OAuth SSO
Requirements (on-premise)
10.0.x   8.1   8.2
11.0.0   8.2   8.4
Install the plugin
Go to the marketplace, download Oauth SSO and enable it.

External Authentication
The plugin uses GLPI's External Authentication functionality and needs some initial setup to be functional.
Go to Setup > Authentication > Other authentication methods
In the Other authentication transmitted in the HTTP request section, the Storage fields for the identifier in the HTTP request field must be defined, usually HTTP_AUTH_USER.
The Delete the domain from identifiers of the form identifier@domain field can be set to Yes or No.
The users who are going to authenticate themselves will not be known to GLPI, so it is necessary to populate certain fields to create their record in GLPI with a minimum of information.
The fields that can be retrieved by SSO are as follows:
Last name: givenName
First name: familyName
Email: email
Email2: email2
Telephone number: phone
Mobile: mobile
Title: title
Language: language

Save your Setup
You must also activate the automatic addition of users in GLPI so that they are created in GLPI at the time of authentication.
In the Setup > Authentication > Setup menu, the Automatically add users from external authentication sources field must be changed to Yes.

Fetch information from user profile option
You can choose whether to retrieve information from the user profile. In Setup > Oauth SSO applications, select Yes or No as required.
If OAuth SSO is your only source of authentication AND provisioning, we recommend that you set the Fetch information from user profile option to Yes so that user information can be fetched. Please note that claims must also be set correctly on the provider side.
If you are using an external provisioning source such as SCIM, we recommend that you set the Fetch information from user profile option to No so that user information is not overwritten and replaced by that of the OAuth SSO plugin.
Apple
Create a new identifier
Go to this page to configure the Apple provider.
Create a new "Identifier" in the Identifiers tab.
Select Apps IDs, then continue.
Select type => App, then continue.
Select the Sign in with Apple capability.
Team ID can be found here (1). Client ID can be found here (2).

Key File and Key ID
Go here to create the Key file.
Enter a name and description (1).
Select Sign in with Apple.
Click on Configure (2) to select the Apps ID previously created.
After registering your app, you will be able to retrieve: Key File (1), Key ID (2).

You now have all the necessary information to configure your provider in the OauthSSO plugin.
Please note: Processing of the Apple identifier and key may take some time on Apple's side; potentially, up to 48 hours.
Warning about fetching user information
Concerning firstname / lastname fetching: please note that this information is only available during the user's first login, provided that the user consents to sharing their information. For subsequent logins, only the user identifier will be retrieved.
Entra
Register your application in Entra
First, register your application with your Entra Active Directory (Entra AD) tenant. This will provide you with an application ID for your application and allow it to receive tokens.
Connect to the Entra portal
Choose your Entra AD tenant by selecting your account in the top right corner of the page, then select Change directory in the navigation bar and pick the desired tenant.
Skip this step if you only have one Entra AD tenant under your account or if you have already selected one.

In the Entra Portal, search for and select Entra Active Directory.
From the left-hand Active Directory menu, select Application Registrations, then New Registration.

Enter web in the redirect URI and paste the return URL of your GLPI instance:


Secret and certificate
In the certificates and secrets tab, create a new secret that will need to be transferred to your Oauth SSO application on the GLPI side:

When you click on Add, the secret will only be displayed once. As soon as you leave this page, the secret will be hidden and you will no longer be able to access it. Remember to store it in a safe place, as you will need it later.
Claims
If you are using SSO V2, an additional step is required. The claims on the Entra side must be entered manually and should preferably be of type ID.
In the Token configuration tab
Click on Add an optional claim
Add the 4 claims below:

API authorisations
GLPI must be able to read user information in order to use it for login. In API permissions, click on the API already present (Microsoft Graph in our example).


Select:
email
offline_access
profile
user.read
Then remember to save your changes.
Setup GLPI
Entra AD provides a description with the essential information you need:

Specify an application name visible to end users.

Copy the values from the fields above:
Application ID
The tenant ID
The value of the secret copied in the previous step
Please check that the value of the secret is filled in correctly. If the ID of the secret is copied instead, your application will fall into error.
Explanation of ID field
Three values are available in this field:

User Principal Name (UPN): this option uses the full username of the user logging in ([email protected] for example). If you want only the username to be visible (without the @mondomaine.com), see the XXXXXXXXXX paragraph.
Entra user ID (OID): this option takes the object ID from the Entra AD. This ID will be used for the user login.

Email address: This option specifies the user's email address. This field will be used for the login. If it is empty, the UPN will be used.
If you need to find your application in the Entra portal, select Application subscriptions, then Display all applications.
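The three ID field choices above, combined with the Delete the domain from identifiers of the form identifier@domain option of the External Authentication setup, decide which login GLPI ends up storing. The following is an added Python model of that choice (not the plugin's own code; the claim names upn, oid and email and the sample tokens are assumptions) that also shows how stripping the domain can make two distinct accounts collapse into one GLPI login:

```python
ID_FIELDS = ("upn", "oid", "email")


def resolve_login(claims, id_field, strip_domain=False):
    """Return the login GLPI would store for one set of ID-token claims.

    id_field is the plugin's 'ID field' choice: 'upn' (User Principal Name),
    'oid' (Entra object ID) or 'email' (falls back to the UPN when empty).
    strip_domain models 'Delete the domain from identifiers of the form
    identifier@domain' = Yes. Claim names are assumed for this example.
    """
    if id_field not in ID_FIELDS:
        raise ValueError(f"unknown ID field: {id_field}")
    if id_field == "email":
        value = claims.get("email") or claims.get("upn")  # page: empty -> UPN
    else:
        value = claims.get(id_field)
    if not value:
        raise ValueError(f"token carries no usable '{id_field}' value")
    if strip_domain and "@" in value:
        value = value.split("@", 1)[0]
    return value


def find_collisions(tokens, id_field, strip_domain=False):
    """Map each login to the UPNs that would share it.

    Only logins produced by more than one token are returned: those are
    distinct accounts that GLPI would merge into a single user record.
    """
    by_login = {}
    for claims in tokens:
        login = resolve_login(claims, id_field, strip_domain)
        by_login.setdefault(login, []).append(claims["upn"])
    return {login: upns for login, upns in by_login.items() if len(upns) > 1}


# Constructed sample tokens: two users whose UPNs differ only by domain.
SAMPLE_TOKENS = [
    {"upn": "alice@mondomaine.com",
     "oid": "00000000-0000-0000-0000-000000000001",
     "email": "alice@mondomaine.com"},
    {"upn": "alice@partner.example",
     "oid": "00000000-0000-0000-0000-000000000002",
     "email": ""},  # no mail claim: the 'email' ID field falls back to UPN
]
```

With the domain stripped, the UPN and email choices map both sample users to the login alice, while the OID choice is unaffected because an object ID contains no @.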
Google
Creating a project
From your Google console (administrator access is required)
Go to your organisation then new project
Enter the name of your project
Click on Create
Return to your organisation,
Select your project
Setup Oauth access
From the menu, click on APIs & Services
Then OAuth consent screen
Select the type of access that will be granted to the application (internal or external users)
Then click on Create.
Enter (as a minimum) a name for the application, an email address for application support and the developer's email address (this information is compulsory).
Click on Save and continue.
In the Scope section
Click on Add or remove application fields
Add auth/userinfo.email, auth/userinfo.profile and openid
Click on Update
Then Save and continue
ID settings
From the Credentials menu
Click on Create credentials
Then Oauth client ID.
Select the type of application Web application
Enter an application name
In the Authorized redirect URIs section
Enter the GLPI Callback URL
Click on Create
A page appears with the identifier values. Keep this information as it will be requested in GLPI.
Setup GLPI
From Setup > Oauth SSO applications
Click on Add
Select Google in the Oauth provider field
Select the icon that will be visible on the home page
Enter the Client ID (number 1 on the previous screenshot)
Enter the Client secret (numbered 2 on the previous screenshot)
Enter the field user ID
Click on Add
From the home page, the new Oauth SSO login option will be visible:

OKTA
Create application
First, go to GLPI and download the Oauth SSO plugin
Navigate to the Setup > Oauth SSO applications
Click on Add

Keep this window active and retain the callback URL:

In your OKTA interface, go to Applications
Create App Integration

Select the option OIDC -- OpenID Connect in the first dropdown and Web Application in the second
Click on Next

Enter an application name and check the box Client credentials

Enter the return URL, retrieved above, in Sign-in redirect URIs.

Assignments
In the last box, select the option that suits you best (here we authorize all users present in OKTA)
Finally, click on Save

Setup GLPI
In GLPI, go back to the Oauth SSO plugin configuration window and enter your OKTA tenant information:

Give your provider a name, which will appear on the login page.
Mark it as active
Select OKTA as the Oauth provider
Enter the application ID found in the application previously created in OKTA

Specify the ID field to be mapped with OKTA
Specify the client secret available in OKTA in the previously created application

Enter the name of your OKTA instance (https://XXXXXXXXX.okta.com), available in the account creation confirmation e-mail.
Click on Add
In the plugin, you will see the approval message:

Now that the configuration is complete, you can test it with a user.


Keycloak
Create a REALM
After installing keycloak, go to the admin console:
http://XXXXXXXXXX:8080/admin or https://XXXXXXXXXX:8080/admin
Create your realm by clicking on master at the top left of your screen
Then create Realm
Give it a name that suits you
Click on Create

Create user
Then go to the Users tab
Then Create new user (we'll use a local user, but you can synchronize your LDAP if necessary)

Create your user according to your needs, remembering to check the Email verified box
Click on Create once you've entered your details.

Stay in your user file and click on Credentials
Then Set password

Configure the user password, taking care to indicate that the password is not temporary
Click on save then Save password

You can check that your configuration is correct by logging on to the user account console:
http://XXXXXXXXXXX/realms/GLPI/account/#/ or https://XXXXXXXXXXX/realms/GLPI/account/#/
(Remember to adapt the realm name if you haven't named it GLPI).
You will then be able to connect to the record of the previously created user or one of your LDAP users.
Create client
Now we can register our GLPI application with Keycloak
Go to Clients
Create client

Give your application a client ID, which you'll need to pass on to your GLPI Oauth SSO configuration
Click on next and make sure on the next page that the standard flow and client authentication options are active
Click on Save
Keep this page active, we'll come back to it later.

Setup GLPI
Go to GLPI
In Setup > Oauth SSO applications click on add (at the top of your screen)

Start by retrieving the return URL and pasting it into Keycloak's valid redirect URIs field

Back in GLPI's Oauth SSO plugin configuration, fill in the required fields:

Give your provider a name, which will appear on the login page for users
Activate this plugin so that it is visible and usable on the login page
Choose Keycloak as your Oauth provider
Enter the client name set above
Retrieve client secret from Keycloak (client, client_name, credentials)

Enter the discovery URL: http://mondomaine/realms/monrealms/.well-known/openid-configuration.
Click on Add
In the plugin, you will see the approval message:

Now that configuration is complete, you can test the connection with the user you created earlier, or with your LDAP user.
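Before pasting the discovery URL into the plugin, it is worth checking that the document it returns really belongs to the realm you created. This added Python check (not part of the plugin or of Keycloak) builds the URL in the form given above and validates a discovery document against it; the sample document is constructed to look like an abridged Keycloak response for the assumed host mondomaine and realm monrealms:

```python
import json
from urllib.parse import urlsplit

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(base, realm):
    """Build the discovery URL in the form the page gives for Keycloak."""
    return f"{base.rstrip('/')}/realms/{realm}/.well-known/openid-configuration"


def check_discovery(doc_json, expected_url):
    """Return a list of problems with a discovery document; [] means usable.

    expected_url is the discovery URL you intend to paste into the plugin.
    """
    doc = json.loads(doc_json)
    problems = [f"missing {k}" for k in REQUIRED if k not in doc]
    # OIDC Discovery: the issuer must equal the discovery URL minus its
    # /.well-known/openid-configuration suffix, otherwise the document was
    # served for a different realm (or a different host) than intended.
    expected_issuer = expected_url.rsplit("/.well-known/", 1)[0]
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    # The Keycloak client was created with 'standard flow' enabled, which is
    # the authorization code flow; the provider must advertise it.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    # Tokens and the client secret travel to these endpoints: require TLS.
    for k in REQUIRED:
        if k in doc and urlsplit(doc[k]).scheme != "https":
            problems.append(f"{k} is not served over https")
    return problems


# Constructed document shaped like an abridged Keycloak response.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://mondomaine/realms/monrealms",
    "authorization_endpoint": "https://mondomaine/realms/monrealms/protocol/openid-connect/auth",
    "token_endpoint": "https://mondomaine/realms/monrealms/protocol/openid-connect/token",
    "jwks_uri": "https://mondomaine/realms/monrealms/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
})
```

Pointing the check at a URL for another realm name, or at a document served over plain http as in the admin-console examples above, reports an issuer mismatch rather than silently accepting the document.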



Rules for assigning authorisations
Remember that Oauth SSO authentication allows only authentication, in the sense that no user management is carried out following authentication.
In most cases, it will therefore be necessary to establish rules for assigning authorisations to your users (to give them a profile, for example).
To do this, go to Administration > Rules > Rules for assigning authorisations to a user.
There are no 'mandatory' rules; it is up to you to create the rule(s) that best suit your needs according to your available criteria.
For example, a very simple rule: I want my users with SSO authentication to obtain the Self-Service profile.
So I set my criteria and my action:

Forcing SSO authentication
Using the Oauth SSO application configuration, you can mask the internal database login field to force the connection through your SSO application (Setup > Oauth SSO applications > Setup).

Resources
FAQ
If you have any questions about using the plugin, please consult our FAQ