Version: 22.04

Configuring connection via OpenId Connect

Centreon is compatible with OAuth 2.0/OpenId Connect authentication.

Identity Providers (IdP) such as Microsoft Azure AD, Okta, Keycloak, LemonLDAP::NG or any other IdP that supports the Authorization Code Flow can be used.

Configure OpenID Connect authentication

Go to Administration > Authentication > OpenID Connect Configuration:


Step 1: Enable authentication

Enable OpenID Connect authentication:

  • Enable OpenId Connect authentication: enables or disables OpenId Connect authentication.
  • Authentication mode: indicates whether authentication should be done using only OpenId Connect, or using local authentication as well (Mixed). In mixed mode, users created manually in Centreon (and not identified via OpenID Connect) will also be able to log in.

When setting the parameters, it is recommended to activate the "mixed" mode. This will allow you to retain access to the local admin account in the event of a misconfiguration.

Step 2: Configure Identity Provider access credentials

Configure Identity Provider information:

  • Base URL: defines the identity provider's base URL for OpenId Connect endpoints (mandatory).
  • Authorization Endpoint: defines the authorization endpoint, for example /authorize (mandatory).
  • Token Endpoint: defines the token endpoint, for example /token (mandatory).
  • Client ID: defines the Client ID.
  • Client Secret: defines the Client secret.
  • Scopes: defines the scopes requested from the identity provider, for example openid. Separate scopes by spaces.

    Depending on the identity provider, it is necessary to enter several scopes in order to retrieve the claim which will identify users. This is indicated in the provider's configuration documentation.

  • Login claim value: defines which of the variables returned by the Introspection Token Endpoint or the User Information Endpoint must be used to authenticate users. For example sub or email.
  • End Session Endpoint: defines the logout endpoint, for example /logout.

Depending on your identity provider, set either of the following two endpoints:

  • User Information Endpoint: defines the user information endpoint, for example /userinfo.
  • Introspection Token Endpoint: defines the introspection token endpoint, for example /introspect (mandatory).

You can also configure:

  • Use Basic Auth for Token Endpoint Authentication: the client ID and client secret are sent to the token endpoint in an Authorization: Basic header instead of in the request body. Enable this option if your identity provider requires it.
  • Disable SSL verify peer: allows you to disable SSL peer validation. The identity provider's certificate will not be checked: use this option for test purposes only.

You can define a full URL for the endpoints in case the base of the URL is different from the others.

You can enable Authentication debug through the Administration > Parameters > Debug menu to understand authentication failures and improve your setup.

Step 3: Configure client addresses

  • Trusted client addresses: if you enter IP addresses in this field, only these IP addresses will be allowed to access the Centreon interface. All other IP addresses will be blocked. IP addresses must be separated by commas.
  • Blacklist client addresses: these IP addresses will be blocked. All other IP addresses will be allowed to access the Centreon interface.

If you leave both fields blank, all IP addresses will be allowed to access the Centreon interface.

Step 4: Manage user creation


If you turn on Enable Auto import users, users that log in to Centreon for the first time will be created in the Centreon configuration. (Turning the option on does not automatically import all users from your identity provider: a user is created only when they first log in.)

  • Enable auto import: enables or disables automatic user import. If auto import is disabled, you will have to create each user manually before they can log in.
  • Contact template: select a contact template that will be applied to newly imported users. This allows you in particular to manage the default notification configuration.
  • Email attribute: defines which of the variables returned by the Introspection Token Endpoint or the User Information Endpoint must be used to get the user's email address.
  • Fullname attribute: defines which of the variables returned by the Introspection Token Endpoint or the User Information Endpoint must be used to get the user's full name.

Step 5: Manage Authorizations


Grant users rights by linking them to access groups:

  • Contact group: select a contact group to which users will be automatically added when they connect to the Centreon interface.
  • Authorization key: defines which of the variables returned by the Introspection Token Endpoint or the User Information Endpoint must be used to get the list of groups the user belongs to. When this parameter is not filled in, the default value groups is used.
  • Pair an Authorization value with a Centreon access group so that the user is granted the corresponding rights when connecting to the interface.

Each time the user logs in, authorization management is reinitialized to take into account information from the identity provider.
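As an added illustration (not Centreon's own code) of how Steps 4 and 5 combine at login time, the following Python resolves one user from a constructed IdP response; the claim names, the access-group pairing table and the `resolve_user` helper are assumptions.

```python
import json

# Constructed sample response from a User Information or Introspection
# endpoint; not real data.
SAMPLE_USERINFO = json.loads("""{
  "sub": "a1b2c3",
  "email": "jdoe@example.com",
  "name": "Jane Doe",
  "groups": ["monitoring-admins", "readonly"]
}""")

# Hypothetical pairing of Authorization values with Centreon access groups,
# as configured under Step 5. Values with no pairing grant nothing.
ACCESS_GROUP_PAIRS = {
    "monitoring-admins": "ALL",
    "helpdesk": "Helpdesk_ACL",
}


def resolve_user(claims, login_claim="email", email_attr="email",
                 fullname_attr="name", authorization_key=None,
                 pairs=ACCESS_GROUP_PAIRS):
    """Map one IdP response to the login, profile attributes and access
    groups Centreon would apply for this session (assumed logic)."""
    # An empty Authorization key falls back to the documented default.
    key = authorization_key or "groups"
    if login_claim not in claims:
        # Without the login claim the user cannot be identified: refuse.
        raise KeyError(f"login claim '{login_claim}' missing from IdP response")
    raw_groups = claims.get(key, [])
    if isinstance(raw_groups, str):       # some IdPs return a single string
        raw_groups = [raw_groups]
    # Rights are recomputed from the IdP data on every login, so only
    # groups present in this response yield access groups.
    access_groups = [pairs[g] for g in raw_groups if g in pairs]
    return {
        "login": claims[login_claim],
        "email": claims.get(email_attr),
        "fullname": claims.get(fullname_attr),
        "access_groups": access_groups,
    }
```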

Step 6: Configure your Identity Provider (IdP)

Configure your IdP to add the Centreon application using the OpenID Connect protocol to authenticate your users, and to authorize the following redirect URI so that connected users are forwarded back to Centreon:

{protocol}://{server}:{port}/centreon/authentication/providers/configurations/openid

Replace {protocol}, {server} and {port} with the URI used to access your Centreon server. For example: https://centreon.domain.net/centreon/authentication/providers/configurations/openid

Examples of configuration

Here is an example configuration for Microsoft Azure Active Directory:

Field                        Value
Base URL                     https://login.microsoftonline.com/${tenantId}/oauth2/v2.0
Authorization Endpoint       /authorize
Token Endpoint               /token
User Information Endpoint    https://graph.microsoft.com/oidc/userinfo
End Session Endpoint         (empty)
Scopes                       openid
Login claim value            email
Client ID                    ${clientId}
Client Secret                ${clientSecret}

Please replace ${tenantId}, ${clientId} and ${clientSecret} with your own values.
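The Azure AD example mixes relative endpoints (appended to Base URL) with a full URL for the user information endpoint, as allowed under Step 2. The following Python, added here and not part of Centreon, resolves such a configuration, flags the checks a practitioner would want before going live, and builds the Step 6 redirect URI; the field names follow the page, while the helper functions are assumptions.

```python
from urllib.parse import urlsplit

# Constructed configuration mirroring the Azure AD example above;
# the ${...} placeholders are kept as on the page.
AZURE_EXAMPLE = {
    "Base URL": "https://login.microsoftonline.com/${tenantId}/oauth2/v2.0",
    "Authorization Endpoint": "/authorize",
    "Token Endpoint": "/token",
    "User Information Endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "Introspection Token Endpoint": "",
    "End Session Endpoint": "",
}

ENDPOINT_FIELDS = ("Authorization Endpoint", "Token Endpoint",
                   "User Information Endpoint",
                   "Introspection Token Endpoint", "End Session Endpoint")


def resolve_endpoint(base_url, value):
    """A value that is already an absolute URL is used as-is; anything
    else is appended to Base URL (the rule stated under Step 2)."""
    if not value:
        return None
    if urlsplit(value).scheme in ("http", "https"):
        return value
    return base_url.rstrip("/") + "/" + value.lstrip("/")


def resolve_endpoints(config):
    return {f: resolve_endpoint(config["Base URL"], config.get(f, ""))
            for f in ENDPOINT_FIELDS}


def check_endpoints(resolved):
    """Return problems to fix before enabling the provider: the mandatory
    endpoints, the userinfo-or-introspection choice, and plain http
    (tokens and the client secret would cross the network unprotected)."""
    problems = []
    for name in ("Authorization Endpoint", "Token Endpoint"):
        if not resolved[name]:
            problems.append(f"{name} is mandatory")
    if not (resolved["User Information Endpoint"]
            or resolved["Introspection Token Endpoint"]):
        problems.append("set User Information Endpoint or Introspection Token Endpoint")
    for name, url in resolved.items():
        if url and urlsplit(url).scheme != "https":
            problems.append(f"{name} is not served over https: {url}")
    return problems


def redirect_uri(protocol, server, port=None):
    """Redirect URI to authorize on the IdP side (Step 6); the port is
    omitted when the default one is used, as in the page's example."""
    host = server if port is None else f"{server}:{port}"
    return f"{protocol}://{host}/centreon/authentication/providers/configurations/openid"
```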