How to use SAML v2 to authenticate users in Centreon​

  • 16 August 2022
  • 0 replies

Userlevel 6
Badge +19

In this article we will implement authentication based on the SAMLv2 protocol to connect your users to the Centreon web interface. This authentication will be performed by the Apache web server and will use Centreon's Web SSO functionality.



Centreon does not manage the import of users via the Web SSO functionality. Users must therefore be previously declared in Centreon via the Configuration > Users > Contacts / Users menu.


In addition, Centreon must be accessible through HTTPS with a valid certificate and a DNS record.


This tutorial was made with the Centreon 22.04.x version, installed on the CentOS 7 operating system. The dependencies are PHP in version 8.0 and Apache in version 2.4 (httpd24-httpd).


Moreover, you must have access to the configuration of your identity provider to add a new application and configure it.


Configure the Apache web server


Install mod_auth_mellon Apache extension

yum install -y httpd24-mod_auth_mellon httpd24-mod_ssl openssl xmlsec1-openssl xmlsec1


Create a directory to store metadata

mkdir -p /opt/rh/httpd24/root/etc/httpd/saml2


Configure Apache to use SAMLv2 for authentication

Edit /opt/rh/httpd24/root/etc/httpd/conf.d/10-centreon.conf file.


After the following lines:

Alias /centreon/api /usr/share/centreon

Alias /centreon /usr/share/centreon/www/



<Location />

    MellonEnable info

    MellonEndpointPath /mellon/

    MellonSPMetadataFile /opt/rh/httpd24/root/etc/httpd/saml2/mellon_metadata.xml

    MellonSPPrivateKeyFile /opt/rh/httpd24/root/etc/httpd/saml2/mellon.key

    MellonSPCertFile /opt/rh/httpd24/root/etc/httpd/saml2/mellon.crt

    MellonIdPMetadataFile /opt/rh/httpd24/root/etc/httpd/saml2/idp_metadata.xml

    MellonIdP <IDP ADDRESS>

    MellonMergeEnvVars On



Replace <IDP ADDRESS> by the endpoint to access to your IDP.

For example, if you will use Keycloak as IDP and Centreon_SSO as realm, you will have:

MellonIdP http://<IP>:8080/auth/realms/Centreon_SSO


Then add the following block:

<Location /centreon>

    AuthType Mellon

    MellonEnable auth

    Require valid-user



Configure metadata exchanges between Centreon and the identity provider

Configure Apache metadata

Execute following commands:

cd /tmp




file_prefix="$(echo "$mellon_entity_id" | sed 's/[^A-Za-z.]/_/g' | sed 's/__*/_/g')"

/opt/rh/httpd24/root/usr/libexec/mod_auth_mellon/ $mellon_entity_id $mellon_endpoint_url

mv ${file_prefix}.cert /opt/rh/httpd24/root/etc/httpd/saml2/mellon.crt

mv ${file_prefix}.key /opt/rh/httpd24/root/etc/httpd/saml2/mellon.key

mv ${file_prefix}.xml /opt/rh/httpd24/root/etc/httpd/saml2/mellon_metadata.xml


Configure Centreon on your IdP

Configure your Identity Provider to add the Mellon Service Provider (Centreon)


The XML metadata is located on the Centreon Server in this file: /opt/rh/httpd24/root/etc/httpd/saml2/mellon_metadata.xml


Then download your Identity Provider metadata and store it in the /opt/rh/httpd24/root/etc/httpd/saml2/idp_metadata.xml file on your Centreon server.


For example, from Keycloak IDP:

curl -k -o /opt/rh/httpd24/root/etc/httpd/saml2/idp_metadata.xml http://<IDP_IP>:<IDP_NAME>/auth/realms/<realm_name>/protocol/saml/descriptor


Configure Centreon

With an admin account, go to the Administration > Authentication menu and go to Define Web SSO Configuration tab:

  • Enable SSO authentication
  • Choose Mixed for Authentication mode
  • Define REMOTE_USER for Login header attribute name




Test your Apache configuration:

/opt/rh/httpd24/root/usr/sbin/apachectl -t


Then Restart Apache:

systemctl restart httpd24-httpd


You can now access to http(s)://<IP_CENTREON>/centreon and authenticate with your IDP.

0 replies

Be the first to reply!