# OAuth SSO

## Requirements (self-hosted)

| GLPI Version | Minimum PHP | Recommended |
| ------------ | ----------- | ----------- |
| 10.0.x       | 8.1         | 8.2         |
| 11.0.x       | 8.2         | 8.4         |

{% hint style="info" %}
A [GLPI Network BASIC](https://services.glpi-network.com/#offers) subscription (or higher) is required. This plugin is also available for all GLPI Network [Cloud instances](https://glpi-network.cloud).
{% endhint %}

{% hint style="warning" %}
**For Google and OKTA**: these providers only accept public AND secure (https) URLs. If your GLPI URL is not reachable from the internet, this procedure will not apply.

**For Entra and Keycloak**: private URLs (not reachable from the internet) are accepted, but they must be secured (https).
{% endhint %}

***

## Install the plugin

* Go to the marketplace. Download **Oauth SSO** and enable it

<div align="left"><figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2FoNoslLGeVb44IhfoLFeR%2Foauth-sso-install-plugin.png?alt=media&#x26;token=63ec772e-874c-4667-9ae2-bb44aaf8e1e7" alt=""><figcaption></figcaption></figure></div>

***

## External Authentication

The plugin relies on GLPI's **External Authentication** functionality, which needs some initial setup before the plugin can work.

* Go to **Setup > Authentication > Other authentication methods**
* In the **Other authentication transmitted in the HTTP request** section
* The **Storage fields for the identifier in the HTTP request** field must be defined, usually **HTTP\_AUTH\_USER**.
* The **Delete the domain from identifiers of the form identifier\@domain** field can be set to **Yes** or **No**.

{% hint style="info" %}
In the case of authentication via SSO, the option **Delete the domain from identifiers of the form identifier\@domain** can be set to **Yes**, which allows an SSO login to be matched to a user record that already exists in the database (internal or LDAP(S)) under the same identifier without the domain.
{% endhint %}

{% hint style="warning" %}
Be careful: this option can let one user be matched to another user's account. If your application is open to users other than your own, it is possible that one user could be merged with another. For example, **<john.doe@mondomaine.fr>** has a namesake with a different email address, **<john.doe@unautredomaine.fr>**. With the domain deleted, the 2 records are merged and both John Does end up with the same account.
{% endhint %}
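As an added example that is not part of the plugin, the following Python pre-flight check shows how the option above can cause two different people to be matched to a single GLPI record: it derives the login GLPI would use from each identifier, with and without the domain, and reports identifiers that collapse onto the same login. The user identifiers are constructed sample data.

```python
# Added example, not part of the GLPI OAuth SSO plugin: pre-flight check for the
# "Delete the domain from identifiers" option.  Given the identifiers GLPI already
# stores (internal or LDAP accounts) plus the identifiers SSO will present, report
# which distinct identifiers would be matched to one and the same record.
from collections import defaultdict
from typing import Dict, Iterable, List


def strip_domain(identifier: str) -> str:
    """Return the part before '@', which is what GLPI matches on when the option is Yes."""
    return identifier.split("@", 1)[0].lower()


def effective_login(identifier: str, delete_domain: bool) -> str:
    """Login GLPI derives from an identifier under the chosen option."""
    return strip_domain(identifier) if delete_domain else identifier.lower()


def find_collisions(identifiers: Iterable[str], delete_domain: bool) -> Dict[str, List[str]]:
    """Group identifiers by the login GLPI would derive from them.

    Returns {derived_login: sorted distinct identifiers} for every login that
    more than one distinct identifier maps to (i.e. records that would merge).
    """
    groups = defaultdict(set)
    for ident in identifiers:
        groups[effective_login(ident, delete_domain)].add(ident.lower())
    return {login: sorted(idents) for login, idents in groups.items() if len(idents) > 1}


# Constructed sample: two existing GLPI users plus two SSO users, one of whom
# shares a local part with an existing user but comes from another domain
# (the "John Doe" case from the warning above).
EXISTING_USERS = ["john.doe@mondomaine.fr", "jane.roe@mondomaine.fr"]
SSO_USERS = ["john.doe@unautredomaine.fr", "jane.roe@mondomaine.fr"]

if __name__ == "__main__":
    for flag in (False, True):
        # With delete_domain=False nothing collides; with True john.doe merges.
        print(f"delete_domain={flag}:", find_collisions(EXISTING_USERS + SSO_USERS, flag))
```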

The users who are going to authenticate themselves will not be known to GLPI, so it is necessary to populate certain fields to create their record in GLPI with a minimum of information.

The fields that can be retrieved by SSO are as follows:

* Last name: **givenName**
* First name: **familyName**
* Email: **email**
* Email2: **email2**
* Telephone number: **phone**
* Mobile: **mobile**
* Title: **title**
* Language: **language**

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-dc80fa438d6f9d5794b553f5dd356cd62dcff472%2Foauhtsso-3.png?alt=media" alt="images/oauhtsso-3.png"><figcaption></figcaption></figure>

* Save your Setup

You must also enable the automatic addition of users so that GLPI creates their record at the time of authentication.

* In the **Setup > Authentication > Setup** menu
* The **Automatically add users from external authentication sources** field must be changed to **Yes**

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-037e566f03ac0820f0981a4b2da7a5198c7f0589%2Foauhtsso-4.png?alt=media" alt="images/oauhtsso-4.png"><figcaption></figcaption></figure>

***

## Fetch information from user profile option

You can choose whether to retrieve information from the user profile. In **Setup > Oauth SSO applications**, select Yes or No as required.

{% hint style="danger" %}
If **OAuth SSO** is your **only source of authentication AND provisioning**, we recommend that you set the **Fetch information from user profile option** to **Yes** so that user information can be fetched. Please note that claims must also be set correctly on the provider side.

If you are using an **external provisioning source** such as SCIM, we recommend that you set the **Fetch information from user profile option** to **No** so that user information is not overwritten and replaced by that of the OAuth SSO plugin.
{% endhint %}

***

## Apple

### Create a new identifier

* Go to this page to configure the [Apple provider](https://developer.apple.com/account/resources/certificates/list)
* Create a new "Identifier" in the `Identifiers` tab.

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-587b572a4028cffcb1339e9ee05ead1e31b70b8b%2Fapple_identifier.png?alt=media" alt="images/apple_identifier.png"><figcaption></figcaption></figure>

* Select `Apps IDs`

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-4222ad9e82838334cfcbf3db77a399aac71e70fe%2Fapple_apps_id.png?alt=media" alt="images/apple_apps_id.png"><figcaption></figcaption></figure>

* Then continue
* Select `type` => `App`

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-960f46aad0e12baeac7304d3bc94a5d4fb8e9fd7%2Fapple_app_type.png?alt=media" alt="images/apple_app_type.png"><figcaption></figcaption></figure>

* Then continue
* Select `Sign in with Apple` capability

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-32e024618cee5f05b22d90b1f988f902101ca00a%2Fapple_sign_in.png?alt=media" alt="images/apple_sign_in.png"><figcaption></figcaption></figure>

* `Team ID` can be found here (1).
* `Client ID` can be found here (2).

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-38da0775b237a05cfdc9ca4dd39bb7632136f337%2Fapple_edit_conf.png?alt=media" alt="images/apple_edit_conf.png"><figcaption></figcaption></figure>

### Key File and Key ID

* Go to the [Keys page](https://developer.apple.com/account/resources/authkeys/list) to create a key file

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-a351715225969a818e322da0a06b097679f45a27%2Fapple_key.png?alt=media" alt="images/apple_key.png"><figcaption></figcaption></figure>

* Enter a name and description (1).

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-717c28a1ae6b66bdf7818b877909f791b2862212%2Fapple_sign_in_key.png?alt=media" alt="images/apple_sign_in_key.png"><figcaption></figcaption></figure>

* Select `Sign in with Apple`
* Click on `Configure` (2) to select `Apps ID` previously created

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-d7dc45cdae582a96f05b191200d9edc2be59d967%2Fapple_conf_key.png?alt=media" alt="images/apple_conf_key.png"><figcaption></figcaption></figure>

After registering your app, you will be able to retrieve:

* `Key File` (1)
* `Key ID` (2)

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-df70eb77681c18d04f77f8771443fa6df09e864f%2Fapple_download_key.png?alt=media" alt="images/apple_download_key.png"><figcaption></figcaption></figure>

You now have all the necessary information to configure your provider in the OauthSSO plugin.

{% hint style="warning" %}
**Please note**: Processing of the Apple identifier and key may take some time on Apple's side; potentially, up to 48 hours.
{% endhint %}

### Warning about fetching user information

{% hint style="info" %}
For now, only the `email`, `subject identifier` (sub), `firstname`, and `lastname` can be retrieved from the identity provider.
{% endhint %}

{% hint style="warning" %}
Concerning `firstname` / `lastname` fetching: this information is only available **during the user's first login**, and only if the user **consents to sharing their information**. On subsequent logins, **only the user identifier** will be retrieved.
{% endhint %}

***

## Entra

### Register your application in Entra

First, register your application in your Entra Active Directory (Entra AD) tenant. This gives your application an application ID and allows it to receive tokens.

* Connect to the [Entra portal](https://entra.microsoft.com/#home)
* Choose your Entra AD tenant by selecting your account in the top right corner of the page. Then select the **Change directory** navigation bar, then the desired tenant
* Skip this step if you only have one Entra AD tenant under your account or if you have already selected one

<div align="left"><figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-1a1a2c230959518e7d6b58a960013625a73e9d1f%2Foauth-Entra-1.png?alt=media" alt="images/oauth-Entra-1.png"><figcaption></figcaption></figure></div>

* In the Entra portal, search for and select **Entra Active Directory**
* From the left-hand **Active Directory** menu, select **Application Registrations**
* Then **New Registration**

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-33940ffedcfbed3396d2111beb7f670bcd867abe%2Foauth-Entra-2.png?alt=media" alt="images/oauth-Entra-2.png"><figcaption></figcaption></figure>

* Choose **Web** as the redirect URI type and paste the callback URL of your GLPI instance:

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-161278fa80fbc3f729e1c8f08964d8119491930c%2Foauth-Entra-3.png?alt=media" alt="images/oauth-Entra-3.png"><figcaption></figcaption></figure>

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-3ab4607bc9fdd2f09a46b2e7f56c03f420bc50b9%2Foauth-Entra-4.png?alt=media" alt="images/oauth-Entra-4.png"><figcaption></figcaption></figure>

### Secret and certificate

* In the **certificates and secrets** tab, create a new secret that will need to be transferred to your Oauth SSO application on the GLPI side:

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-d20e4d5fcc8f7f76e7083266dfe159cddf96e076%2Foauth-Entra-5.png?alt=media" alt="images/oauth-Entra-5.png"><figcaption></figcaption></figure>

{% hint style="warning" %}
When you click on **Add**, **the secret value is shown only once**. As soon as you leave this page, **the secret will be hidden** and you will no longer be able to read it. Remember to **store it in a safe place**, as you will need it later.

<img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-18fe77a53e577b49509f2a885f67d8fe23370d86%2Foauth-Entra-5bis.png?alt=media" alt="" data-size="original">
{% endhint %}

### Claims

{% hint style="warning" %}
If you are using **SSO V2**, an additional step is required. The **claims** on the Entra side **must be entered manually** and should preferably be of type **ID**.
{% endhint %}

* In the **Token configuration** tab
* Click on **Add an optional claim**
* Add the 4 claims below:

<div align="left"><figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-fc84d494536b9636570542ac8b6e36b92fabcb67%2Foauth-Entra-7.png?alt=media" alt="images/oauth-Entra-7.png"><figcaption></figcaption></figure></div>

### API authorisations

GLPI must be able to read user information in order to use it for the connection.

* In **API permissions**
* Click on the API already present (Microsoft Graph in our example)

<div align="left"><figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-c93429bb04dbe723abf3d702c66122b0b113a9a5%2Foauth-Entra-12.png?alt=media" alt="images/oauth-Entra-12.png"><figcaption></figcaption></figure></div>

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-bb48cefa19246520a6f4254c6f6a822d12961542%2Foauth-Entra-13.png?alt=media" alt="images/oauth-Entra-13.png"><figcaption></figcaption></figure>

Select:

* email
* offline\_access
* profile
* user.read
* Then remember to save your changes.

### Setup GLPI

* The application overview in Entra AD shows the essential information you need:

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-74064df1941382a9e31a663802ccd67b232bcc56%2Foauth-Entra-6.png?alt=media" alt="images/oauth-Entra-6.png"><figcaption></figcaption></figure>

* Specify an application **name** visible to end users.

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-92c45616eba341c1ec7743fe57250062348b5aec%2Foauth-Entra-4bis.png?alt=media" alt="images/oauth-Entra-4bis.png"><figcaption></figcaption></figure>

Copy the values from the fields above:

* Application ID
* The directory (tenant) ID
* The **value** of the secret copied in the previous step

{% hint style="warning" %}
Please check that the **value** of the secret is filled in correctly. If you copy the secret's ID instead of its value, your application will fail with an error.
{% endhint %}

### Explanation of ID field

* Three values are available in this drop-down:

<div align="left"><figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-96cf613e89d42d03b2cd85e6aa639666f60c5289%2Foauth-Entra-8.png?alt=media" alt="images/oauth-Entra-8.png"><figcaption></figcaption></figure></div>

1. **User Principal Name (UPN)**: this option uses the full username of the user logging in (<nom.prenom@mondomaine.com> for example). If you want only the username to be kept (without the @mondomaine.com), see the **XXXXXXXXXX** paragraph.
2. **Entra user ID (OID)**: this option takes the user's object ID from Entra AD. This ID will be used as the user login.

<div align="left"><figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-32eca233686bcd8e080e999c04de8fcd7724e668%2Foauth-Entra-9.png?alt=media" alt="images/oauth-Entra-9.png"><figcaption></figcaption></figure></div>

3. **Email address**: this option uses the user's email address as the login. If it is empty, the UPN is used instead.
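An added example (not the plugin's own code) that derives the GLPI login from Entra token claims for each of the three options above, including the email-to-UPN fallback and the optional domain removal described earlier; the claim names `upn`, `oid` and `email` are assumed to be Entra's standard token claim names, and the claim values are constructed.

```python
# Added example (not the plugin's own code): pick the GLPI login from the claims
# of an Entra ID token according to the "ID field" chosen in the plugin.
# Claim names are assumed to be Entra's standard ones: 'upn', 'oid', 'email'.
ID_FIELDS = ("upn", "oid", "email")


def glpi_login(claims: dict, id_field: str, delete_domain: bool = False) -> str:
    """Return the identifier GLPI will store as the user's login.

    upn   -> User Principal Name, e.g. nom.prenom@mondomaine.com
    oid   -> Entra object ID of the user (a GUID, so it has no domain part)
    email -> mail address; when the claim is absent or empty, fall back to the UPN
    delete_domain mirrors the "Delete the domain from identifiers" option.
    """
    if id_field not in ID_FIELDS:
        raise ValueError(f"unknown ID field {id_field!r}, expected one of {ID_FIELDS}")
    if id_field == "oid":
        value = claims.get("oid")
    elif id_field == "email":
        value = claims.get("email") or claims.get("upn")  # fallback from the page
    else:
        value = claims.get("upn")
    if not value:
        raise KeyError(f"token carries no usable claim for ID field {id_field!r}; "
                       "check the optional claims configured in Entra")
    # The option strips everything from the first '@'; an OID has none and passes unchanged.
    return value.split("@", 1)[0] if delete_domain else value


# Constructed sample claims (not data from a real tenant).
CLAIMS_FULL = {
    "upn": "nom.prenom@mondomaine.com",
    "oid": "11111111-2222-3333-4444-555555555555",
    "email": "prenom.nom@mondomaine.com",
}
CLAIMS_NO_EMAIL = {
    "upn": "nom.prenom@mondomaine.com",
    "oid": "11111111-2222-3333-4444-555555555555",
}

if __name__ == "__main__":
    for field in ID_FIELDS:
        print(field, "->", glpi_login(CLAIMS_FULL, field), "|", glpi_login(CLAIMS_NO_EMAIL, field))
```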

If you need to find your application in the Entra portal, select **Application subscriptions**, then **Display all applications**.

***

## Google

### Creating a project

* From your [Google console](https://console.cloud.google.com/) (administrator access is required)
* Go to your organisation, then **New project**
* Enter the name of your project
* Click on **Create**

<div align="left"><figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-6be36402f8cf7db3144c44319454ad8e013f016f%2Foauth-sso-google-2.png?alt=media" alt="images/oauth-sso-google-2.png"><figcaption></figcaption></figure></div>

* Return to your organisation
* Select your project

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-8176b8b40938b8f1bc00d417d44eef3f864bda69%2Foauth-sso-google-3.png?alt=media" alt="images/oauth-sso-google-3.png"><figcaption></figcaption></figure>

### Setup OAuth access

* From the menu, click on **`APIs & Services`**
* Then **`OAuth consent screen`**

<div align="left"><figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-4fa4966bc534ad1cb953a4f6f49fdd78264c06b3%2Foauth-sso-google-4.png?alt=media" alt="images/oauth-sso-google-4.png"><figcaption></figcaption></figure></div>

#### **Application Information**

* From the preview, click **`Get started`**
* Enter the application name and the user support email (users will be able to contact you with questions regarding their consent)

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2FueMwqsTeqC1bJC1gL5vd%2Foauth-sso-create-project.png?alt=media&#x26;token=f67a4765-1874-4108-9f81-9963b81d2210" alt=""><figcaption><p>Application information</p></figcaption></figure>

#### **Audience**

* Indicate what type of audience will be able to use this application (here **Internal**, because the users who will sign in belong to the organisation)

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2FGZdFKIDWcNBGr2eihHhS%2Foauth-imap-audience.png?alt=media&#x26;token=9dcee09b-6213-43bb-8548-54788a7abb86" alt=""><figcaption><p>Audience settings</p></figcaption></figure>

#### **Contact information**

* Enter the contact name (this contact is notified of changes made to the application)

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2FsE8MzU4aZ4WwKjDLAOP2%2Foauth-imap-contact.png?alt=media&#x26;token=bf323344-1b12-4b46-b28a-3758a9adbd57" alt=""><figcaption><p>Application contact</p></figcaption></figure>

#### Google API Services User Data Policy <a href="#google-api-services-user-data-policy" id="google-api-services-user-data-policy"></a>

* Accept the Google API Services User Data Policy and click **`Continue`** and **`Create`**

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2FNYga5W5idwMKZ5cmacnb%2Foauth-imap-data-policy.png?alt=media&#x26;token=435abce4-1bdc-4b37-9ee4-d0722fc99e2b" alt=""><figcaption><p>Application finalization</p></figcaption></figure>

#### **Application Type**

You now need to create an application client that will connect Google to your GLPI instance using an application ID and a client secret.

* In the **Clients** tab, click **`Create a client`**.
* Select **Web Application** as the application type.
* Enter a name for your application.

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2FmWgpigLTFWlViV4NEUGo%2Foauth-sso-create-app.png?alt=media&#x26;token=2a637646-887c-4004-8c25-7933162ba417" alt=""><figcaption><p>Added the web application</p></figcaption></figure>

#### **Authorised redirect URIs**

The callback URL must be specified here. This URL is found in GLPI under **`Setup`** > **`OAuth SSO`**.

**Getting the callback URL in GLPI**

* From **`Setup`** > **`OAuth SSO`** > **`+ Add`**
* Name your application
* Specify the **OAuth Provider**
* Click **`+ Add`**

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fti6NDN9y3FJfWwZOrIbG%2Foauth-sso-create-app-glpi.png?alt=media&#x26;token=7117f50d-3ef3-4a39-b227-1caab96fb5ba" alt=""><figcaption><p>Application creation</p></figcaption></figure>

* On the next screen, retrieve the callback URL

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2FiOcV73h7dRaQ4YpMkuSo%2Foauth-sso-url-callback.png?alt=media&#x26;token=b9f14a44-f2b8-43b6-9c69-2859d4f8af65" alt=""><figcaption><p>Retrieving the callback URL</p></figcaption></figure>

* Copy and paste this URL into your Google app.

<div align="left"><figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2FeRqk5PG7mWCz6QBUqWwu%2Foauth-sso-authorized-uri.png?alt=media&#x26;token=d3f1e62b-0b33-405f-84cb-89e208b8f1af" alt=""><figcaption><p>Authorized URIs</p></figcaption></figure></div>

* Click **`Create`** to validate your application.

### Application Information

{% hint style="warning" %}
In the next step, the **client secret** will be displayed. Once you leave this screen, it will no longer be available. Remember to save it in a safe place.
{% endhint %}

The application is now created. The screen displays the application ID and client secret, which you will need to enter in GLPI.

<div align="left"><figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2FURGLou3pt3onjpLzt7FA%2Foauth-sso-secret.png?alt=media&#x26;token=3aa00129-642a-4c58-8673-3ed83411df34" alt=""><figcaption><p>Application ID and secret</p></figcaption></figure></div>

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2FhM2VxgTR7K1F0f7M1yJO%2Foauth-sso-config-glpi.png?alt=media&#x26;token=ef2b87a4-ee07-43b2-90a2-c10a061bdb48" alt=""><figcaption><p>ID and application secret from GLPI</p></figcaption></figure>

* Save your entry

### Optional information

If you enable **Fetch information from user profile** in the OAuth SSO application, additional scopes are required for that information to be visible to GLPI.

* From the **Data Access** tab, click **`Add or remove scopes`**
* Add the following scopes:
  * **auth/userinfo.email**
  * **auth/userinfo.profile**
  * **openid**

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2FrroKTBkLbO3ji2F5NUKy%2Foauth-sso-scope.png?alt=media&#x26;token=92f0ff43-7c1f-4a09-ba65-a7743fcb4a78" alt=""><figcaption><p>Scopes adding</p></figcaption></figure>

* From the home page, the new Oauth SSO login option will be visible:

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-ca2da70f06aa8758b2009503437ab6d3b4754107%2Foauth-sso-google-11.png?alt=media" alt="images/oauth-sso-google-11.png"><figcaption><p>GLPI homepage with OAuth SSO</p></figcaption></figure>

{% hint style="info" %}
The first time a user logs on, they will be asked to accept access authorisations for their profile
{% endhint %}

***

## OKTA

### Create application

* First, go to GLPI and download the Oauthsso plugin
* Navigate to **Setup > Oauth SSO applications**
* Click on **Add**

<div align="left"><figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-66468a86f153e388333c2564b0981d799dcacbe7%2Fokta-2.png?alt=media" alt="images/okta-2.png"><figcaption></figcaption></figure></div>

* Keep this window open and note the callback URL:

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-273cdbff8b0bbb2225b6394c8ee9a2e0fffa1bb2%2Fokta-3.png?alt=media" alt="images/okta-3.png"><figcaption></figcaption></figure>

* In your OKTA interface, go to **Applications**
* **Create App Integration**

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-e268ac9635db22fbb4cd85804d6901cc9245d737%2Fokta-4.png?alt=media" alt="images/okta-4.png"><figcaption></figcaption></figure>

* Select **OIDC -- OpenID Connect** in the first box and **Web Application** in the second
* Click on **Next**

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-81e38eec5347bc398301a0a7a8de5b1269f59894%2Fokta-5.png?alt=media" alt="images/okta-5.png"><figcaption></figcaption></figure>

* Enter an application name and check the box **Client credentials**

<div align="left"><figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-e4713bf968bd7b30411e50812624540c9ed19fd2%2Fokta-6.png?alt=media" alt="images/okta-6.png"><figcaption></figcaption></figure></div>

* Enter the return URL, retrieved above, in Sign-in redirect URIs.

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-dea99a31efd53148545722566b1e30260db2535b%2Fokta-7.png?alt=media" alt="images/okta-7.png"><figcaption></figcaption></figure>

### Assignments

* In the last box, select the option that suits you best (here we authorize all users present in OKTA)
* Finally, click on **Save**

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-b3433f868c1e7c7636dfad8569d575f27f516e50%2Fokta-8.png?alt=media" alt="images/okta-8.png"><figcaption></figcaption></figure>

### Setup GLPI

* In GLPI, go back to the Oauth SSO plugin configuration window and enter your OKTA tenant information:

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-87cf4a5e8d460f4ce5c67f264ba82b8b6ecf9cc6%2Fokta-9.png?alt=media" alt="images/okta-9.png"><figcaption></figcaption></figure>

1. Give your provider a name, which will appear on the login page.
2. Mark it as active
3. Select OKTA as the OAuth provider
4. Enter the application ID of the application previously created in OKTA

<div align="left"><figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-6268efac85494a9dec1ba9c9cf15cd2be762f2ce%2Fokta-10.png?alt=media" alt="images/okta-10.png"><figcaption></figcaption></figure></div>

5. Specify the ID field to be mapped with OKTA
6. Enter the client secret of the previously created application, available in OKTA

<div align="left"><figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-6f64766aad9d09b79b4b7f39ac4557af8ac87d57%2Fokta-11.png?alt=media" alt="images/okta-11.png"><figcaption></figcaption></figure></div>

7. Enter the name of your OKTA instance ([https://XXXXXXXXX.okta.com](https://xxxxxxxxx.okta.com)), available in the account creation confirmation e-mail.

* Click on **Add**
* In the plugin, you will see the approval message:

<div align="left"><figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-55f789719581c2739dc9240a7aebd8e6bb152fe9%2Fokta-12.png?alt=media" alt="images/okta-12.png"><figcaption></figcaption></figure></div>

Now that the configuration is complete, you can test it with a user.

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-56137925150223a6cfcf5000269a0cb81a826535%2Fokta-13.png?alt=media" alt="images/okta-13.png"><figcaption></figcaption></figure>

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-8dbfd53bb90527c589d73533e2497e6d939d8fdd%2Fokta-14.png?alt=media" alt="images/okta-14.png"><figcaption></figcaption></figure>

***

## Keycloak

### Create a REALM

* After installing Keycloak, go to the admin console:

[http://XXXXXXXXXX:8080/admin](http://xxxxxxxxxx:8080/admin) or [https://XXXXXXXXXX:8080/admin](https://xxxxxxxxxx:8080/admin)

* Create your **realm** by clicking on **master** at the top left of your screen
* Then **create Realm**
* Give it a name that suits you
* Click on **Create**

<div align="left"><figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-d50282c9fa4af4b0b9713348db8e4caf9f55a064%2Fkeycloak-2.png?alt=media" alt="images/keycloak-2.png"><figcaption></figcaption></figure></div>

### Create user

* Then go to the **Users** tab
* Then **Create new user** (we'll use a local user, but you can synchronize your LDAP if necessary)

<div align="left"><figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-00c0743504cefa4a077ddab875eae2c2e6a17dda%2Fkeycloak-3.png?alt=media" alt="images/keycloak-3.png"><figcaption></figcaption></figure></div>

* Create your user according to your needs, remembering to check the Email verified box
* Click on **Create** once you've entered your details.

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-da3cfc4381b90e8ae5b6c4c4919968aeda5c9fa8%2Fkeycloak-4.png?alt=media" alt="images/keycloak-4.png"><figcaption></figcaption></figure>

* Stay in your user file and click on **Credentials**
* Then **Set password**

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-4bba8fc52554de9835852f9a6b0fc81b7289b5ad%2Fkeycloak-5.png?alt=media" alt="images/keycloak-5.png"><figcaption></figcaption></figure>

* Configure the user password, taking care to indicate that the password is not temporary
* Click on save then **Save password**

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-f47479eede5c082e488cf1a61331e2f89f3c75ca%2Fkeycloak-6.png?alt=media" alt="images/keycloak-6.png"><figcaption></figcaption></figure>

You can check that your configuration is correct by logging on to the user account console:

[http://XXXXXXXXXXX/realms/GLPI/account/#/](http://xxxxxxxxxxx/realms/GLPI/account/#/) or [https://XXXXXXXXXXX/realms/GLPI/account/#/](https://xxxxxxxxxxx/realms/GLPI/account/#/)

(Remember to adapt the realm name if you haven't named it GLPI).

You will then be able to connect to the record of the previously created user or one of your LDAP users.

### Create client

Now we can register our GLPI application with Keycloak.

* Go to **Clients**
* Create client

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-749a11a5b1a4493071a8ee2bb93f40cb382ea35e%2Fkeycloak-7.png?alt=media" alt="images/keycloak-7.png"><figcaption></figcaption></figure>

* Give your application a client ID, which you'll need to pass on to your GLPI Oauth SSO configuration
* Click on next and make sure on the next page that the **standard flow** and **client authentication** options are active
* Click on **Save**

Keep this page active, we'll come back to it later.

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-5226b70073a31f435d7539425b38bb13d0c73e9c%2Fkeycloak-8.png?alt=media" alt="images/keycloak-8.png"><figcaption></figcaption></figure>

### Setup GLPI

* Go to GLPI
* In **Setup > Oauth SSO applications**, click on **Add** (at the top of your screen)

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-83efc13174a745cf8d0a79a34d557bcec6cab062%2Fkeycloak-10.png?alt=media" alt="images/keycloak-10.png"><figcaption></figcaption></figure>

* Start by retrieving the return URL and pasting it into Keycloak's **valid redirect URIs** field

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-3aa789b876ded419ab28cdb30d79d3ac85224d93%2Fkeycloak-11.png?alt=media" alt="images/keycloak-11.png"><figcaption></figcaption></figure>

* Back in GLPI's Oauth SSO plugin configuration, fill in the required fields:

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-45048bc5e18a9c8114eff4cfdd389fb0f9fc8ec9%2Fkeycloak-12.png?alt=media" alt="images/keycloak-12.png"><figcaption></figcaption></figure>

1. Give your provider a name, which will appear on the login page for users
2. Activate this plugin so that it is visible and usable on the login page
3. Choose Keycloak as your Oauth provider
4. Enter the client ID you set above
5. Retrieve the client secret from Keycloak (**Clients** > *client\_name* > **Credentials**)

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-1c23dba2ab7ab93e1daf7ace5769d2231522f425%2Fkeycloak-13.png?alt=media" alt="images/keycloak-13.png"><figcaption></figcaption></figure>

6. Enter the discovery URL, replacing `mondomaine` with your Keycloak host and `monrealms` with your realm name: <http://mondomaine/realms/monrealms/.well-known/openid-configuration>.

* Click on **Add**
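
A check you can run on the discovery document before entering its URL, as an added example that is not part of the plugin or of Keycloak: it verifies that the issuer matches the realm URL, that every endpoint uses https and lives under the realm, and that the document offers the standard (authorization code) flow and client-secret authentication. The host `sso.example.org` and the sample document are constructed.

```python
# Sanity-check a Keycloak OIDC discovery document before pasting its URL into the
# GLPI Oauth SSO plugin. Added example; not part of the plugin's own code.
import json
from urllib.parse import urlsplit

# Endpoints the plugin needs for the authorization-code ("standard") flow with a
# confidential client ("client authentication" enabled on the Keycloak client).
REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")
SECRET_AUTH = ("client_secret_basic", "client_secret_post")

def check_discovery(base_url, realm, doc, require_https=True):
    """Return a list of problems; empty means `doc` is consistent with realm
    `realm` hosted at `base_url` (e.g. https://sso.example.org, a made-up host)."""
    problems = []
    expected_issuer = f"{base_url.rstrip('/')}/realms/{realm}"
    issuer = doc.get("issuer", "")
    # Every ID token's `iss` claim must equal this value, so a wrong realm name
    # or host in the plugin configuration breaks every login.
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")
    for key in REQUIRED:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
            continue
        if require_https and urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
        if not url.startswith(expected_issuer + "/"):
            problems.append(f"{key} is outside the realm: {url}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("standard (authorization code) flow not offered")
    if not set(SECRET_AUTH) & set(doc.get("token_endpoint_auth_methods_supported", [])):
        problems.append("token endpoint does not accept a client secret")
    return problems

# Constructed sample shaped like Keycloak's real discovery output (host is made up).
SAMPLE_DOC = json.loads("""{
  "issuer": "https://sso.example.org/realms/GLPI",
  "authorization_endpoint": "https://sso.example.org/realms/GLPI/protocol/openid-connect/auth",
  "token_endpoint": "https://sso.example.org/realms/GLPI/protocol/openid-connect/token",
  "userinfo_endpoint": "https://sso.example.org/realms/GLPI/protocol/openid-connect/userinfo",
  "jwks_uri": "https://sso.example.org/realms/GLPI/protocol/openid-connect/certs",
  "response_types_supported": ["code", "none", "id_token", "token", "id_token token"],
  "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post"]
}""")

if __name__ == "__main__":
    print(check_discovery("https://sso.example.org", "GLPI", SAMPLE_DOC))  # []
    # A realm typo in the plugin config (glpi vs GLPI) fails the issuer and endpoint checks.
    print(check_discovery("https://sso.example.org", "glpi", SAMPLE_DOC))
```

To check a real realm, download your own discovery URL (curl or a browser), parse it with `json.loads`, and pass it in place of `SAMPLE_DOC`.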

Back in the plugin, you should then see the confirmation message:

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-67db1780c0a04094cb6e1311ebfd3b12127f24cc%2Fkeycloak-14.png?alt=media" alt="images/keycloak-14.png"><figcaption></figcaption></figure>

Now that configuration is complete, you can test the connection with the user you created earlier, or with your LDAP user.

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-9cba8ed46a4c458c8097b880c59c0ecae043b2c6%2Fkeycloak-15.png?alt=media" alt="images/keycloak-15.png"><figcaption></figcaption></figure>

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-566c4d8d887604965282e52d892bfb15850ef0fc%2Fkeycloak-16.png?alt=media" alt="images/keycloak-16.png"><figcaption></figcaption></figure>

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-f62cbd6ee026f7608f714a75f580366a61b0a61e%2Fkeycloak-17.png?alt=media" alt="images/keycloak-17.png"><figcaption></figcaption></figure>

***

## Rules for assigning authorisations

Remember that Oauth SSO authentication allows **only authentication**, in the sense that no user management is carried out following authentication.

In most cases, it will therefore be necessary to establish rules for assigning authorisations to your users (to give them a profile, for example).

* To do this, go to **Administration > Rules > Rules for assigning authorisations to a user**.

There are no 'mandatory' rules; it's up to you to create the rule(s) that best suit your needs according to the criteria available to you.

For example, a very simple rule:

* *I want my users with SSO authentication to obtain the Self-Service profile*.

So I set my criteria and my action:

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-a9bfeee51db5d9ee9ba45c67a4b38af124660af8%2Foauhtsso-7.png?alt=media" alt="images/oauhtsso-7.png"><figcaption></figcaption></figure>

***

## Forcing SSO authentication

Using the Oauth SSO application configuration (**Setup > Oauth SSO applications > Setup**), you can hide the internal database login form to **force** users to log in through your SSO application.

<figure><img src="https://3573604317-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuUCcURk2xlvtpVGbiRZf%2Fuploads%2Fgit-blob-75aa2a23908e3900e802b5b701d7468bd6ca4af9%2Foauth-Entra-11.png?alt=media" alt="images/oauth-Entra-11.png"><figcaption></figcaption></figure>

***

## Resources

* [Oauth SSO client for GLPI documentation](https://services.glpi-network.com/documentation/1731/file/README.md)
* [Microsoft documentation: Configure your App Service or Azure Functions app to use Microsoft Entra sign-in](https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad?tabs=workforce-tenant)
* [Okta documentation: Configure single sign-on options](https://help.okta.com/oie/en-us/content/topics/apps/apps_overview_of_managing_apps_and_sso.htm)
* [Keycloak documentation: Managing OpenID Connect clients](https://www.keycloak.org/docs/latest/server_admin/#_oidc_clients)

***

## FAQ

If you have any questions about using the plugin, please consult our FAQ.

<a href="https://app.gitbook.com/s/SvoJ3lioglS2UZLcWWyP/plugins/authentication-and-sso" class="button secondary">Go to FAQ</a>
