no longer possible, hence API configuration wouldn’t be possible either I assume (especially if it wasn’t preconfigured in advance). I notice the issue multiple times in the forums too, of people being locked out and the fairly extreme requirement of having to modify the Centreon database to get back in (a very risky method in all honesty). Backup methods to toggle the authentication types through a simple config file change are pretty standard in most other server-based apps.



Thanks for your response, we don’t use the API but we might look into it. Do you have any documentation that points to this functionality in the API?

 

For disaster recovery, backups are usually the solution and, as you mention, admins can always log in to the database for emergency password resets or similar situations.


As for the API, I would look in the API V2 endpoints https://docs-api.centreon.com/api/centreon-web/25.10/#tag/Administration/paths/~1administration~1authentication~1providers~1openid/put to update the configuration of openid and switch between mixed and forced.
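
The admin script suggested in the replies above, sketched as an added example; it is not code from the thread or from Centreon. The endpoint path comes from the linked API page. The `is_forced` field name, the `X-AUTH-TOKEN` header, a PUT that accepts the body returned by GET, and the two environment variables are assumptions to check against that documentation.

```python
import json
import urllib.request

# Path taken from the API V2 link in the thread.
PROVIDER_PATH = "/administration/authentication/providers/openid"

def http_json(method, url, token, body=None):
    """Send one JSON request; the X-AUTH-TOKEN header name is an assumption."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "X-AUTH-TOKEN": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def set_oidc_forced(api_base, token, forced, send=http_json):
    """Switch OIDC between forced (True) and mixed (False).

    Reads the current provider configuration, changes only the assumed
    `is_forced` flag and writes every other setting back untouched.
    Returns True if a PUT was sent, False if the mode was already set.
    """
    url = api_base.rstrip("/") + PROVIDER_PATH
    current = send("GET", url, token)
    # Refuse to write if the response does not look like the provider config.
    if not isinstance(current, dict) or "is_forced" not in current:
        raise RuntimeError("unexpected provider configuration; not writing")
    if current["is_forced"] is forced:
        return False
    send("PUT", url, token, {**current, "is_forced": forced})
    return True

if __name__ == "__main__":
    import os
    import sys
    # Hypothetical environment variables, prepared in advance: as the thread
    # notes, the script is of little use if nothing was set up before a lockout.
    mode = sys.argv[1] if len(sys.argv) > 1 else ""
    if mode not in ("forced", "mixed"):
        sys.exit("usage: oidc_mode.py forced|mixed")
    changed = set_oidc_forced(os.environ["CENTREON_API"],
                              os.environ["CENTREON_TOKEN"], mode == "forced")
    print("updated" if changed else "already in requested mode")
```

Restrict who can read the stored token and run the script on the server, since it controls whether the local login form is offered again.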