This article addresses a common issue that occurs when integrating Zabbix with Okta and Cloudflare Zero Trust. The problem arises when the custom domain is set up in Okta after the Cloudflare Zero Trust integration. Zabbix then uses the custom domain Single Sign-On (SSO) URL, which causes double authentication because the two domains use different session cookies. The issue can also occur in the reverse order.
- Zabbix (SAML)
- Cloudflare Zero Trust (OIDC)
- Custom Domain
- Single Sign-On (SSO)
The issue stems from a discrepancy in session cookies. When authentication to Zero Trust is performed via the default Okta domain and Zabbix uses the custom domain, two distinct session cookies are generated, even though both domains lead to the same Okta tenant.
To resolve this issue in Zabbix, follow these steps:
- Navigate to Administration/Users (this may vary depending on the Zabbix version).
- Select Authentication.
- Go to SAML Settings.
- In the SSO service URL, the domain must be adjusted according to the specific setup.
  - If the SSO service URL follows the format https://your.custom-domain.com/app/.../sso/saml, replace your.custom-domain.com with subdomain.okta.com.
  - If the SSO service URL follows the format https://subdomain.okta.com/app/.../sso/saml, replace subdomain.okta.com with your.custom-domain.com.
By completing these steps, it should be possible to integrate Zabbix SSO with Okta and Cloudflare Zero Trust without the double authentication issue.
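The host comparison behind the steps above, as an added example (not part of the original article or of any Zabbix, Okta or Cloudflare tooling): it checks whether the Zabbix SSO service URL uses the same Okta host as the one Cloudflare Zero Trust authenticates against and returns the URL to enter in SAML Settings. The function names and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit


def https_host(url: str) -> str:
    """Return the lowercase hostname of an https URL, rejecting anything else."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https URL with a host, got {url!r}")
    return parts.hostname.lower()


def check_sso_alignment(zabbix_sso_url: str, zero_trust_okta_url: str) -> dict:
    """Compare the Okta host Zabbix uses with the one Zero Trust authenticates against.

    Each host gets its own Okta session cookie, so a mismatch means a second
    login even though both hosts reach the same tenant.
    """
    zabbix_host = https_host(zabbix_sso_url)
    zero_trust_host = https_host(zero_trust_okta_url)
    parts = urlsplit(zabbix_sso_url.strip())
    path = parts.path.rstrip("/")
    if not (path.startswith("/app/") and path.endswith("/sso/saml")):
        raise ValueError("SSO service URL does not match /app/.../sso/saml")
    # Swap only the host; the application path must stay exactly as Okta issued it.
    corrected = urlunsplit(("https", zero_trust_host, parts.path, parts.query, ""))
    return {
        "aligned": zabbix_host == zero_trust_host,
        "zabbix_host": zabbix_host,
        "zero_trust_host": zero_trust_host,
        "sso_service_url": corrected,
    }


# Constructed sample values, not taken from a real tenant.
SAMPLE_ZABBIX_SSO_URL = "https://your.custom-domain.com/app/zabbix/exk0constructed/sso/saml"
SAMPLE_ZERO_TRUST_OKTA_URL = "https://subdomain.okta.com"

if __name__ == "__main__":
    result = check_sso_alignment(SAMPLE_ZABBIX_SSO_URL, SAMPLE_ZERO_TRUST_OKTA_URL)
    if result["aligned"]:
        print("Hosts match; no change needed.")
    else:
        print(f"Mismatch: Zabbix uses {result['zabbix_host']}, "
              f"Zero Trust uses {result['zero_trust_host']}")
        print(f"Set the SSO service URL to: {result['sso_service_url']}")
```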
