Multi-Factor Authentication (2FA/MFA) for Zabbix – SAML

Last updated on September 18, 2025

Overview

Zabbix 2FA allows you to add an extra layer of security to your Zabbix logins. This document explains how to enable Rublon Multi-Factor Authentication (MFA) for users who log in to Zabbix. Rublon integrates with Zabbix using the Rublon Access Gateway. This document describes all required steps.

Supported Authentication Methods

Authentication Method	Supported	Comments
Mobile Push	✔	N/A
WebAuthn/U2F Security Key	✔	N/A
Passcode	✔	N/A
SMS Passcode	✔	N/A
SMS Link	✔	N/A
Phone Call	✔	N/A
QR Code	✔	N/A
Email Link	✔	N/A
YubiKey OTP Security Key	✔	N/A

Demo Video

Before you start

• Ensure you have installed and fully configured Zabbix
• Install php-openssl
• Install and configure Rublon Access Gateway before configuring Zabbix to work with it. Read the Rublon Access Gateway documentation and follow the steps in the Installation and Configuration sections. Then, follow the Configuration section in this document.

Configuration

Follow these steps to enable Rublon 2FA on Zabbix.

Zabbix Server

1. From the Zabbix root web directory, go to conf/certs.

2. The conf/certs directory should contain the following files:

• sp.crt – Zabbix domain certificate
• sp.key– Zabbix domain private key
• idp.crt – a certificate you can download from Rublon Access Gateway (Applications → Information for configuring applications with Rublon Access Gateway → DOWNLOAD CERTIFICATE)

3. Ensure all three preceding files have the 644 permission.

To see if the file has the 644 permission, use the following command:

ls -alh

To set the 644 permission, use the following command:

chmod 644 <filename>

4. Go to the conf directory and open the zabbix.conf.php configuration file.

5. At the very end of the file, uncomment the lines for SAML.

Zabbix Frontend

1. Log in to the Zabbix admin panel.

2. In the left pane, select Administration → Authentication.

3. Select the SAML settings tab.

4. Check Enable SAML authentication and fill in the form. Refer to the following image and table.

IdP entity ID	Enter the value of Entity ID from Rublon Access Gateway (Applications → Information for configuring applications with Rublon Access Gateway).
SSO service URL	Enter the value of SSO URL from Rublon Access Gateway (Applications → Information for configuring applications with Rublon Access Gateway).
SLO service URL	Enter the value of Logout URL from Rublon Access Gateway (Applications → Information for configuring applications with Rublon Access Gateway).
Username attribute	The name of the parameter containing the username in the authentication source you use. For example, if you use Active Directory, enter cn.
SP entity ID	Enter the name of your domain or e.g., zabbix. Note that the SP entity ID you set here must  be the same as the Entity ID field in the Rublon Access Gateway later on during configuration.

5. Click Update to save your SAML settings.

Rublon Access Gateway

1. In Rublon Access Gateway, go to Applications → Add application.

2. Fill in the form and click SAVE to add a new application. Refer to the following image and table.

Application name	Enter a name for the application, e.g. Zabbix. This name will be displayed on the Rublon Prompt and Mobile Push authentication requests during Rublon 2FA.
Entity ID	Enter the name of your domain or e.g., zabbix. Note that the Entity ID you set here must be the same as the SP entity ID field in the Zabbix configuration.
Assertion Consumer Service	<path_to_zabbix_ui>/index_sso.php?acs Remember to replace <path_to_zabbix_ui> with your actual path, e.g., https://domain.com/zabbix/index_sso.php?acs
Single Logout Service	<path_to_zabbix_ui>/index_sso.php?sls Remember to replace <path_to_zabbix_ui> with your actual path, e.g., https://domain.com/zabbix/index_sso.php?sls
Relay State	Leave empty.
NameID format	Leave the default value. Zabbix does not support the NameID anyway.
NameID attribute	Leave empty.
Send Attributes	All attributes
Signature algorithm	sha-512
Validate AuthnRequest	Check.
Sign response	Check.
Sign assertion	Check.
Certificate for signing	Upload your Zabbix certificate (the sp.crt file from the conf/certs directory)
Certificate for encryption	Upload your Zabbix certificate (the sp.crt file from the conf/certs directory)
Map attributes	Leave empty.

3. Your configuration is complete. You can now test your Zabbix 2FA integration.

Test Your Zabbix Integration

It’s time to test your configuration.

1. Go to your Zabbix Domain and click Sign in with Single Sign-On (SAML) at the bottom of the login form.

2. Rublon will redirect you to the Rublon Access Gateway login page.

3. Provide your username and password. Click SIGN IN. A window will appear with various 2FA options from Rublon. Let’s choose Mobile Push.

4. Rublon will send a Mobile Push authentication request to your phone. Tap APPROVE.

5. You will be successfully logged in to Zabbix.

Test Your Zabbix Login via the Rublon SSO Portal

If your Rublon 2FA works correctly, we recommend you also test logging in to Zabbix via the Rublon SSO Portal. You must configure the SSO Portal before you test this scenario. Refer to the Rublon SSO Portal documentation for all required information.

1. Open the Rublon SSO Portal in your web browser. You will be redirected to a login page.

2. Provide your username and password, and click SIGN IN.

3. A window will appear with various 2FA options from Rublon. Let’s choose Mobile Push.

4. You will receive a push notification. Tap APPROVE.

5. You will be logged in to the Rublon SSO Portal.

6. Click the Zabbix application tile.

7. Rublon will ask you to select the second-factor authentication method. Let’s select Mobile Push again.

8. Receive a Mobile Push and tap APPROVE.

9. You will be successfully logged in to Zabbix.

Troubleshooting

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Access Gateway

Rublon Access Gateway – Integrations