Dear All,
In our company policy, I have a bit of a stringent requirement. Currently, I've implemented SSO login to the Cacti so all our company members can log in with their Azure ID, but I also have some customers that want to access our Cacti and have local accounts.
The question is now. Is there a way to implement both local and SSO? Web Basic authentication is really limited to one.
Do you have any suggestions on how to implement it?
Perhaps there is some plugin or extension that can comply with this?
Some platforms support both ways, as shown in the attachment.
Additionally, is there any subject going on with a cacti that, in the future, will have better support for SAML/SSO?
Cacti SSO and Local Accounts
Moderators: Developers, Moderators
-
- Posts: 9
- Joined: Fri Oct 27, 2023 8:42 am
Cacti SSO and Local Accounts
- Attachments
-
- image (2).png (8.46 KiB) Viewed 1222 times
- TheWitness
- Developer
- Posts: 17047
- Joined: Tue May 14, 2002 5:08 pm
- Location: MI, USA
- Contact:
Re: Cacti SSO and Local Accounts
I've set this up with certain customers in Cacti 1.2.15+. You have to use the OpenIDT Apache plugin module + Cacti basic authentication. Sadly for me, I never captured the full instructions.
Cacti 1.3 will have MFA/TFA, or at least it's proto-typed for it right now.
Cacti 1.3 will have MFA/TFA, or at least it's proto-typed for it right now.
True understanding begins only when we realize how little we truly understand...
Life is an adventure, let yours begin with Cacti!
Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages
For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
Life is an adventure, let yours begin with Cacti!
Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages
For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
-
- Posts: 9
- Joined: Fri Oct 27, 2023 8:42 am
Re: Cacti SSO and Local Accounts
What I understand is "Cacti basic authentication" its the local one, right, or have you still referred to the Web Basic? If that is what I think then It could be a great solution until Cacti supports MFA/TFA.
Anyway thank you for your answer.
Anyway thank you for your answer.
- TheWitness
- Developer
- Posts: 17047
- Joined: Tue May 14, 2002 5:08 pm
- Location: MI, USA
- Contact:
Re: Cacti SSO and Local Accounts
It is not the local one. You have to be very careful converting to 'Web Basic' or 'Basic' authentication in Cacti. You fist have to ensure that the basic module is working, and then create a new 'admin' account with the username of the admin using Web Basic.
Then, you have to install and configure OpenIDT Apache Module. Once the OpenIDT is working, when you access Cacti's `index.php` you should be redirected to Azure to get a valid token. Azure will want to send a redirect back to Cacti, and that's where I forgot the procedure, the redirect needs to simply go to the page you pointed to.
Once you have that working, and before you 'switch' Cacti to using Web Basic, that redirect should take you back to the Cacti login page where you can login with your local credential.
Once you get an Azure token and can again login to local, you can simply switch Cacti to Web Basic authentication ensuring that the 'Template' account is good.
Before you switch, if the Azure ID's are the same as your existing 'local' accounts, you can simply Edit the accounts one at a time and switch them to Basic accounts to preserve all your users settings.
If you break things, the quick fix is to do the following:
That SQL command will put you back into Local Authentication.
I'm afraid until someone commits a How-To for OpenIDT to our Documentation GitHub page for services like Azure and others, you will have to feel your way though. However, what I can most certainly tell you is that it works. We just don't have the How-To published on https://docs.cacti.net.
Then, you have to install and configure OpenIDT Apache Module. Once the OpenIDT is working, when you access Cacti's `index.php` you should be redirected to Azure to get a valid token. Azure will want to send a redirect back to Cacti, and that's where I forgot the procedure, the redirect needs to simply go to the page you pointed to.
Once you have that working, and before you 'switch' Cacti to using Web Basic, that redirect should take you back to the Cacti login page where you can login with your local credential.
Once you get an Azure token and can again login to local, you can simply switch Cacti to Web Basic authentication ensuring that the 'Template' account is good.
Before you switch, if the Azure ID's are the same as your existing 'local' accounts, you can simply Edit the accounts one at a time and switch them to Basic accounts to preserve all your users settings.
If you break things, the quick fix is to do the following:
Code: Select all
UPDATE settings SET value='1' WHERE name='auth_method';
I'm afraid until someone commits a How-To for OpenIDT to our Documentation GitHub page for services like Azure and others, you will have to feel your way though. However, what I can most certainly tell you is that it works. We just don't have the How-To published on https://docs.cacti.net.
True understanding begins only when we realize how little we truly understand...
Life is an adventure, let yours begin with Cacti!
Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages
For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
Life is an adventure, let yours begin with Cacti!
Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages
For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
-
- Posts: 2
- Joined: Tue Nov 21, 2023 8:06 am
Re: Cacti SSO and Local Accounts
Set up a reverse proxy in front of Cacti and handle authentication at the proxy level. This way, you can configure different authentication methods for different paths. For example, you can use SSO for a specific path (e.g., /sso) and basic authentication for other paths. Develop or look for a custom authentication plugin or module for Cacti that supports SAML/SSO. Depending on your requirements, you might need to develop this in-house or explore community-contributed plugins.
Check the official Cacti forums, GitHub repository, or community discussions for any ongoing developments or feature requests related to SAML/SSO support. Sometimes, developers in the community contribute new features or plugins.
Check the official Cacti forums, GitHub repository, or community discussions for any ongoing developments or feature requests related to SAML/SSO support. Sometimes, developers in the community contribute new features or plugins.
Who is online
Users browsing this forum: No registered users and 3 guests