Luke Gripenberg – Senior Consultant
When it comes to ITRS OP5 Monitor, most users use either Active Directory or a local database for user authentication. But both these solutions have their limitations:
Local user authentication
- must be configured manually
- end up having lots of different passwords
- 2-factor authentication is not supported
- must be off-boarded
- end up typing their passwords into all kinds of different login dialogs
- 2-factor authentication requires third-party software
But what if your users are all in a cloud-hosted user database such as Google, Okta or Azure AD? This is where ITRS OP5 Monitor’s Header Authentication comes in. It authenticates users from HTTP headers that are passed whenever pages are loaded, so the sign-in process is completely transparent to the user. By combining this with a proxy server and an authentication system, you can implement single sign-on.
How do I configure this?
- nginx – This web server acts as a proxy server and uses its auth_request module to make sure only authorized users can access ITRS OP5 Monitor
- vouch-proxy – This tiny authentication server authorizes users and supports 13+ authentication sources
- docker (optional) – Used to provide a standardized environment for vouch-proxy which is easy to update
ITRS OP5 Monitor
Modify your /etc/op5/auth.yaml configuration file so that it includes the following lines:
You’ll then need to configure Apache to listen only on localhost; otherwise any user who can reach Apache directly can simply pass the right headers to impersonate other users.
echo -e 'Listen 127.0.0.1:10080\nListen 127.0.0.1:10443 https' > /etc/httpd/conf.d/ports.conf
Then restart Apache2.
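A quick check after the restart, as an added example that is not part of the original article: it reads `ss -Htlnp` output and lists every Apache listener that is not bound to loopback, since any such socket accepts authentication headers straight from clients. The process name `httpd` is an assumption, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original article).
# Lists Apache listeners that are reachable from outside the host.
# Input: output of `ss -Htlnp` on stdin (run ss as root so owners are shown).
# Assumption: the Apache process is named "httpd" (RHEL-family naming).

exposed_httpd_listeners() {
    awk '
        $NF !~ /"httpd"/ { next }        # skip sockets not owned by Apache
        {
            addr = $4                    # field 4 is Local-Address:Port
            sub(/:[0-9]+$/, "", addr)    # drop the port
            sub(/%.*$/, "", addr)        # drop an interface suffix such as %lo
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./)
                next                     # loopback only: not reachable remotely
            print $4                     # wildcard or routable address: exposed
        }'
}

# Constructed sample: two loopback listeners from ports.conf, one leftover
# wildcard Apache listener, and the nginx front end (ignored, not httpd).
SAMPLE_SS_OUTPUT='LISTEN 0 511 127.0.0.1:10080 0.0.0.0:* users:(("httpd",pid=2114,fd=3))
LISTEN 0 511 127.0.0.1:10443 0.0.0.0:* users:(("httpd",pid=2114,fd=5))
LISTEN 0 511 *:80 *:* users:(("httpd",pid=2114,fd=4))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1893,fd=6))'

printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_httpd_listeners   # prints *:80

# On the live host: ss -Htlnp | exposed_httpd_listeners
```

An empty result is the goal; any line printed is a socket where a client could bypass nginx and supply the authentication header itself.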
nginx Proxy server
Modify your nginx configuration, see our example configuration file here.
Configure vouch-proxy and add your Google OIDC credentials:
# get credentials from https://console.developers.google.com/apis/credentials
After this you should be able to browse to https://op5.example.com/monitor/ and login with your Google credentials.
Should you need any assistance configuring SSO for your ITRS OP5 Monitor environment or support for group assignment, please don’t hesitate to contact us.
About the author
Deep knowledge of Icinga, op5 Monitor and Nagios. Plugin developer and automation engineer with focus on Ansible.