SAML Single Sign-On with Pandora FMS

SAML is an XML-based open standard for authentication and authorization. Pandora FMS can work as a service provider with your internal SAML identity provider.

Administrators are always authenticated against the local database.

Configuring Pandora FMS

Go to Management > Setup > Setup > Authentication and select SAML under Authentication method.

Configuring the service provider

To configure the service provider, first download SimpleSAMLphp and install it in /opt/simplesamlphp/.

Configure an endpoint to handle authentication at /simplesaml:

ln -s /opt/simplesamlphp/www /var/www/html/simplesaml

Add your SP to the authentication sources in /opt/simplesamlphp/config/authsources.php:

// Service provider entry used by Pandora FMS (appended to $config in authsources.php)
$config['test-sp'] = [
    'saml:SP',
    'entityID' => 'http://app.example.com',
    // Metadata URL of the IdP registered below
    'idp' => 'http://172.16.0.3:8080/simplesaml/saml2/idp/metadata.php',
];

Register the IdP metadata:

// Remote IdP entry keyed by its entityID (usually metadata/saml20-idp-remote.php)
$metadata['http://172.16.0.3:8080/simplesaml/saml2/idp/metadata.php'] = array(
    'name' => array(
        'en' => 'Test IdP',
    ),
    'description' => 'Test IdP',
    'SingleSignOnService' => 'http://172.16.0.3:8080/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'http://172.16.0.3:8080/simplesaml/saml2/idp/SingleLogoutService.php',
    // Fingerprint of the IdP signing certificate; see the note below on
    // validating against the full certificate instead
    'certFingerprint' => '119b9e027959cdb7c662cfd075d9e2ef384e445f',
);

It is recommended to validate the IdP signature against its full certificate (the certData option) instead of relying on certFingerprint.

Make sure the file /opt/simplesamlphp/lib/_autoload.php exists.

Once SimpleSAMLphp is installed, check whether login works directly through SimpleSAMLphp. To do so, open the following URL and select the authentication source:

http://<IP_ADDRESS>/simplesaml/module.php/core/authenticate.php

A login screen will appear; enter the SAML user and password you created.

If the login is correct, a summary screen with all user attributes will appear.

You also have this guide available: SimpleSAMLphp Service Provider QuickStart.

Configuring your identity provider

For SAML users to be created correctly in Pandora FMS, every user in the identity provider must define the identifying attributes that appear in the SAML configuration:

If Simple attribute is selected, two new fields, Profile attribute and Tag attribute, appear; use them to select the SAML attributes whose values match the Profile and Tag names defined in Pandora FMS.

When selecting Multivalue attribute, use an attribute that follows this format:

<Attribute Name="MULTIVALUE_ATTRIBUTE">
    <AttributeValue>PREFIX:role:rolename</AttributeValue>
    <AttributeValue>PREFIX:tag:tagname</AttributeValue>
</Attribute>
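To check how such an attribute would map to roles and tags before trusting it, here is an added example in Python (not code from Pandora FMS or SimpleSAMLphp) that parses the multivalue attribute using the PREFIX:role and PREFIX:tag convention above; the prefix PANDORA, the attribute values and the namespaced sample statement are constructed assumptions.

```python
# Added example (not Pandora FMS or SimpleSAMLphp code): parse the page's
# multivalue attribute convention, PREFIX:role:<name> / PREFIX:tag:<name>,
# into the roles and tags a user receives. The sample XML is constructed.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def _local(tag: str) -> str:
    # Accept both the bare <Attribute> shown on the page and a namespaced
    # <saml:Attribute> from a real assertion.
    return tag.rsplit("}", 1)[-1]


def parse_multivalue(xml_text: str, attr_name: str, prefix: str) -> dict:
    # Values with a foreign prefix or an unknown kind are collected under
    # 'ignored' so a misconfigured IdP is visible instead of mapping silently.
    result = {"roles": [], "tags": [], "ignored": []}
    for attr in ET.fromstring(xml_text).iter():
        if _local(attr.tag) != "Attribute" or attr.get("Name") != attr_name:
            continue
        for val in attr:
            if _local(val.tag) != "AttributeValue":
                continue
            text = (val.text or "").strip()
            parts = text.split(":", 2)  # a ':' inside the name is kept
            if len(parts) != 3 or parts[0] != prefix or not parts[2]:
                result["ignored"].append(text)
            elif parts[1] == "role":
                result["roles"].append(parts[2])
            elif parts[1] == "tag":
                result["tags"].append(parts[2])
            else:
                result["ignored"].append(text)
    return result


# Constructed sample attribute statement, as an IdP would send it.
SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="MULTIVALUE_ATTRIBUTE">
    <saml:AttributeValue>PANDORA:role:Operator (Read)</saml:AttributeValue>
    <saml:AttributeValue>PANDORA:tag:network</saml:AttributeValue>
    <saml:AttributeValue>PANDORA:tag:dc:madrid</saml:AttributeValue>
    <saml:AttributeValue>OTHERAPP:role:admin</saml:AttributeValue>
    <saml:AttributeValue>PANDORA:group:ops</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

if __name__ == "__main__":
    print(parse_multivalue(SAMPLE, "MULTIVALUE_ATTRIBUTE", "PANDORA"))
```

Values carrying another application's prefix or an unknown kind end up in the ignored list, which is what you want to log when debugging why a user got fewer profiles or tags than expected.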

Once this attribute is created in the IdP and selected as the multivalue attribute in the Pandora FMS configuration, the following parameters are shown:

(Screenshot: Pandora FMS SAML configuration with the multivalue attribute parameters)

Logging in

Go to Pandora FMS Console and click Login. You will be redirected to your identity provider.

After a successful login, you will be redirected back to Pandora FMS Console.