Opsview Monitor 6.5.4 and later supports the authentication of users via an OAuth2 provider, such as Okta or Azure AD.

## OAuth2 Provider Configuration Process

Prior to setting up Opsview Monitor, you need to have configured your OAuth2 provider and have the following details available:

  • Client ID

  • Client secret

  • OAuth2 URLs

To configure OAuth2 authentication:

  1. On the Opsview system, modify `/opt/opsview/deploy/etc/user_vars.yml` and add the following section, where items surrounded by <> should be replaced:

These values can be set as follows:

  • `realm_id` - an identifier for this login method as will be shown on the user configuration modal. Note: this ID should not be changed once in use for users, otherwise they will no longer be able to log in.

  • `client_id` - the client ID provided by the OAuth2 provider

  • `client_secret` - the client secret provided by the OAuth2 provider

  • `grant_uri` - the URL to which users should be redirected to sign in at the OAuth2 provider. Often located at /authorize

  • `token_uri` - the token URL for the third-party. Often located at /token

  • `label` - the user-friendly name for this service, which will be shown on the Login screen as “Login with <label>“

  • `scope` - the OAuth2 provider scopes that are granted when logging into the third party. Opsview simply needs access to view the user’s email address. With Okta, for example, the required scopes are openid and email

  1. Run the following to apply the configuration

## Add a User

Once the above steps have been completed, you will need to configure users to be able to log in via the OAuth2 provider.

Note: For each user, only one login mechanism can be provided

To add a user that can log in via an OAuth2 provider:

  1. Navigate to `Configuration -> Users and Roles`

  2. Click Add New

  3. Configure the user as specified in [Users](🔗), but with the following modifications:

  1. Click “Submit Changes”

## To Login

Having followed the above steps to add an OAuth2 provider, the login page will now show a button for logging into Opsview via the OAuth2 below. For example:


Example Opsview Monitor login page with OAuth2 enabled

To log in, simply click the button and enter your details with the OAuth2 provider if necessary.

# Example Configuration

## Okta

The below screenshot shows the Application view in Okta.


Example Okta configuration page

The URIs for use in the Opsview configuration are:

  • `grant_uri`: `https://<okta domain>/oauth2/v1/authorize`

  • `token_uri`: `https://<okta-domain>/oauth2/v1/token`

## Azure Active Directory

The below screenshot shows the Application Registration view in Azure Active Directory.


Example Azure Application page

The below screenshot shows the Client Credentials view in Azure Active Directory, which can be access through the Application Registration view above.


Example Azure Application Certificates page

The URIs for use in the Opsview configuration are:

  • `grant_uri`: `https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/authorize`

  • `token_uri`: `https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token`

The email address used for tying an Opsview user to an Azure user is the email address provided in the user’s “Contact Info”. The below screenshot shows the User Profile view in Azure Active Directory and the relevant email field to be used.


Example Azure user profile page

# Troubleshooting

If you are having problems with users logging in with OAuth2 providers then please check the configuration in the `user_vars.yml` carefully.

If the problems are with browser timeouts after clicking the “Log in with xxx”, then the `grant_uri` and `token_uri` parameters could be wrong, or there is a firewall preventing communication to your OAuth2 provider. You can check these by using curl or wget, although with the `token_uri` or `grant_uri` if the response hangs then you should first check the URI is correct. If you are confident it is correct, then check your firewall.