SAML authentication distributed monitoring

Hi,

I just finished implementing SAML authentication on our main Checkmk but now I want to implement this on our distributed nodes as well. However, I can’t get it to work.

I have looked for settings under the Distributed monitoring tab. I thought in version 2.1.0 you had an option to sync all users with your distributed sites, but now I only see an option for “Sync with LDAP connections” and nothing for users in general or SAML connections. I also tried adding a dedicated SAML connection for the distributed site but this didn’t work either.

We have the following setup:

  • Checkmk Enterprise Edition v2.2.0p14 for our local and distributed sites
  • All three instances (one local, two distributed) run as Docker container
  • WATO is disabled on our distributed sites

Does anyone know whether this is possible or not? And what would happen if you enable WATO on the distributed sites? I assume changes won’t sync both ways?

2 Likes

Hello,

I am trying to achieve the same thing, which results in exactly this issue.
Would appreciate any information and help on this.

1 Like

I'm facing this exact same issue.

Does anyone know whether this is possible or not? And what would happen if you enable WATO on the distributed sites? I assume changes won’t sync both ways?

Unfortunately, SAML authentication has not been implemented for the distributed setup yet, like it is for LDAP connections (Setup >> General >> Distributed monitoring >> Configuration connection >> Sync with LDAP connection), where you can sync users with different connection options. So it's not possible at the moment.

Maybe you can create an idea on https://ideas.checkmk.com/ ?

1 Like

Thank you for the reply. I have created an idea for it.

1 Like

In essence this all boils down to:

SAML does not allow for 1-to-many because of the trust relation based on both metadata and certificates.

In my opinion the only way a 1-to-many trust/federative link can be achieved is via OIDC.

This is because the relationship compared to SAML is different: OIDC is able to allow multiple response URLs (redirect URIs).
In particular this part is useful in clustered or distributed setups, as it is able to authenticate and receive information afterwards on different nodes.
As long as the redirect URL/URI is registered with the IDP this should work for every node.

  • Glowsome

Hi Glowsome,

Thank you for the information! It makes sense if you look at it that way. I will look into OIDC then.

Thomas

Not comparable as it is a completely different product, but I use OIDC in a Proxmox cluster and it has one set of ClientID / Secret which is distributed over all nodes, and on the IDP all redirect URIs (per node) have been entered, so whichever node does a request it will always receive information back at the correct redirect URI.

Now for CMK there is not yet 'builtin' support, so it cannot be configured/managed from within CMK (compared to SAML).
Plus SAML is only available in the CEE edition, whereas I use the RAW edition.
So to get around it I use an OIDC Apache module to facilitate this.

  • Glowsome
1 Like
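The 1-to-many point made in the two posts above (one client ID/secret shared by every node, each node's own callback URL registered at the IdP, the IdP always answering to whichever registered redirect URI asked) can be shown end to end in code. The following is an added example written for this thread, not Checkmk, Proxmox or Apache module code: a toy OIDC authorization-code flow with a constructed IdP, a constructed shared client registration, and three assumed per-site callback URLs. The ID token is signed with a toy HMAC so the block runs offline; a real IdP signs with its published JWKS keys.

```python
"""Toy OIDC authorization-code flow: one client (client_id/secret) shared by
several relying-party nodes, each with its own registered redirect_uri.
Constructed example for illustration; not Checkmk or mod_auth_openidc code."""
import base64
import hashlib
import hmac
import json
import secrets

# Assumed values: a single OIDC client registration reused by all sites.
CLIENT_ID = "checkmk"
CLIENT_SECRET = "constructed-shared-secret-do-not-reuse"
ISSUER = "https://idp.example.com"
# Assumed per-node callback URLs, all registered on the IdP for the one client.
REGISTERED_REDIRECT_URIS = frozenset({
    "https://cmk-central.example.com/central/oidc/callback",
    "https://cmk-site1.example.com/site1/oidc/callback",
    "https://cmk-site2.example.com/site2/oidc/callback",
})


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Minimal IdP with an authorization endpoint and a token endpoint."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}  # code -> (redirect_uri, subject)

    def authorize(self, client_id: str, redirect_uri: str, state: str, user: str) -> dict:
        """The redirect_uri must equal a registered value exactly (RFC 6749
        section 3.1.2.3): no prefix or wildcard matching, otherwise an
        attacker-controlled host could be handed the authorization code."""
        if client_id != CLIENT_ID:
            raise PermissionError("unknown client_id")
        if redirect_uri not in REGISTERED_REDIRECT_URIS:
            raise PermissionError(f"redirect_uri not registered: {redirect_uri}")
        code = secrets.token_urlsafe(16)
        self._pending[code] = (redirect_uri, user)
        # The IdP sends the browser back to the node that started the login.
        return {"redirect_to": redirect_uri, "code": code, "state": state}

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> str:
        """The node authenticates with the shared secret; the code is
        single-use and bound to the redirect_uri it was issued for."""
        if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise PermissionError("client authentication failed")
        entry = self._pending.pop(code, None)
        if entry is None or entry[0] != redirect_uri:
            raise PermissionError("invalid or replayed code")
        payload = {"iss": ISSUER, "aud": CLIENT_ID, "sub": entry[1]}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        # Toy HMAC signature over the payload; real IdPs use JWS with JWKS keys.
        sig = hmac.new(CLIENT_SECRET.encode(), body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


def verify_id_token(token: str) -> dict:
    """Check signature, issuer and audience before trusting any claim."""
    body, sig = token.split(".")
    expected = hmac.new(CLIENT_SECRET.encode(), body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise PermissionError("wrong issuer or audience")
    return claims


def node_login(idp: IdentityProvider, redirect_uri: str, user: str) -> str:
    """One relying-party node running the whole flow for its own callback URL."""
    state = secrets.token_urlsafe(8)
    resp = idp.authorize(CLIENT_ID, redirect_uri, state, user)
    # Callback handler: the response must land on this node and carry our state.
    if resp["redirect_to"] != redirect_uri or not hmac.compare_digest(resp["state"], state):
        raise PermissionError("state mismatch (possible CSRF / login injection)")
    token = idp.token(CLIENT_ID, CLIENT_SECRET, resp["code"], redirect_uri)
    return verify_id_token(token)["sub"]


def login_on_all_nodes(user: str = "thomas") -> dict[str, str]:
    """Every registered node authenticates the same user with the one client."""
    idp = IdentityProvider()
    return {uri: node_login(idp, uri, user) for uri in sorted(REGISTERED_REDIRECT_URIS)}


def login_from_unregistered_node() -> bool:
    """A node whose callback was never registered is refused by the IdP."""
    try:
        node_login(IdentityProvider(), "https://cmk-site3.example.com/site3/oidc/callback", "thomas")
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    for uri, sub in login_on_all_nodes().items():
        print(f"{uri} -> {sub}")
    print("unregistered node accepted:", login_from_unregistered_node())
```

The two checks that carry the security weight are the exact-match comparison of redirect_uri against the registered set and the binding of the code to that same redirect_uri at the token endpoint; adding a new site is then only a matter of registering one more callback URL, with no new trust material on the IdP side.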

As OIDC will be another :roll_eyes: protocol that should be maintained and supported by our staff, this will not be a solution for us.

Just to understand the problem: why can't there be just a configuration option for every slave site where we can configure the SAML credentials for each slave site (certificate, URL, ...)? User creation should not be possible via slave sites, and the permissions in check_mk for every user are already set using the master site.

Having SAML authentication only on the master site is boring and quite useless, because we still have to use Kerberos or something like that additionally on the slave sites.

1 Like