Configuration
Provider configurations are stored in /etc/icingaweb2/modules/sso/providers.ini
and are managed through the Icinga Web frontend.
Adding a Provider
- Navigate to Configuration → Modules → sso → Providers → New.
- Fill in the required fields (see below).
- Click Save. Icinga Web SSO will first contact the provider’s discovery endpoint to validate connectivity.
Provider Settings
Basic Settings
| Field | Description | Example |
|---|---|---|
| Name | Display name shown on the login button | GitLab |
| Base URL | URL of the OpenID Connect provider | https://git.icinga.com/.well-known/openid-configuration |
| Client ID | Generated by the OIDC provider | deadbeefc0decafecafec0debeefdead |
| Client Secret | Generated by the OIDC provider | gloas-cafec0debeefdeaddeadbeefc0decafe |
| OAuth Scopes | Space-separated; configure these in the OIDC provider! | openid profile offline_access groups |
| Redirect URL | Auto-filled; configure the same in the OIDC provider! | https://example.com/sso/oidc/redirection-endpoint |
| Username Field | Claim that holds the username | preferred_username |
| Map Groups | Import group memberships from the provider | yes/no |
| Groups Field | Claim that holds the list of groups | groups |
Claims are first read from the ID token. If a required claim is absent there, Icinga Web SSO automatically falls back to the provider’s userinfo endpoint.
Advanced Settings
| Field | Description | Example |
|---|---|---|
| Username Search Regex | PCRE regex to match against the upstream username | /^(.*)$/i |
| Username Search Replacement | Replacement string; back-references like ${1} are supported | gitlab-user-${1} |
| Group Name Search Regex | PCRE regex to match against upstream group names | /^(.*)$/i |
| Group Name Search Replacement | Replacement string; back-references like ${1} are supported | gitlab-group-${1} |
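The following PHP script is an added example and not code from the Icinga Web SSO module. It illustrates two things from the settings above together: the claim lookup order (ID token first, then the userinfo endpoint) and how a Search Regex / Search Replacement pair rewrites upstream usernames and group names with PCRE and `${1}`-style back-references, which is the syntax `preg_replace()` understands. The `$settings` array keys, the function names and the claim sets are constructed for this example and are not the module's ini keys or API.

```php
<?php
declare(strict_types=1);

// Added example (not part of the Icinga Web SSO module). Settings keys below
// are hypothetical; the values mirror the Provider Settings tables.

/**
 * Read a claim, preferring the ID token and falling back to the userinfo
 * response, mirroring the lookup order described in the documentation.
 */
function resolveClaim(array $idTokenClaims, array $userinfoClaims, string $field): mixed
{
    if (array_key_exists($field, $idTokenClaims)) {
        return $idTokenClaims[$field];
    }
    return $userinfoClaims[$field] ?? null;
}

/**
 * Apply a "Search Regex" / "Search Replacement" pair with preg_replace().
 * The regex carries its own delimiters and flags (e.g. /^(.*)$/i) and the
 * replacement may use ${1}-style back-references. Returns null when the
 * pattern does not match, so the caller can reject the name instead of
 * silently passing the unmapped upstream value through.
 */
function rewriteName(string $name, string $regex, string $replacement): ?string
{
    $count = 0;
    $result = preg_replace($regex, $replacement, $name, 1, $count);
    if ($result === null) {
        throw new InvalidArgumentException('Invalid regex: ' . preg_last_error_msg());
    }
    return $count === 0 ? null : $result;
}

/**
 * Turn the raw claims of one login into the local username and group list.
 * Unmatched groups are dropped; an unmatched username aborts the login.
 */
function mapIdentity(array $settings, array $idTokenClaims, array $userinfoClaims): array
{
    $upstreamUser = resolveClaim($idTokenClaims, $userinfoClaims, $settings['username_field']);
    if (!is_string($upstreamUser) || $upstreamUser === '') {
        throw new RuntimeException('Username claim missing from both ID token and userinfo');
    }

    $username = rewriteName($upstreamUser, $settings['username_regex'], $settings['username_replacement']);
    if ($username === null) {
        throw new RuntimeException("Upstream username '{$upstreamUser}' does not match the Username Search Regex");
    }

    $groups = [];
    if ($settings['map_groups']) {
        $upstreamGroups = resolveClaim($idTokenClaims, $userinfoClaims, $settings['groups_field']) ?? [];
        foreach ((array) $upstreamGroups as $group) {
            $mapped = rewriteName((string) $group, $settings['group_regex'], $settings['group_replacement']);
            if ($mapped !== null) {
                $groups[] = $mapped;
            }
        }
    }

    return ['username' => $username, 'groups' => $groups];
}

// Hypothetical settings; the regexes and replacements are taken from the tables above,
// except the group regex, which is narrowed to one namespace to show a filtering use.
$settings = [
    'username_field'       => 'preferred_username',
    'username_regex'       => '/^(.*)$/i',
    'username_replacement' => 'gitlab-user-${1}',
    'map_groups'           => true,
    'groups_field'         => 'groups',
    'group_regex'          => '/^icinga\/(.+)$/',
    'group_replacement'    => 'gitlab-group-${1}',
];

// Constructed sample claims: the ID token carries the username but no groups,
// so the group list has to come from the userinfo response.
$idTokenClaims  = ['sub' => '42', 'preferred_username' => 'jdoe'];
$userinfoClaims = ['sub' => '42', 'groups' => ['icinga/admins', 'icinga/ops', 'other/team']];

print_r(mapIdentity($settings, $idTokenClaims, $userinfoClaims));
```

Two design choices are worth noting. A username that does not match the Username Search Regex is rejected rather than used verbatim, so a restrictive regex cannot be bypassed by an unexpected upstream value; and groups that do not match the Group Name Search Regex are simply not imported, which is how a narrowed regex such as the one above limits group mapping to a single upstream namespace.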
Security Notes
- Managing providers requires the config/modules permission.
- Client secrets are stored in plain text in /etc/icingaweb2/modules/sso/providers.ini.
- Installing the openssl extension is strongly recommended for better random values.
- The module relies on HTTPS for transport security. Do not use HTTP providers in production!