
Configuration

Provider configurations are stored in /etc/icingaweb2/modules/sso/providers.ini and are managed through the Icinga Web frontend.

Adding a Provider

  1. Navigate to Configuration → Modules → sso → Providers → New.
  2. Fill in the required fields (see below).
  3. Click Save. Before the provider is stored, Icinga Web SSO contacts the provider's discovery endpoint to validate connectivity; the save fails if the endpoint cannot be reached.

Provider Settings

Basic Settings

| Field | Description | Example |
|---|---|---|
| Name | Display name shown on the login button | GitLab |
| Base URL | URL of the OpenID Connect provider | https://git.icinga.com/.well-known/openid-configuration |
| Client ID | Generated by the OIDC provider | deadbeefc0decafecafec0debeefdead |
| Client Secret | Generated by the OIDC provider | gloas-cafec0debeefdeaddeadbeefc0decafe |
| OAuth Scopes | Space-separated; configure these in the OIDC provider! | openid profile offline_access groups |
| Redirect URL | Auto-filled; configure the same in the OIDC provider! | https://example.com/sso/oidc/redirection-endpoint |
| Username Field | Claim that holds the username | preferred_username |
| Map Groups | Import group memberships from the provider | yes/no |
| Groups Field | Claim that holds the list of groups (used when Map Groups is enabled) | groups |

Claims are first read from the ID token. If a required claim is absent there, Icinga Web SSO automatically falls back to the provider’s userinfo endpoint.
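The following PHP script is an added example and not part of the Icinga Web SSO module. It shows the consistency checks a practitioner would want to run on a new provider before clicking Save: every endpoint in the discovery document and the Redirect URL must be HTTPS, every scope in "OAuth Scopes" must be advertised by the provider, and the username and groups claims should be listed when the provider publishes `claims_supported`. The settings array key names and the discovery document are constructed for this example; the discovery fields themselves (`issuer`, `authorization_endpoint`, `token_endpoint`, `userinfo_endpoint`, `jwks_uri`, `scopes_supported`, `claims_supported`) are the standard OpenID Connect Discovery names.

```php
<?php
declare(strict_types=1);

/**
 * Preflight check of provider settings against an OIDC discovery document.
 * Returns a list of problems; an empty list means the settings are consistent
 * with what the provider advertises. (Added example, not module code.)
 */
function checkProvider(array $settings, array $discovery): array
{
    $problems = [];

    // Every endpoint the login flow talks to must be reachable over HTTPS.
    foreach (['issuer', 'authorization_endpoint', 'token_endpoint', 'userinfo_endpoint', 'jwks_uri'] as $key) {
        if (! isset($discovery[$key])) {
            $problems[] = "discovery document does not contain $key";
        } elseif (parse_url($discovery[$key], PHP_URL_SCHEME) !== 'https') {
            $problems[] = "$key is not served over HTTPS: {$discovery[$key]}";
        }
    }

    // The Redirect URL is where the provider sends the authorization code back to;
    // it has to be HTTPS as well.
    if (parse_url($settings['redirect_url'], PHP_URL_SCHEME) !== 'https') {
        $problems[] = "redirect URL is not HTTPS: {$settings['redirect_url']}";
    }

    // Every scope listed in "OAuth Scopes" has to be offered by the provider.
    $wanted = preg_split('/\s+/', trim($settings['scopes']), -1, PREG_SPLIT_NO_EMPTY);
    if (! in_array('openid', $wanted, true)) {
        $problems[] = 'scope list does not contain "openid"';
    }
    foreach (array_diff($wanted, $discovery['scopes_supported'] ?? []) as $scope) {
        $problems[] = "scope \"$scope\" is not listed in scopes_supported";
    }

    // claims_supported is optional in OIDC Discovery, so only check it when the
    // provider publishes it: the username claim, and the groups claim if group
    // mapping is enabled, should be present.
    if (isset($discovery['claims_supported'])) {
        $needed = [$settings['username_field']];
        if ($settings['map_groups']) {
            $needed[] = $settings['groups_field'];
        }
        foreach (array_diff($needed, $discovery['claims_supported']) as $claim) {
            $problems[] = "claim \"$claim\" is not listed in claims_supported";
        }
    }

    return $problems;
}

// Settings as entered in the "Basic Settings" form (constructed values,
// key names are this example's own).
$settings = [
    'scopes'         => 'openid profile offline_access groups',
    'redirect_url'   => 'https://example.com/sso/oidc/redirection-endpoint',
    'username_field' => 'preferred_username',
    'map_groups'     => true,
    'groups_field'   => 'groups',
];

// Constructed discovery document standing in for the JSON a provider serves
// at /.well-known/openid-configuration. It deliberately has an HTTP
// userinfo endpoint and does not offer the "groups" scope.
$discovery = [
    'issuer'                 => 'https://idp.example.net',
    'authorization_endpoint' => 'https://idp.example.net/oauth/authorize',
    'token_endpoint'         => 'https://idp.example.net/oauth/token',
    'userinfo_endpoint'      => 'http://idp.example.net/oauth/userinfo',
    'jwks_uri'               => 'https://idp.example.net/oauth/discovery/keys',
    'scopes_supported'       => ['openid', 'profile', 'email', 'offline_access'],
    'claims_supported'       => ['sub', 'preferred_username', 'groups'],
];

$problems = checkProvider($settings, $discovery);
if ($problems === []) {
    echo "provider settings look consistent\n";
}
foreach ($problems as $problem) {
    echo "PROBLEM: $problem\n";
}
```

Run with `php check-provider.php`; with the constructed input it reports the plain-HTTP userinfo endpoint and the missing `groups` scope. A missing scope is the usual reason the Groups Field claim never arrives: the provider has to be configured to grant it, as the table says.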

Advanced Settings

| Field | Description | Example |
|---|---|---|
| Username Search Regex | PCRE regex to match against the upstream username | /^(.*)$/i |
| Username Search Replacement | Replacement string; back-references like ${1} are supported | gitlab-user-${1} |
| Group Name Search Regex | PCRE regex to match against upstream group names | /^(.*)$/i |
| Group Name Search Replacement | Replacement string; back-references like ${1} are supported | gitlab-group-${1} |
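The script below is an added example, not code from the Icinga Web SSO module, and it covers two points from this page: the ID-token-first, userinfo-fallback claim lookup, and the search regex / replacement pairs, applied with PHP's `preg_replace()`, which is what a PCRE pattern with delimiters and flags and a `${1}` back-reference maps to. The provider array keys, the `claim()`/`mapName()`/`resolveUser()` helpers and the claim samples are this example's own; the module's internal names are not shown on this page. The group regex goes beyond the table's default to show a realistic rewrite: it keeps only the part of a GitLab group path after `icinga/`. Whether the module drops names that do not match the search regex is not stated on this page; `preg_replace()` itself returns a non-matching subject unchanged, and the example shows that.

```php
<?php
declare(strict_types=1);

/**
 * Read one claim, first from the ID token and then from the userinfo
 * response (null when the userinfo endpoint was not queried).
 * Added example helper, not part of the module.
 */
function claim(string $name, array $idToken, ?array $userinfo)
{
    if (array_key_exists($name, $idToken)) {
        return $idToken[$name];
    }
    return $userinfo[$name] ?? null;
}

/**
 * Apply a "Search Regex" / "Search Replacement" pair. The regex carries its
 * own delimiters and flags (e.g. /^(.*)$/i) and the replacement may use ${1}
 * back-references, which is exactly what preg_replace() accepts. Note that
 * preg_replace() returns a non-matching subject unchanged, so the pair
 * rewrites names but does not filter them.
 */
function mapName(string $regex, string $replacement, string $value): string
{
    $mapped = preg_replace($regex, $replacement, $value);
    if ($mapped === null) {
        // null means the pattern is invalid or PCRE hit an error
        throw new RuntimeException("invalid search regex: $regex");
    }
    return $mapped;
}

/**
 * Build the local username and group list from the provider settings,
 * the ID token claims and the userinfo claims.
 */
function resolveUser(array $provider, array $idToken, ?array $userinfo): array
{
    $upstream = claim($provider['username_field'], $idToken, $userinfo);
    if (! is_string($upstream) || $upstream === '') {
        throw new RuntimeException("claim {$provider['username_field']} missing from ID token and userinfo");
    }

    $user = [
        'username' => mapName($provider['username_regex'], $provider['username_replacement'], $upstream),
        'groups'   => [],
    ];

    if ($provider['map_groups']) {
        $groups = claim($provider['groups_field'], $idToken, $userinfo) ?? [];
        foreach ((array) $groups as $group) {
            $user['groups'][] = mapName($provider['group_regex'], $provider['group_replacement'], (string) $group);
        }
    }

    return $user;
}

// Provider settings as in the two tables above (constructed; key names are
// this example's own). The group regex keeps only the part after "icinga/".
$provider = [
    'username_field'       => 'preferred_username',
    'map_groups'           => true,
    'groups_field'         => 'groups',
    'username_regex'       => '/^(.*)$/i',
    'username_replacement' => 'gitlab-user-${1}',
    'group_regex'          => '/^icinga\/(.+)$/',
    'group_replacement'    => 'gitlab-group-${1}',
];

// Constructed claims: the ID token carries the username but no groups, so
// the groups are taken from the userinfo response instead.
$idToken  = ['sub' => '42', 'preferred_username' => 'jdoe'];
$userinfo = ['sub' => '42', 'groups' => ['icinga/ops', 'icinga/dev', 'partners/audit']];

print_r(resolveUser($provider, $idToken, $userinfo));
```

With this input the username becomes `gitlab-user-jdoe` and the groups `gitlab-group-ops` and `gitlab-group-dev`, while `partners/audit` does not match the group regex and is passed through as-is. If a group name that reaches Icinga Web unchanged would collide with a locally defined group or role, anchor the regex so that only the intended names match, and check the result in the user's group list after the first login.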

Security Notes

  • Managing providers requires the config/modules permission.
  • Client secrets are stored in plain text in /etc/icingaweb2/modules/sso/providers.ini. Restrict read access to that file to the user the web server runs as.
  • Installing the PHP openssl extension is strongly recommended so that the random values the login flow depends on are generated from a cryptographically strong source.
  • The module relies on HTTPS for transport security. Do not use HTTP providers in production!