diff --git a/application/controllers/AuthenticationController.php b/application/controllers/AuthenticationController.php
index 2215c0bbf..3e8843722 100644
--- a/application/controllers/AuthenticationController.php
+++ b/application/controllers/AuthenticationController.php
@@ -3,6 +3,7 @@
 
 namespace Icinga\Controllers;
 
+use Icinga\Application\Hook\AuthenticationHook;
 use Icinga\Application\Icinga;
 use Icinga\Forms\Authentication\LoginForm;
 use Icinga\Web\Controller;
@@ -35,6 +36,9 @@ class AuthenticationController extends Controller
         }
         $form = new LoginForm();
         if ($this->Auth()->isAuthenticated()) {
+            // Call provided AuthenticationHook(s) when login action is called
+            // but icinga web user is already authenticated
+            AuthenticationHook::triggerLogin($this->Auth()->getUser());
             $this->redirectNow($form->getRedirectUrl());
         }
         if (! $requiresSetup) {
@@ -66,6 +70,8 @@ class AuthenticationController extends Controller
         // Get info whether the user is externally authenticated before removing authorization which destroys the
         // session and the user object
         $isExternalUser = $auth->getUser()->isExternalUser();
+        // Call provided AuthenticationHook(s) when logout action is called
+        AuthenticationHook::triggerLogout($auth->getUser());
         $auth->removeAuthorization();
         if ($isExternalUser) {
             $this->getResponse()->setHttpResponseCode(401);
diff --git a/application/forms/Authentication/LoginForm.php b/application/forms/Authentication/LoginForm.php
index 42ff10ed2..e8f053846 100644
--- a/application/forms/Authentication/LoginForm.php
+++ b/application/forms/Authentication/LoginForm.php
@@ -4,6 +4,7 @@
 namespace Icinga\Forms\Authentication;
 
 use Icinga\Application\Config;
+use Icinga\Application\Hook\AuthenticationHook;
 use Icinga\Authentication\Auth;
 use Icinga\Authentication\User\ExternalBackend;
 use Icinga\User;
@@ -95,6 +96,8 @@ class LoginForm extends Form
         $authenticated = $authChain->authenticate($user, $password);
         if ($authenticated) {
             $auth->setAuthenticated($user);
+            // Call provided AuthenticationHook(s) after successful login
+            AuthenticationHook::triggerLogin($user);
             $this->getResponse()->setRerenderLayout(true);
             return true;
         }
diff --git a/library/Icinga/Application/Hook/AuthenticationHook.php b/library/Icinga/Application/Hook/AuthenticationHook.php
new file mode 100644
index 000000000..7f159a2eb
--- /dev/null
+++ b/library/Icinga/Application/Hook/AuthenticationHook.php
@@ -0,0 +1,76 @@
+<?php
+
+namespace Icinga\Application\Hook;
+
+use Icinga\User;
+use Icinga\Web\Hook;
+use Icinga\Application\Logger;
+
+/**
+ * Icinga Web Authentication Hook base class
+ *
+ * This hook can be used to authenticate the user in a third party application.
+ * Extend this class if you want to perform arbitrary actions during the login and logout.
+ */
+abstract class AuthenticationHook
+{
+    /**
+     * Name of the hook
+     */
+    const NAME = 'authentication';
+
+    /**
+     * Triggered after login in Icinga Web and when calling login action even if already authenticated in Icinga Web
+     *
+     * @param User $user
+     */
+    public function onLogin(User $user)
+    {
+    }
+
+    /**
+     * Triggered before logout from Icinga Web
+     *
+     * @param User $user
+     */
+    public function onLogout(User $user)
+    {
+    }
+
+    /**
+     * Call the onLogin() method of all registered AuthHook(s)
+     *
+     * @param User $user
+     */
+    public static function triggerLogin(User $user)
+    {
+        /** @var AuthenticationHook $hook */
+        foreach (Hook::all(self::NAME) as $hook) {
+            try {
+                $hook->onLogin($user);
+            } catch (\Exception $e) {
+                // Avoid error propagation if login failed in third party application
+                Logger::error($e);
+            }
+        }
+    }
+
+    /**
+     * Call the onLogout() method of all registered AuthHook(s)
+     *
+     * @param User $user
+     */
+    public static function triggerLogout(User $user)
+    {
+        /** @var AuthenticationHook $hook */
+        foreach (Hook::all(self::NAME) as $hook) {
+            try {
+                $hook->onLogout($user);
+            } catch (\Exception $e) {
+                // Avoid error propagation if login failed in third party application
+                Logger::error($e);
+            }
+        }
+    }
+}
+