In this article we will implement authentication based on the SAMLv2 protocol to connect your users to the Centreon web interface. This authentication will be performed by the Apache web server and will use Centreon's Web SSO functionality.

Prerequisites
 

Centreon does not manage the import of users via the Web SSO functionality. Users must therefore be previously declared in Centreon via the Configuration > Users > Contacts / Users menu.

In addition, Centreon must be accessible through HTTPS with a valid certificate and a DNS record.

This tutorial was made with the Centreon 22.04.x version, installed on the CentOS 7 operating system. The dependencies are PHP in version 8.0 and Apache in version 2.4 (httpd24-httpd).

Moreover, you must have access to the configuration of your identity provider to add a new application and configure it.

Configure the Apache web server

Install mod_auth_mellon Apache extension

yum install -y httpd24-mod_auth_mellon httpd24-mod_ssl openssl xmlsec1-openssl xmlsec1

Create a directory to store metadata

mkdir -p /opt/rh/httpd24/root/etc/httpd/saml2

Configure Apache to use SAMLv2 for authentication

Edit /opt/rh/httpd24/root/etc/httpd/conf.d/10-centreon.conf file.

After the following lines:

Alias /centreon/api /usr/share/centreon

Alias /centreon /usr/share/centreon/www/

Add:

<Location />

    MellonEnable info

    MellonEndpointPath /mellon/

    MellonSPMetadataFile /opt/rh/httpd24/root/etc/httpd/saml2/mellon_metadata.xml

    MellonSPPrivateKeyFile /opt/rh/httpd24/root/etc/httpd/saml2/mellon.key

    MellonSPCertFile /opt/rh/httpd24/root/etc/httpd/saml2/mellon.crt

    MellonIdPMetadataFile /opt/rh/httpd24/root/etc/httpd/saml2/idp_metadata.xml

    MellonIdP <IDP ADDRESS>

    MellonMergeEnvVars On

</Location>

Replace <IDP ADDRESS> by the endpoint to access to your IDP.

For example, if you will use Keycloak as IDP and Centreon_SSO as realm, you will have:

MellonIdP http://<IP>:8080/auth/realms/Centreon_SSO

Then add the following block:

<Location /centreon>

    AuthType Mellon

    MellonEnable auth

    Require valid-user

</Location>

Configure metadata exchanges between Centreon and the identity provider

Configure Apache metadata

Execute following commands:

cd /tmp

fqdn=`hostname`

mellon_endpoint_url="https://${fqdn}/mellon"

mellon_entity_id="${mellon_endpoint_url}/metadata"

file_prefix="$(echo "$mellon_entity_id" | sed 's/a^A-Za-z.]/_/g' | sed 's/__*/_/g')"



/opt/rh/httpd24/root/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh $mellon_entity_id $mellon_endpoint_url



mv ${file_prefix}.cert /opt/rh/httpd24/root/etc/httpd/saml2/mellon.crt

mv ${file_prefix}.key /opt/rh/httpd24/root/etc/httpd/saml2/mellon.key

mv ${file_prefix}.xml /opt/rh/httpd24/root/etc/httpd/saml2/mellon_metadata.xml

Configure Centreon on your IdP

Configure your Identity Provider to add the Mellon Service Provider (Centreon)

The XML metadata is located on the Centreon Server in this file: /opt/rh/httpd24/root/etc/httpd/saml2/mellon_metadata.xml

Then download your Identity Provider metadata and store it in the /opt/rh/httpd24/root/etc/httpd/saml2/idp_metadata.xml file on your Centreon server.

For example, from Keycloak IDP:

curl -k -o /opt/rh/httpd24/root/etc/httpd/saml2/idp_metadata.xml http://<IDP_IP>:<IDP_NAME>/auth/realms/<realm_name>/protocol/saml/descriptor

Configure Centreon
​​​​​​​

With an admin account, go to the Administration > Authentication menu and go to Define Web SSO Configuration tab:

• Enable SSO authentication
• Choose Mixed for Authentication mode
• Define REMOTE_USER for Login header attribute name

Test your Apache configuration:

/opt/rh/httpd24/root/usr/sbin/apachectl -t

Then Restart Apache:

systemctl restart httpd24-httpd

You can now access to http(s)://<IP_CENTREON>/centreon and authenticate with your IDP.