Good afternoon everyone,
We started a new project, in our company, using GLPI.
At this point, we are now able to authenticate ourselves to the application with domain accounts.
However, to make life easier for users, we intended to implement SSO "mechanism".
We have searched in several forums, but without success so far.
Our configuration is as follows:
Version GLPI: glpi-9.5.3
HTTP Server: Apache/2.4.41
OS: Ubuntu 20.04.1 LTS
DB: 10.3.25-MariaDB-0ubuntu0.20.04.1
Best regards
Offline
Hello,
For that we use a CAS server.
In GLPI it is configured in configuration>authentication>others.
You have to install phpcas, it is not included anymore.
Is this what you are looking for?
Best regards,
Offline
Hi
We're using PHP SAML plugin there and it works as expected. Configuration is easy (just the landing page and certificate), yet some care must be taken, because I haven't really discovered any way to bypass the SSO once it is enabled (one of my other posts on this forum) - and if something would just prevent authentication, then the only way I know is via direct GLPI database modification (to disable the plugin).
Offline
Good afternoon. Thanks for the answer.
It is a good solution. Do you have any example of configuration with Microsoft Active Directory?
Any tips?
Greetings
Hello,
For that we use a CAS server.
In GLPI it is configured in configuration>authentication>others.
You have to install phpcas, it is not included anymore.
Is this what you are looking for?
Best regards,
Offline
Good afternoon. Thanks for the answer.
This plugin would also be interesting but we wanted to maintain the various types of authentication and not just SSO.
greetings
Hi
We're using PHP SAML plugin there and it works as expected. Configuration is easy (just the landing page and certificate), yet some care must be taken, because I haven't really discovered any way to bypass the SSO once it is enabled (one of my other posts on this forum) - and if something would just prevent authentication, then the only way I know is via direct GLPI database modification (to disable the plugin).
Offline
We used a reverse proxy (KEMP) in the past that authenticated the user and sent the username/password as HTTP authentication to the backend GLPI server.
Now I use Azure Application proxy to authenticate users against AzureAD. The Application proxy then sends the logon in the HTTP header (that feature is in public preview). GLPI then picks up the username through HTTP authentication again. The advantage of that is I have no open ports to my DC and I don't need LDAP/SAML etc. that takes its own kind of special config.
Offline
Thanks for the answer. We do not currently have a license for azure AD. But this solution is very interesting
Offline
Hi
We're using PHP SAML plugin there and it works as expected.
Is the PHP SAML plugin only available with a paid subscription ?
Offline
mklimasz wrote:Hi
We're using PHP SAML plugin there and it works as expected.
Is the PHP SAML plugin only available with a paid subscription ?
Hi there, I'm the plugin author and it was released AGPL - no subscription necessary. Happy to answer any questions.
Offline
Have good experiences with https://github.com/edgardmessias/glpi-singlesignon Esp. cause the SAML plugin isn't available for newer glpi releases
Last edited by Megachip (2022-10-31 14:25:24)
Offline
Hey! Could you please provide us the configuration for adding a provider on this plugin? Also, do you know what app permission to attribute for the Azure application while registering it for GLPI-SSO?
Have good experiences with /github..../glpi-singlesignon Esp. cause the SAML plugin isn't available for newer glpi releases
Last edited by elprimo (2022-11-09 12:16:30)
Offline
oj69 wrote:mklimasz wrote:Hi
We're using PHP SAML plugin there and it works as expected.
Is the PHP SAML plugin only available with a paid subscription ?
Hi there, I'm the plugin author and it was released AGPL - no subscription necessary. Happy to answer any questions.
Hello, I'm the creator of the PHPSAML plugin that is available on the glpi-plugins site. The plugin implements SAML authentication in GLPI and has several configuration options to make it flexible. Check out my repo at for the latest updates or if you have any issues.
Hi Derrick,
I've setup and used your plugin.
I'm using glpi v 10.0.0.6 and the plugin(1.2.1) doesn't seem to create a configuration node under setup, I have to access the configuration from the plugins page.
I noticed the plugin doesn't seem to pull the users firstname
I want to pull additional info from azure
I would like to pull additional attributes and user groups from azure.
I want to pull these groups into glpi groups so I can do different assignments based on groups.
Offline
I install PHP SAML plugin
Can you tell me why I get a blank page if I open GLPI_HOME/plugins/phpsaml/front/meta.php
All data is filled in GLPI_HOME/plugins/phpsaml/front/config.php
Last edited by shigol (2023-07-26 13:19:52)
Offline
Can you help me with plugin: glpi-singlesignon
Send a printout of how you used it to alcione-morais@hotmail.com
thank you very much
Offline
Hi there.
I have been maintaining the phpsaml repository for over a year now. My updated version should work on the latest glpi. github.com/DonutsNL/phpsaml
I have also been rewriting the plugin to utilize native glpi objects where possible. I could really use some help with testing. The beta can be found here: github.com/DonutsNL/glpisaml
Regards, DonutsNL
Offline
Hi DonutsNL, hope you're still working on this, the link to github is down, found the repository at https://packagist.org/packages/donutsnl/glpisaml#v1.1.0
I'm trying to test it out but need some info...
Offline
Hi everybody,
I have a question about LDAP user properties.
I use GLPISAML plugin for SSO and it works. I use AD FS as IdP.
When it creates new user, it puts "username" and "email" into GLPI user db. I set some settings by "GLPI SAML - Saml import rules".
Can someone answer me?
Is there any way to get other user properties from LDAP IdP by using GLPISAML plugin?
I thought of using the built-in support for LDAP (Setup/Authentication/LDAP directory) to update glpi user properties from LDAP. I'm not sure if this is the right way at all and if it will work.
Thanks for answer.
Martin
Offline
I forgot to add - I use Linux Debian and Apache2.
Offline
Hi everybody,
I have a question about LDAP user properties.
Thanks for answer.
Martin
When importing new groups, importing/synchronizing users (LDAP) - you can get all attributes from the Active Directory.
Connection Filter: (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(samaccountname=*$)))
Login Field: samaccountname
Last edited by sIBajHYG (2024-05-20 19:06:09)
Linux ubuntu-22.04.2-live-server-amd64, PHP 8.1.2, Apache 2.4.52, MariaDB 10.6.12, GLPI 10.0.15.
GLPI Inventory 1.3.5, PHP SAML 1.3.0, Oauth IMAP 1.4.3, Additional Fields, 1.21.8,Ticket Cleaner.
Offline
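What the connection filter in the post above selects, as an added example that is not part of the original post or of GLPI: a small evaluator for that filter, run over constructed directory entries. The `entry` helper, the sample accounts and the shortened objectCategory values are assumptions made for illustration.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"   # Active Directory bitwise-AND matching rule
FILTER = ("(&(objectClass=user)(objectCategory=person)"
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(samaccountname=*$)))")

def parse(s, i=0):
    """Parse the parenthesised filter starting at s[i]; return (node, next index)."""
    op = s[i + 1]
    if op in "&|!":
        kids, i = [], i + 2
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1                 # step over the closing ")"
    end = s.index(")", i)
    attr, value = s[i + 1:end].split("=", 1)
    return ("item", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (lower-case attr -> list of str)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    if attr.endswith(f":{BIT_AND}:"):            # attr:rule:=N, true when every bit of N is set
        name, mask = attr.split(":")[0], int(value)
        return any((int(v) & mask) == mask for v in entry.get(name, []))
    pattern = ".*".join(re.escape(p) for p in value.split("*"))
    return any(re.fullmatch(pattern, v, re.I) for v in entry.get(attr, []))

def entry(name, category, uac, *extra_classes):
    """Build one constructed directory entry (hypothetical helper)."""
    return {"samaccountname": [name], "objectcategory": [category],
            "useraccountcontrol": [str(uac)],
            "objectclass": ["top", "person", "user", *extra_classes]}

# Constructed sample entries; objectCategory is shortened to its class name.
SAMPLE = [
    entry("alice", "person", 512),                    # enabled user
    entry("bob", "person", 514),                      # 512 + 2: account disabled
    entry("carol", "person", 66048),                  # enabled, password never expires
    entry("WS-0142$", "computer", 4096, "computer"),  # workstation account
    entry("legacy$", "person", 512),                  # user-class account ending in "$"
]

def allowed_logins(entries, ldap_filter=FILTER):
    """Return the samaccountname of every entry the filter lets through."""
    tree, _ = parse(ldap_filter)
    return [e["samaccountname"][0] for e in entries if matches(tree, e)]
```

The bitwise rule tests only the disabled bit (2) of userAccountControl, so accounts carrying other flags are still evaluated correctly, and the `*$` clause drops machine-style names even when the entry is otherwise a person.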
Thank you for your response.
Yes, I understand it.
But can I combine it with the GLPISAML plugin?
Offline
Hi,
My latest (still being tested) version should allow both ldap sync and auth using saml. Make sure that the nameID saml property is populated by the Entra/Idp with whatever ldap sets to the username during sync and that the NameId format is compliant with that property. The latest version is available in my branch, BE AWARE IT'S NOT FULLY TESTED YET. For help create an issue in my @codeberg repo or join my Discord (link in the plugins readme.md).
Rgrds,
https://codeberg.org/QuinQuies/glpisaml/src/branch/DonutsNL-v1.1.3
Last edited by donutsNL (2024-05-28 00:37:51)
Offline
Thank you for sharing!
SAML and SSO will be on my project soon, will test it!
Offline