Skip to main content

Configuring connection via OpenId Connect

Centreon is compatible with OAuth 2.0/OpenId Connect authentication.

Usage of Identity Providers (IdP) is available, such as Microsoft Azure AD, Okta, Keycloak, LemonLDAP::NG or other IdP which are compatible with the Authorization Code Flow.

Authentication via OpenId Connect is configured on the Administration > Parameters > Centreon UI page, in the Authentication by OpenId Connect section.

  • Enable OpenId Connect authentication allows to enable or disable OpenId Connect authentication.
  • Authentication mode field indicates if the authentication should take place only by OpenId Connect or using local authentication as well (Mixed).
  • Trusted client addresses field indicates which are the IP/DNS of the trusted clients (corresponding to the reverse proxy). The trusted clients are separated by comas.
  • Blacklist client addresses field indicates which are the IP/DNS rejected.
  • Base Url field defines the IdP base URL for OpenId Connect endpoints (mandatory).
  • Authorization Endpoint field defines the authorization endpoint, for example /authorize (mandatory).
  • Token Endpoint field defines the token endpoint, for example /token(mandatory).
  • Introspection Token Endpoint field defines the introspection token endpoint, for example /introspect (mandatory).
  • User Information Endpoint field defines the user information endpoint, for example /userinfo.
  • End Session Endpoint field defines the logout endpoint, for example /logout.
  • Login claim value field defines the value returned from Introspection Token Endpoint or User Information Endpoint to authenticate the user. For example sub or email.
  • Scope field defines the scope of the IdP, for example openid. Separate scope by space.
  • Redirect Url field defines the redirect URL after login to access your Centreon server, for example https://192.168.0.1/centreon/index.php.
  • Client ID field defines the Client ID.
  • Client Secret field defines the Client secret.
  • Use Basic Auth for Token Endpoint Authentication field forces to use the Authorization: Basic method.
  • Disable SSL verify peer field allows to disable SSL peer validation, should only be used for tests.

image

Depending on the identity provider, it is necessary to enter several scopes in order to retrieve the claim which will identify the user. This is indicated in the provider's configuration documentation.

It is possible to define a full URL for the endpoints in case the base of the URL is different from the others.

It is possible not to specify the Redirect Url field. In this case, the Centreon server will send its own URL to the service provider.

If you want to automatically import users after connection, you can configure an LDAP server and enable auto import. Be sure that the "Login attribute" from your LDAP configuration will be identical to the "Login claim value".

You can enable Authentication debug through Administration > Parameters > Debug menu to understand authentication failures and improve your setup.

Examples of configuration​

Here is an example configuration for Microsoft Azure Active Directory:

FieldsValues
Base Urlhttps://login.microsoftonline.com/${tenantId}/oauth2/v2.0
Authorization Endpoint/authorize
Token Endpoint/token
Introspection Token Endpoint/introspect
User Information Endpointhttps://graph.microsoft.com/oidc/userinfo
End Session Endpoint
Scopeopenid
Login claim valueemail
Redirect Urlhttps://${ipCentreon}/centreon/index.php
Client ID${clientId}
Client Secret${clientSecret}

Please replace ${tenantId}, ${ipCentreon}, ${clientId} and ${clientSecret} with your own values.