Version: 22.04

Configuring connection via OpenID Connect

Centreon is compatible with OAuth 2.0 / OpenID Connect authentication.

Identity Providers (IdP) such as Microsoft Azure AD, Okta, Keycloak, LemonLDAP::NG, or any other IdP that supports the Authorization Code Flow, can be used.

Configure OpenID Connect authentication

Go to Administration > Authentication > OpenID Connect Configuration:


Step 1: Enable authentication

Enable OpenID Connect authentication:

  • Enable OpenId Connect authentication: enables or disables OpenID Connect authentication.
  • Authentication mode: indicates whether authentication is done using OpenID Connect only, or using local authentication as well (Mixed). In mixed mode, users created manually in Centreon (and not identified via OpenID Connect) will also be able to log in.

While setting the parameters, it is recommended to keep the "Mixed" mode enabled: the local admin account then remains usable if the OpenID Connect configuration turns out to be wrong, so you cannot lock yourself out of Centreon.

Step 2: Configure Identity Provider access credentials

Configure Identity Provider information:

  • Base URL: defines the identity provider's base URL for OpenID Connect endpoints (mandatory).
  • Authorization Endpoint: defines the authorization endpoint, for example /authorize (mandatory).
  • Token Endpoint: defines the token endpoint, for example /token (mandatory).
  • Client ID: defines the Client ID.
  • Client Secret: defines the Client secret.
  • Scopes: defines the scopes requested from the identity provider, for example openid. Separate scopes by spaces.

    Depending on the identity provider, several scopes must be requested in order to retrieve the claim that will identify users (for example, the email claim is usually released only when the email scope is requested). Check the provider's configuration documentation.

  • Login claim value: defines which of the claims returned by the Introspection Token Endpoint or the User Information Endpoint is used to identify users, for example sub or email.
  • End Session Endpoint: defines the logout endpoint, for example /logout.

Depending on your identity provider, set at least one of the following two endpoints:

  • User Information Endpoint: defines the user information endpoint, for example /userinfo.
  • Introspection Token Endpoint: defines the token introspection endpoint, for example /introspect.

You can also configure:

  • Use Basic Auth for Token Endpoint Authentication: the client ID and secret are sent in an Authorization: Basic header when calling the token endpoint (client_secret_basic) instead of in the request body. Enable this option if your identity provider requires it.
  • Disable SSL verify peer: disables verification of the identity provider's TLS certificate. The token exchange is then exposed to man-in-the-middle interception: use this option for test purposes only, never in production.

An endpoint can be entered as a full URL when it is not hosted under the Base URL (for example a user information endpoint served from a different domain than the authorization and token endpoints).

You can enable Authentication debug through the Administration > Parameters > Debug menu to understand authentication failures and improve your setup.

Step 3: Configure client addresses

If you leave both fields blank, all IP addresses will be allowed to access the Centreon interface.

  • Trusted client addresses: if you enter IP addresses in this field, only these IP addresses will be allowed to access the Centreon interface; all other IP addresses will be blocked. IP addresses must be separated by commas.
  • Blacklist client addresses: these IP addresses will be blocked; all other IP addresses will be allowed to access the Centreon interface. IP addresses must be separated by commas.

Step 4: Create users

On page Configuration > Users > Contacts/Users, create the users that will log on to Centreon using OpenID Connect and grant them rights using access groups. Users are matched by login: the value of the claim selected as Login claim value must be equal to the user's Centreon login, otherwise the login fails even though the identity provider accepted the user.

Step 5: Configure your Identity Provider (IdP)

Configure your IdP to add the Centreon application using the OpenID Connect protocol to authenticate your users, and authorize the following redirect URI, to which authenticated users are forwarded back to Centreon:

{protocol}://{server}:{port}/centreon/authentication/providers/configurations/openid

Replace {protocol}, {server} and {port} with the URI used to access your Centreon server. For example: https://centreon.domain.net/centreon/authentication/providers/configurations/openid. The redirect URI registered at the IdP must match this value exactly (scheme, host, port and path): a mismatch is rejected by the provider and the login never returns to Centreon.
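As an added example (not code from the Centreon project), the following Python script plays the role of the Authorization Code Flow client that steps 2 and 5 configure: it resolves each endpoint against the Base URL (or takes it as a full URL), builds the authorization request with the configured scopes and the redirect URI, checks the state on the callback, builds the token-endpoint request with either Basic client authentication or credentials in the body, and extracts the login claim from the claims returned by the user information endpoint. The provider hostnames, client credentials, authorization code and claim values are placeholders constructed for the example; nothing is sent over the network.

```python
import base64
import secrets
import urllib.parse

# Hypothetical values for the Centreon form fields of step 2 (provider, client and host are placeholders)
CONFIG = {
    "base_url": "https://idp.example.net/oauth2/v2.0",
    "authorization_endpoint": "/authorize",
    "token_endpoint": "/token",
    "userinfo_endpoint": "https://userinfo.example.net/oidc/userinfo",  # full URL: not under the base
    "end_session_endpoint": "/logout",
    "client_id": "centreon-client",
    "client_secret": "s3cr3t",
    "scopes": "openid email",
    "login_claim": "email",
    "use_basic_auth": True,
}

# Redirect URI registered at the IdP (step 5); the IdP compares it with this string exactly
REDIRECT_URI = "https://centreon.domain.net/centreon/authentication/providers/configurations/openid"


def endpoint_url(config, key):
    """Absolute URL of a form field: a value with a scheme is used as-is, otherwise it is appended to Base URL."""
    value = config[key]
    if value.startswith(("https://", "http://")):
        return value
    return config["base_url"].rstrip("/") + "/" + value.lstrip("/")


def build_authorization_url(config, redirect_uri, state):
    """First leg of the Authorization Code Flow: the URL the user's browser is sent to."""
    params = {
        "response_type": "code",
        "client_id": config["client_id"],
        "redirect_uri": redirect_uri,
        "scope": config["scopes"],
        "state": state,  # random per login attempt; checked again on the callback
    }
    return endpoint_url(config, "authorization_endpoint") + "?" + urllib.parse.urlencode(params)


def check_callback(query_string, expected_state):
    """Parse the redirect back to Centreon; reject a wrong state (CSRF) or a provider error."""
    query = urllib.parse.parse_qs(query_string)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: the callback was not started by this login")
    if "error" in query:
        raise ValueError("provider returned " + query["error"][0])
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def build_token_request(config, code, redirect_uri):
    """Request that exchanges the code at the Token Endpoint: returns (url, headers, form body)."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if config["use_basic_auth"]:
        # client_secret_basic: credentials form-encoded, then base64, in the Authorization header
        pair = (urllib.parse.quote(config["client_id"], safe="") + ":"
                + urllib.parse.quote(config["client_secret"], safe=""))
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:
        # client_secret_post: credentials travel in the form body
        body["client_id"] = config["client_id"]
        body["client_secret"] = config["client_secret"]
    return endpoint_url(config, "token_endpoint"), headers, urllib.parse.urlencode(body)


def resolve_login(claims, login_claim):
    """Centreon login taken from the claims; an absent claim usually means a scope is missing."""
    value = claims.get(login_claim)
    if not value:
        raise LookupError(f"claim {login_claim!r} not returned; request the scope that releases it")
    return value


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print("1. redirect browser to:", build_authorization_url(CONFIG, REDIRECT_URI, state))
    code = check_callback(f"code=AUTHCODE&state={state}", state)  # simulated callback
    url, headers, body = build_token_request(CONFIG, code, REDIRECT_URI)
    print("2. POST", url, headers, body)
    claims = {"sub": "1234", "email": "alice@example.net"}  # constructed userinfo response
    print("3. login:", resolve_login(claims, CONFIG["login_claim"]))
```

Toggling use_basic_auth switches where the client secret travels; if the provider rejects the token request with invalid_client, that switch (and an exactly matching redirect_uri) is the first thing to check.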

Examples of configuration

Here is an example configuration for Microsoft Azure Active Directory:

Field                        Value
Base URL                     https://login.microsoftonline.com/${tenantId}/oauth2/v2.0
Authorization Endpoint       /authorize
Token Endpoint               /token
User Information Endpoint    https://graph.microsoft.com/oidc/userinfo
End Session Endpoint         (leave empty)
Scopes                       openid
Login claim value            email
Client ID                    ${clientId}
Client Secret                ${clientSecret}

Replace ${tenantId}, ${clientId} and ${clientSecret} with your own values. The User Information Endpoint is given as a full URL because it is served from graph.microsoft.com rather than under the Base URL. If the email claim is missing from the user information response, add the email scope (Scopes: openid email): under OpenID Connect that claim is released only when the email scope is requested.
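Most identity providers publish their endpoints in an OpenID Connect discovery document (for Azure AD v2.0 it is served at https://login.microsoftonline.com/${tenantId}/v2.0/.well-known/openid-configuration). The following Python script, added here as an example and not part of the Centreon documentation, turns such a document into the values for the form above: it derives the Base URL as the longest common prefix of the authorization and token endpoints, writes endpoints under that base as relative paths and those on another host (here the user information endpoint on graph.microsoft.com) as full URLs, and adds the standard scope that releases the chosen login claim. The discovery document embedded in the script is constructed to match the shape of Azure AD's, not fetched from Microsoft.

```python
import json

# Constructed sample shaped like an Azure AD v2.0 discovery document (only the keys used here);
# it is not fetched from Microsoft. ${tenantId} is the same placeholder as in the table above.
DISCOVERY_JSON = """{
  "issuer": "https://login.microsoftonline.com/${tenantId}/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token",
  "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
  "end_session_endpoint": "https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/logout",
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "claims_supported": ["sub", "iss", "email", "name", "preferred_username"]
}"""

# Centreon form field -> key in the discovery document
FIELDS = {
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "User Information Endpoint": "userinfo_endpoint",
    "End Session Endpoint": "end_session_endpoint",
}

# Standard OpenID Connect scope that releases each claim (OIDC Core 5.4); sub needs only openid
CLAIM_SCOPE = {
    "email": "email",
    "email_verified": "email",
    "name": "profile",
    "preferred_username": "profile",
    "given_name": "profile",
    "family_name": "profile",
}


def common_base(urls):
    """Longest common prefix of the URLs, cut at a '/' boundary; used as Centreon's Base URL."""
    split = [u.split("/") for u in urls]
    common = []
    for segments in zip(*split):
        if len(set(segments)) != 1:
            break
        common.append(segments[0])
    return "/".join(common)


def scopes_for(login_claim, doc):
    """Scopes to request so that the login claim is present in the user information response."""
    supported = doc.get("claims_supported")
    if supported is not None and login_claim not in supported:
        raise ValueError(f"provider does not advertise claim {login_claim!r}")
    scopes = ["openid"]
    extra = CLAIM_SCOPE.get(login_claim)
    if extra and extra in doc.get("scopes_supported", [extra]):
        scopes.append(extra)
    return scopes


def centreon_fields(discovery_json, login_claim="sub"):
    """Map a discovery document to the Centreon OpenID Connect form fields."""
    doc = json.loads(discovery_json)
    base = common_base([doc["authorization_endpoint"], doc["token_endpoint"]])
    fields = {"Base URL": base}
    for name, key in FIELDS.items():
        url = doc.get(key, "")
        if url.startswith(base + "/"):
            fields[name] = url[len(base):]  # under the base: relative path such as /authorize
        else:
            fields[name] = url  # other host: full URL; absent endpoint: field left empty
    fields["Scopes"] = " ".join(scopes_for(login_claim, doc))
    fields["Login claim value"] = login_claim
    return fields


if __name__ == "__main__":
    for name, value in centreon_fields(DISCOVERY_JSON, "email").items():
        print(f"{name:26} {value}")
```

Run against a document fetched from your own provider, the output is the set of values to type into the form; a ValueError from scopes_for means the provider does not advertise the claim you chose as Login claim value, so a different claim (or a different provider setting) is needed.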