How To Configure AzureAD with Centreon


Userlevel 3
Badge +4


In this article, we will describe how to configure AzureAD with Centreon.

AzureAD is one of the most common Identity Providers nowadays, and through OpenID Connect you can log in to Centreon with your AD account.

We will present a short step-by-step tutorial to create an AzureAD application, configure it, and configure your Centreon OpenID Connect authentication.

 

Configure your application in Azure AD

 

First of all, go to your Azure portal. You should see a banner with a list of Azure applications:

  • Click on Azure Active Directory.

 

  • On your main dashboard, click on Enterprise applications.
  • Then click on New Application. Provide all the information needed to create your application.

 

For the purpose of this tutorial I have created a new application named "centreon-delegated-authentication".

On the main dashboard of your application, you will need two pieces of information that are mandatory to configure AzureAD in Centreon:

1: Your Tenant ID
2: Your Client ID

We will see later when and how to use those IDs.

 

  • Click on Authentication on the left menu.
  • Click on the Add a Platform Button
  • Click on Web
  • To configure your authentication you will need to provide a redirect URI.

 

The format should be <scheme>://<your_domain_name>/centreon/authentication/providers/configurations/openid

⚠️ If your Centreon platform is NOT on a localhost the scheme MUST BE https.

If your Centreon platform is not served over HTTPS, be sure to follow the documentation before going further in this tutorial:
https://docs.centreon.com/docs/administration/secure-platform/#enable-https-on-the-web-server

  • In the "Implicit grant and hybrid flows" section, be sure to select only ID tokens.

Now our application is configured. We still need to create a secret key to be able to configure it in Centreon.

  • Click on Certificates & Secrets > Client secrets > New client secret.
  • Be sure to copy the value (3) of your secret, as it is only shown at creation time. Afterwards you will not be able to see this value anymore.

 

Now log in to Centreon and open the new menu Authentication > OPENID CONNECT CONFIGURATION.

Configure it as follows:

- Enable OpenID Connect authentication

- Authentication mode: as you wish

- Base URL : https://login.microsoftonline.com/<your_tenant_id>/oauth2/v2.0

- Authorization Endpoint: /authorize
- Token Endpoint: /token
- Client ID: <your_client_id>
- Client Secret: <your_client_secret>
- Scopes: openid offline_access (offline_access is not mandatory but highly recommended, as this scope provides a refresh token)
- Login claim value: email
- User information endpoint: https://graph.microsoft.com/oidc/userinfo

Your configuration should look like this:

When you are sure all the information is correct, save the form.
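To make the settings above concrete, here is an added example (not Centreon's or Microsoft's own code) that assembles the values the tutorial lists (base URL, authorization and token endpoints, scopes, redirect URI format) and checks the redirect URI against the rule that the scheme must be https unless Centreon runs on localhost. The tenant ID, client ID, domain, state and nonce values are constructed placeholders, and the authorization-code flow parameters are the standard OpenID Connect ones, assumed here rather than taken from Centreon's source.

```python
"""Assemble and sanity-check the Centreon <-> Azure AD OpenID Connect settings.

Added example, not Centreon's or Microsoft's own code. Encodes the values from
the tutorial and the https-unless-localhost rule for the redirect URI. IDs and
host names below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlencode, urlsplit

REDIRECT_PATH = "/centreon/authentication/providers/configurations/openid"
SCOPES = "openid offline_access"  # offline_access -> provider issues a refresh token
USERINFO_ENDPOINT = "https://graph.microsoft.com/oidc/userinfo"


def redirect_uri(scheme: str, domain: str) -> str:
    """Build the redirect URI in the exact form that must be registered in Azure AD."""
    return f"{scheme}://{domain}{REDIRECT_PATH}"


def check_redirect_uri(uri: str) -> list[str]:
    """Return the problems found with a redirect URI (empty list = acceptable).

    Azure AD compares the registered URI with the one Centreon sends, so a
    scheme, host or path mismatch surfaces as an error on the Azure side.
    """
    parts = urlsplit(uri)
    problems: list[str] = []
    if parts.scheme not in ("http", "https"):
        problems.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http" and parts.hostname != "localhost":
        problems.append("scheme must be https when Centreon is not on localhost")
    if not parts.hostname:
        problems.append("missing host name")
    if parts.path != REDIRECT_PATH:
        problems.append(f"path must be exactly {REDIRECT_PATH}")
    if parts.query or parts.fragment:
        problems.append("redirect URI must not carry a query string or fragment")
    return problems


@dataclass(frozen=True)
class AzureOidcConfig:
    """The values entered in Authentication > OpenID Connect configuration."""
    tenant_id: str
    client_id: str
    redirect_uri: str
    scopes: str = SCOPES
    login_claim: str = "email"

    @property
    def base_url(self) -> str:
        return f"https://login.microsoftonline.com/{self.tenant_id}/oauth2/v2.0"

    @property
    def authorization_endpoint(self) -> str:
        return self.base_url + "/authorize"

    @property
    def token_endpoint(self) -> str:
        return self.base_url + "/token"

    def authorize_url(self, state: str, nonce: str) -> str:
        """URL the browser is sent to when the user clicks "Login with OpenID".

        Standard authorization-code flow parameters (assumed; the tutorial does
        not describe the exact parameters Centreon sends).
        """
        query = urlencode({
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": self.scopes,
            "state": state,
            "nonce": nonce,
        })
        return f"{self.authorization_endpoint}?{query}"

    def token_request_form(self, code: str, client_secret: str) -> dict[str, str]:
        """Form the Centreon web server POSTs to the token endpoint.

        This leg is server-to-server: the web server, not the user's browser,
        must be able to reach login.microsoftonline.com (hence proxy settings
        matter here).
        """
        return {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": self.redirect_uri,
            "client_id": self.client_id,
            "client_secret": client_secret,
        }


if __name__ == "__main__":
    cfg = AzureOidcConfig(
        tenant_id="00000000-0000-0000-0000-000000000000",  # placeholder
        client_id="11111111-1111-1111-1111-111111111111",  # placeholder
        redirect_uri=redirect_uri("https", "centreon.example.com"),
    )
    print("Token endpoint:", cfg.token_endpoint)
    print("Redirect URI problems:", check_redirect_uri(cfg.redirect_uri) or "none")
    print("Plain http on a real host:", check_redirect_uri(redirect_uri("http", "centreon.example.com")))
```

The point of `token_request_form` is the one several replies below stumble on: the exchange at `/token` is performed by the Centreon web server itself, so it is the server's outbound connectivity (and proxy configuration) that has to work, not the user's.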

 

Centreon doesn't yet handle the automatic import of users from AzureAD. You will need to create your users in Centreon before they can log in.

Once your users are created, you will see a new button, Login with OpenID, on the login page.

 

When you click on it you'll be redirected to your Azure AD authentication. If your authentication succeeds and your user exists in Centreon, you will be logged in to Centreon!

 

Congratulations \o/ !


21 replies

Badge +2

Hello,

We finally opened the flows between the central server and the internet to make sure no network equipment is blocking.

I do reach the Microsoft authentication system. Login -> password -> SMS verification code sent -> then I get the error 

Log details from /var/log/centreon/centreon-web.log

[2023-05-15T08:34:28+0200] [DEBUG] [EventSubscriber\UpdateEventSubscriber:69]: Checking if route matches updates endpoint
[2023-05-15T08:34:28+0200] [INFO] [Core\Security\Authentication\Domain\Provider\OpenIdProvider:260]: Start authenticating user... {"provider":"openid"}
[2023-05-15T08:34:28+0200] [INFO] [Core\Security\Authentication\Domain\Provider\OpenIdProvider:437]: Send request to external provider for connection token...
[2023-05-15T08:34:28+0200] [ERROR] [Core\Security\Authentication\Domain\Provider\OpenIdProvider:819]: invalid status code return by external provider, [401] returned, [200] expected
[2023-05-15T08:34:29+0200] [DEBUG] [EventSubscriber\UpdateEventSubscriber:69]: Checking if route matches updates endpoint
[2023-05-15T08:34:29+0200] [DEBUG] [EventSubscriber\UpdateEventSubscriber:69]: Checking if route matches updates endpoint
[2023-05-15T08:34:29+0200] [INFO] [Core\Application\Platform\UseCase\FindInstallationStatus\FindInstallationStatus:47]: check installation status of centreon web
[2023-05-15T08:34:29+0200] [NOTICE] [Security\Domain\Authentication\AuthenticationService:69]: [AUTHENTICATION SERVICE] token not found
[2023-05-15T08:34:29+0200] [NOTICE] [Security\Domain\Authentication\AuthenticationService:69]: [AUTHENTICATION SERVICE] token not found
[2023-05-15T08:34:29+0200] [DEBUG] [Core\Security\Authentication\Infrastructure\Repository\DbWriteTokenRepository:61]: Deleting expired refresh tokens
[2023-05-15T08:34:29+0200] [DEBUG] [Core\Security\Authentication\Infrastructure\Repository\DbWriteTokenRepository:82]: Deleting expired tokens which are not linked to a refresh token
[2023-05-15T08:34:29+0200] [DEBUG] [EventSubscriber\UpdateEventSubscriber:69]: Checking if route matches updates endpoint
[2023-05-15T08:34:29+0200] [DEBUG] [EventSubscriber\UpdateEventSubscriber:69]: Checking if route matches updates endpoint
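As an added example (not Centreon's own code, and not part of the post above), the following parses log lines in the format shown above and extracts the "invalid status code" error with the returned and expected HTTP codes, which is the line worth alerting on. The sample lines are copied from the post; the diagnosis strings are general OAuth 2.0 / HTTP guidance, not messages Centreon prints.

```python
"""Parse a centreon-web.log excerpt and pull out the OpenID provider error.

Added example, not Centreon's own code. Line format "[timestamp] [LEVEL]
[Class:line]: message" and the sample lines come from the post above; the
diagnosis text is general OAuth 2.0 / HTTP guidance.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[A-Z]+)\] \[(?P<source>[^\]]+)\]: (?P<message>.*)$"
)
STATUS_RE = re.compile(r"\[(?P<returned>\d{3})\] returned, \[(?P<expected>\d{3})\] expected")
TOKEN_REQUEST_MARK = "Send request to external provider for connection token"
STATUS_ERROR_MARK = "invalid status code return by external provider"

# Sample lines taken from the post above.
SAMPLE_LOG = """\
[2023-05-15T08:34:28+0200] [DEBUG] [EventSubscriber\\UpdateEventSubscriber:69]: Checking if route matches updates endpoint
[2023-05-15T08:34:28+0200] [INFO] [Core\\Security\\Authentication\\Domain\\Provider\\OpenIdProvider:260]: Start authenticating user... {"provider":"openid"}
[2023-05-15T08:34:28+0200] [INFO] [Core\\Security\\Authentication\\Domain\\Provider\\OpenIdProvider:437]: Send request to external provider for connection token...
[2023-05-15T08:34:28+0200] [ERROR] [Core\\Security\\Authentication\\Domain\\Provider\\OpenIdProvider:819]: invalid status code return by external provider, [401] returned, [200] expected
[2023-05-15T08:34:29+0200] [NOTICE] [Security\\Domain\\Authentication\\AuthenticationService:69]: [AUTHENTICATION SERVICE] token not found
"""


@dataclass(frozen=True)
class LogEntry:
    ts: str
    level: str
    source: str
    message: str


def parse_line(line: str) -> LogEntry | None:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return LogEntry(**m.groupdict()) if m else None


def parse_log(text: str) -> list[LogEntry]:
    return [e for e in map(parse_line, text.splitlines()) if e]


def provider_status_errors(entries: list[LogEntry]) -> list[dict]:
    """Every 'invalid status code' ERROR with the returned/expected HTTP codes."""
    found = []
    for e in entries:
        if e.level == "ERROR" and STATUS_ERROR_MARK in e.message:
            m = STATUS_RE.search(e.message)
            if m:
                found.append({"ts": e.ts, "returned": int(m["returned"]),
                              "expected": int(m["expected"])})
    return found


def diagnose(entries: list[LogEntry]) -> str:
    """One-line reading of what failed, based on the status code and context."""
    errors = provider_status_errors(entries)
    if not errors:
        return "no provider status error found"
    requested = any(TOKEN_REQUEST_MARK in e.message for e in entries)
    code = errors[0]["returned"]
    step = "token request made by the Centreon web server" if requested else "request to the provider"
    if code == 401:
        hint = ("provider was reached but rejected the request; usually a wrong Client ID/"
                "Client Secret or a redirect URI that differs from the one registered in Azure AD")
    elif code == 407:
        hint = "an HTTP proxy on the path demands authentication"
    elif 500 <= code < 600:
        hint = "provider-side or intermediary error; check the proxy and the Azure AD sign-in logs"
    else:
        hint = "unexpected status; compare the configured Base URL and Token Endpoint with the tutorial"
    return f"{code} on {step} at {errors[0]['ts']}: {hint}"


if __name__ == "__main__":
    print(diagnose(parse_log(SAMPLE_LOG)))
```

Running it on the excerpt reports a 401 on the token request, which is the exchange the web server itself performs after the browser returns with the authorization code.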

Badge +4

@samaga777 

Thank you, it's done now, after adding the proxy to the file.

 

Badge +2

Hello @Patrick 

I added the lines in the apache config file.

In my case, here: /etc/httpd/conf.d/10-centreon.conf

 

Regards,

Badge +4

 

Badge +4

@samaga777 Hello,

What file should be modified so that Centreon uses the proxy when connecting to Azure AD?

Thank you

Badge +2

Hello @samaga777,

we unblocked the situation regarding the first error message.

We are now running into your idle timeout error, probably also related to a proxy on our side. We are digging into it with our network technicians.

Thanks

Badge +2

The error message is on the AzureAD side and clearly states that the URL is not specified... so you need to check that the admin has actually added the address.

The logs are visible in the AzureAD interface, but I don't know whether this error is logged.

No flows need to be opened as far as I know.

Badge +2

I provided the URL to the AzureAD admin. I think he added it where needed.

Is there a network flow to open?

Where can I see the error logs (if there are any)?

Badge +2

Hello,

The error message indicates that there is no redirect address. Have you configured it in AzureAD?

 

 

Badge +2

Hello,

Thanks for your tutorial.

I followed all the steps, but I get an error when I click on Connect with OpenID.

 

My configuration is:

I've created a user like this:

 

Badge +2

Ok, I found a better solution myself. 

I put the environment variables at apache level. Now it works without modifying centreon code.

 

Badge +2

@idinar I already tried that but it didn't work for me, that's why I had to change the code.

Badge +6
It's our in-house proxies:

export http_proxy="http://proxy-******:3128"
export https_proxy="https://proxy-*******:3128"
 
Badge

Thank you so much @samaga777, that has worked for me!

Badge +2

@simonclarke2000 is your introspection token field empty?

For me it only worked with userinfo url and leaving the introspect empty

 

Badge

I'm getting the following error when trying to log in; any assistance is appreciated!
 

 

Badge +2

Hello, I found a way to make it work.

What I didn't mention is that this server works behind a corporate proxy. The connection towards the "/token" endpoint is made by the web server (I always thought that this connection was made by the end user 🤔).

The problem is that even after adding the proxy in "UI settings" or as an environment variable ($http_proxy), the proxy is ignored.

So I manually added the proxy as CURL options directly in this file:

/usr/share/centreon/src/Core/Security/Authentication/Domain/Provider/OpenIdProvider.php

Now the token url is available and the oidc connection can happen 👍

If someone knows a “proper” method, I’m happy to learn

Badge +6

Hello @samaga777 

You have to try this URL in Identity provider:

https://login.microsoftonline.com/*****************************/oauth2/v2.0

 

 

 

Badge +2

Hello,

Thanks for your tutorial.

I followed all the steps, but I have an error after AzureAD login. It seems that the token URL is unreachable (it isn't when I type it in my browser).

Do you have any idea of where the issue may come from ?

kind regards

Userlevel 3
Badge +4

Hello, you have to go to Authentication Menu > Add a Platform > then on the right-side panel you can click on Web, and there you will be able to configure your redirect URL.

According to your message your redirect URI is correctly formatted on the Centreon side but doesn't match the redirect URL in your Azure AD application.

Badge +6

Hello,

Thanks for the tutorial

Question: where should we configure the redirect URL on Centreon 22.04.7, please?

Because on the Azure side, I have configured the same URL that you shared,

and I have the following error:

  • To configure your Authentication you will need to provide a redirect uri.???

 

The format should be <scheme>://<your_domain_name>/centreon/authentication/providers/configurations/openid

 

Thanks in advance

Reply