website/integrations: Observium: cleanup

Agent-thread: https://sdko.org/internal/thr/ak/019ed1a8-afe4-7f92-868f-19bdd06c0fd3 A7k-product: product A7k-product-repo: 2 Co-authored-by: Agent <gptagent@svc.sdko.net>
2026-06-17 19:09:11 +03:00 · 2026-06-16 14:28:00 -04:00
parent 52674afa8a
commit e3cee102e5
1 changed files with 36 additions and 54 deletions
@@ -12,10 +12,6 @@ import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx";
 >
 > -- https://observium.org

-:::info
-This is based on authentik 2024.6.0 and Observium CE 24.4.13528
-:::
-
 ## Preparation

 The following placeholders are used in this guide:
@@ -27,18 +23,7 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::

-This guide assumes you already have a working Observium instance. It is recommended to install it with the install script, following the [instructions](https://docs.observium.org/) on Observium's website.
-
-Apache2 comes bundled with Observium, but there is also a third party module, [mod_auth_openidc](https://github.com/OpenIDC/mod_auth_openidc), which is needed for this configuration to work.
-Download the latest [release](https://github.com/OpenIDC/mod_auth_openidc/releases) of the project suitable for your machine.
-
-This guide uses `libapache2-mod-auth-openidc_2.4.15.7-1.bookworm_amd64.deb` as an example.
-
-Install the package:
-
-```bash
-apt install ./libapache2-mod-auth-openidc_2.4.15.7-1.bookworm_amd64.deb
-```
+This guide assumes that you already have a working Observium instance served by Apache HTTP Server with [mod_auth_openidc](https://github.com/OpenIDC/mod_auth_openidc) installed and enabled. Observium does not have a native OpenID Connect integration, so this guide uses mod_auth_openidc to authenticate users with authentik and pass them to Observium through Apache `REMOTE_USER` authentication.

 ## authentik configuration

@@ -50,66 +35,54 @@ To support the integration of Observium with authentik, you need to create an ap

 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
-
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
-    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Add a **Redirect URI** of type `Strict` `Authorization` as `https://observium.company/secure/redirect_uri`. Note that the Redirect URI can be anything, as long as it does not point to existing content.
-    - Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
+    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** value because it will be required later.
+    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+        - Note the **Client ID** and **Client Secret** values because they will be required later.
+        - Add a **Redirect URI** of type `Strict` `Authorization` as `https://observium.company/secure/redirect_uri`. Note that the Redirect URI can be anything, as long as it does not point to existing content.
+        - Select any available signing key.
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.

 3. Click **Submit** to save the new application and provider.

 ## Observium configuration

-1. Edit the file `/etc/apache2/sites-available/000-default.conf` and add the following lines:
+1. Edit the Apache virtual host that serves Observium and add the following directives inside the `<VirtualHost>` block:

-    ```apacheconf
+    ```apacheconf title="/etc/apache2/sites-available/000-default.conf"
    <VirtualHost *:80>
-        ...
+        # Existing Observium configuration

-        OIDCProviderMetadataURL https://authentik.company/application/o/observium/.well-known/openid-configuration
-        OIDCClientID <Client ID>
-        OIDCClientSecret <Client Secret>
+        OIDCProviderMetadataURL https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration
+        OIDCClientID <Client ID from authentik>
+        OIDCClientSecret <Client Secret from authentik>
        OIDCRedirectURI https://observium.company/secure/redirect_uri
-        OIDCCryptoPassphrase <Random string for security>
-        OIDCCookieDomain observium.company
-        OIDCXForwardedHeaders X-Forwarded-Host X-Forwarded-Proto
-        OIDCPathScope "openid email profile"
+        OIDCCryptoPassphrase <random string>
+        OIDCScope "openid email profile"
        OIDCRemoteUserClaim preferred_username ^(.*)$ $1@authentik

        <Location />
-        AuthType openid-connect
-        Require valid-user
+            AuthType openid-connect
+            Require valid-user
        </Location>
-
-        ...
    </VirtualHost>
    ```

-    Meaning of variables:
-    - `OIDCRedirectURI` is the same URI that is set for the authentik Provider.
-    - The `OIDCCryptoPassphrase` directive should be set to a random string, for more information, see [the official documentation](https://github.com/OpenIDC/mod_auth_openidc/blob/9c0909af71eb52283f4d3797e55d1efef64966f2/auth_openidc.conf#L15).
-    - `OIDCXForwardedHeaders` is necessary if your instance is behind a reverse proxy. If omitted, the module does not accept information from these headers.
-    - `OIDCRemoteUserClaim` tells the module how to construct a username based on your claims. The first argument selects the claim, while the second and third are RegEx search and replace expressions. [More info](https://github.com/OpenIDC/mod_auth_openidc/blob/9c0909af71eb52283f4d3797e55d1efef64966f2/auth_openidc.conf#L794)
+    If Observium is behind a reverse proxy that sends `X-Forwarded-*` headers, also configure `OIDCXForwardedHeaders` with every forwarded header that reaches Apache, for example:

-2. Edit the Observium configuration. By default, it should be located at `/opt/observium/config.php`.
+    ```apacheconf
+    OIDCXForwardedHeaders X-Forwarded-Host X-Forwarded-Proto X-Forwarded-Port
+    ```

-    Edit the following line:
+2. Edit the Observium configuration:

-    ```php
+    ```php title="/opt/observium/config.php"
    $config['auth_mechanism'] = "remote";
-    ```
-
-    Add the following lines:
-
-    ```php
    $config['auth_remote_userlevel'] = 10;
-    $config['auth_remote_logout_url'] = "https://authentik.company/application/o/observium/end-session/";
+    $config['auth_remote_logout_url'] = "https://authentik.company/application/o/<application_slug>/end-session/";
    ```

-    With this method, you can only assign one permission level to all users. Since Observium permits only a single authentication mechanism to be selected, it is recommended to set `auth_remote_userlevel` to 10. You can read about all of the user levels [here](https://docs.observium.org/user_levels/).
+    With this method, Observium assigns the same permission level to all remotely authenticated users. The value `10` gives users administrator access. Choose the user level that fits your Observium access policy.

 3. Restart the Apache2 service:

@@ -117,4 +90,13 @@ To support the integration of Observium with authentik, you need to create an ap
    service apache2 restart
    ```

-    Now you should be able to log in to your Observium instance using authentik.
+## Configuration verification
+
+To confirm that authentik is properly configured with Observium, open Observium. You should be redirected to authentik and returned to Observium after a successful login.
+
+## Resources
+
+- [Observium - Authentication](https://docs.observium.org/authentication/)
+- [Observium - User Levels](https://docs.observium.org/user_levels/)
+- [mod_auth_openidc - How to Use It](https://github.com/OpenIDC/mod_auth_openidc#how-to-use-it)
+- [mod_auth_openidc - Configuration Options](https://github.com/OpenIDC/mod_auth_openidc/blob/master/auth_openidc.conf)