Some time has passed and there were a few things that needed to be fixed:
- Legacy Web API URL
- Bakery URL for deploying agents
All in all, this is my working config with Azure AD right now:
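# Set this to the name of your Checkmk site, e.g. "Define SITE mysite".
Define SITE mysite

# ServerName from listen-ports.conf needs to be overwritten here
# and being set to the URL of the real server.
# auth_mellon uses this to generate the needed URLs in the metadata.
ServerName https://checkmk.mydomain.tld

# Load the module from the system's Apache/httpd location as we don't ship
# mod_auth_mellon within OMD yet.
<IfModule !mod_auth_mellon.c>
    # Use this line on Debian based systems.
    #LoadModule auth_mellon_module /usr/lib/apache2/modules/mod_auth_mellon.so
    # Use this line on CentOS 7 / 8
    LoadModule auth_mellon_module /omd/sites/${SITE}/lib/apache/modules/mod_auth_mellon.so
    # When using CentOS 7 / 8 and in need of diagnostics install mod_auth_mellon-diagnostics package,
    # and use the following statement.
    #LoadModule auth_mellon_module /usr/lib64/httpd/modules/mod_auth_mellon-diagnostics.so
</IfModule>
# NOTE: the <IfModule> block above was not closed in the pasted config; Apache
# refuses to start on an unclosed section, so the </IfModule> is restored here.

# Only enable this for debugging purposes. The diagnostics log contains the
# full SAML assertions (attributes, session data), so keep it off in production
# and protect the file if it is ever enabled.
# MellonDiagnosticsFile /opt/omd/sites/${SITE}/tmp/mellon_diagnostics.log
# MellonDiagnosticsEnable On

<Location /${SITE}>
    # Strip any client-supplied X-Remote-User for every request under the site
    # prefix, not only on the SAML branch below. The only legitimate source of
    # this header is mod_auth_mellon, which sets it again after a successful
    # authentication (see the RequestHeader set directives further down).
    # <If> sections are merged after <Location>, so this unset runs first.
    RequestHeader unset X-Remote-User

    # Use SAML auth only in case there is no Check_MK authentication
    # cookie provided by the user and whitelist also some other required URLs.
    # Requests that match one of the exceptions (agent registration, legacy
    # Web API, cron, REST API, agent bakery downloads, or a query string
    # carrying _secret=/auth_/register_agent) skip SAML entirely and rely on
    # Checkmk's own cookie/automation-secret authentication instead; make sure
    # that fallback is enforced for those endpoints.
    <If "! %{HTTP_COOKIE} =~ /auth_/ && \
        ! %{REQUEST_URI} = '/${SITE}/check_mk/register_agent.py' && \
        ! %{REQUEST_URI} = '/${SITE}/check_mk/webapi.py' && \
        ! %{REQUEST_URI} = '/${SITE}/check_mk/run_cron.py' && \
        ! %{REQUEST_URI} -strmatch '/${SITE}/check_mk/api/*' && \
        ! %{REQUEST_URI} = '/${SITE}/check_mk/deploy_agent.py' && \
        ! %{QUERY_STRING} =~ /(_secret=|auth_|register_agent)/ && \
        ! %{REQUEST_URI} =~ m#^/${SITE}/(omd/|check_mk/(images/.*\.png|login\.py|.*\.(css|js)))# ">
        # IdP metadata as downloaded from Azure AD; refresh it when the IdP
        # rotates its signing certificate, otherwise assertions fail validation.
        MellonIdPMetadataFile /opt/omd/sites/${SITE}/etc/apache/mellon/idp-metadata.xml
        # MellonIdPPublicKeyFile not needed, Azure AD includes the key in its metadata.xml
        # SP certificate and private key (despite the file names these are the
        # SP's, not the IdP's). The key must be readable by the site user only.
        MellonSPCertFile /opt/omd/sites/${SITE}/etc/apache/mellon/idp.cert
        MellonSPPrivateKeyFile /opt/omd/sites/${SITE}/etc/apache/mellon/idp.key
        MellonEndpointPath "/${SITE}/mellon"
        MellonDefaultLoginPath "/${SITE}/check_mk/"
        # Apache 2.2 style access control; on 2.4 this needs mod_access_compat.
        # Access is actually gated by the "require valid-user" below.
        Order allow,deny
        Allow from all
        AuthType Mellon
        MellonEnable auth
        require valid-user
        # If your assertion offers the username for Check_MK in an attribute you can set it directly as the remote user (REMOTE_USER)
        MellonUser "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
        # Forward the authenticated user to Checkmk; only set when mod_auth_mellon
        # exported the attribute (env= condition), never from client input.
        RequestHeader set X-Remote-User "%{MELLON_http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name}e" env=MELLON_http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        # When SAML auth fails, show the login page to the user. This should only happen,
        # if e.g. the mellon cookie is lost/rejected or if the IDP is misconfigured.
        # A failed login at the IDP will not return you here at all.
        ErrorDocument 401 '<html> \
        <meta http-equiv="refresh" content="1; URL=/${SITE}/check_mk/login.py"> \
        <body>SAML authentication failed, redirecting to login page.</body></html>'
    </If>
    # This header is also needed after authentication (outside of the If clause)
    RequestHeader set X-Remote-User "%{MELLON_http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name}e" env=MELLON_http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
</Location>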