ContextQMD
Back to Authentik

Integrate with Observium

website/integrations/monitoring/observium/index.md

latest5.4 KB
Original Source

What is Observium

Observium is a network monitoring and management platform that provides real-time insight into network health and performance.

-- https://observium.org

:::info This is based on authentik 2024.6.0 and Observium CE 24.4.13528 :::

Preparation

The following placeholders are used in this guide:

  • observium.company is the FQDN of the Observium installation.
  • authentik.company is the FQDN of the authentik installation.

:::info This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. :::

This guide assumes you already have a working Observium instance. It is recommended to install it with the install script, following the instructions on Observium's website.

Apache2 comes bundled with Observium, but there is also a third party module, mod_auth_openidc, which is needed for this configuration to work. Download the latest release of the project suitable for your machine.

This guide uses libapache2-mod-auth-openidc_2.4.15.7-1.bookworm_amd64.deb as an example.

Install the package:

bash
apt install ./libapache2-mod-auth-openidc_2.4.15.7-1.bookworm_amd64.deb

authentik configuration

To support the integration of Observium with authentik, you need to create an application/provider pair in authentik.

Create an application and provider in authentik

  1. Log in to authentik as an administrator and open the authentik Admin interface.
  2. Navigate to Applications > Applications and click Create with Provider to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
  • Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
  • Choose a Provider type: select OAuth2/OpenID Connect as the provider type.
  • Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    • Note the Client ID, Client Secret, and slug values because they will be required later.
    • Set a Strict redirect URI to https://observium.company/secure/redirect_uri. Note that the Redirect URI can be anything, as long as it does not point to existing content.
    • Select any available signing key.
  • Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's My applications page.
  1. Click Submit to save the new application and provider.

Observium configuration

  1. Edit the file /etc/apache2/sites-available/000-default.conf and add the following lines:

    apacheconf
    <VirtualHost *:80>
    ...

    OIDCProviderMetadataURL https://authentik.company/application/o/observium/.well-known/openid-configuration
    OIDCClientID <Client ID>
    OIDCClientSecret <Client Secret>
    OIDCRedirectURI https://observium.company/secure/redirect_uri
    OIDCCryptoPassphrase <Random string for security>
    OIDCCookieDomain observium.company
    OIDCXForwardedHeaders X-Forwarded-Host X-Forwarded-Proto
    OIDCPathScope "openid email profile"
    OIDCRemoteUserClaim preferred_username ^(.*)$ $1@authentik

    <Location />
    AuthType openid-connect
    Require valid-user
    </Location>

    ...
</VirtualHost>

    Meaning of variables:

    • OIDCRedirectURI is the same URI that is set for the authentik Provider.
    • The OIDCCryptoPassphrase directive should be set to a random string, for more information, see the official documentation.
    • OIDCXForwardedHeaders is necessary if your instance is behind a reverse proxy. If omitted, the module does not accept information from these headers.
    • OIDCRemoteUserClaim tells the module how to construct a username based on your claims. The first argument selects the claim, while the second and third are RegEx search and replace expressions. More info

  2. Edit the Observium configuration. By default, it should be located at /opt/observium/config.php.

    Edit the following line:

    php
    $config['auth_mechanism'] = "remote";

    Add the following lines:

    php
    $config['auth_remote_userlevel'] = 10;
$config['auth_remote_logout_url'] = "https://authentik.company/application/o/observium/end-session/";

    With this method, you can only assign one permission level to all users. Since Observium permits only a single authentication mechanism to be selected, it is recommended to set auth_remote_userlevel to 10. You can read about all of the user levels here.

  3. Restart the Apache2 service:

    bash
    service apache2 restart

    Now you should be able to log in to your Observium instance using authentik.