check-mk saml auth with entra-id as idp #1048

Open
Hstrohi opened this issue Jul 19, 2024 · 9 comments

@Hstrohi

Hstrohi commented Jul 19, 2024

We are preparing the update from check_mk 2.2 to 2.3.

https://docs.checkmk.com/latest/en/update_major.html

One of the preparation steps is to get rid of the authentication with the apache `mod_auth_mellon` module and switch to the built-in SAML authentication from check-mk. With version 2.3.0, `mod_auth_mellon` is no longer delivered with the check-mk software. So this one is a must.

https://docs.checkmk.com/latest/en/saml.html#saml_cee

After setting that up as documented with entra-id as IdP, the authentication works like a charm in the web frontend, but is not working anymore with nagstamon.
When accessing the web-ui there is now an extra button above the username/password fields which allows you to choose "login with entra-id".

Any ideas on this one? Is this something that we have to address to the check-mk support, because the check_mk/login.py does not support this one already for the automated nagstamon calls? Or is that something that has to be added in the nagstamon framework?

Really appreciate your reply, because nagstamon is so important for us that we paused our update plans, and check-mk version 2.2 is running out of support in October.

@HenriWahl
Owner

Hi @Hstrohi,
this is a good question. With the latest Checkmk we also face the SAML auth but delayed it for users of Nagstamon. Right now there is no code existing yet, but we need this feature too, so there are chances that it will find its way into Nagstamon. If you have any resources to support this or some experimental code already, this would help.

@Hstrohi
Author

Hstrohi commented Jul 23, 2024

Thank you for your quick response @HenriWahl! Unfortunately we do not have the coding skills to support you with code snippets, but if there is anything else we can do to support the development (like testing, providing logs, etc.) please let us know.

@HenriWahl
Owner

@Hstrohi this is really going to be interesting.
Right now I am abroad, so I won't find time in the next 2 weeks. But maybe it is a good starting point to ask Checkmk support if they have any idea how this could be realized.

@realasmo

Hello @HenriWahl, any hope for nagstamon to support Entra ID for Icinga?

@Hstrohi
Author

Hstrohi commented Sep 19, 2024

@HenriWahl just wanted to get back to you with an actual status. After weeks of waiting for feedback from our check-mk partner, the outcome is very poor. We were told that they discussed the problem with tribe29 (check-mk creator) and the feedback is that they see this one not as an urgent topic. Not very satisfying for all of us. Seems that we have a showstopper here and I really do not have a clue what step would be next. Any ideas?

@HenriWahl
Owner

@Hstrohi this is bad news. Right now I did not find the time yet to look further. I plan to check this in autumn before our setup also moves to single-sign-on.

@HenriWahl
Owner

@realasmo honestly the situation is even worse than with Checkmk because I neither have access to EntraID nor Icinga, so I can't tell. Maybe someone else finds a solution?

@HenriWahl
Owner

Maybe #953 can help here but I was not able yet to fully check this.

@HenriWahl
Owner

The easiest solution would be that Checkmk allows several ways of login in parallel.
