# SAML

## Requirements (self-hosted)

| GLPI Version | Minimum PHP | Recommended |
| ------------ | ----------- | ----------- |
| 10.0.x       | 8.1         | 8.2         |

{% hint style="info" %}
This plugin is available without a [GLPI Network](https://services.glpi-network.com/#offers) subscription. It is also available on [GLPI Cloud](https://glpi-network.cloud).
{% endhint %}

{% hint style="info" %}
**We recommend using the** [OAuth SSO](/doc-plugins/plugin-glpi-network/oauthsso.md) **and** [SCIM](/doc-plugins/plugin-glpi-network/scim.md) **plugins, which are officially supported by the publisher, if you need autologin or user provisioning.**

Use this plugin if the SAML protocol is mandatory for your organization.
{% endhint %}

{% hint style="warning" %}
You need admin access to the Entra/Google console to set up the application.
{% endhint %}

***

## Download the plugin

* From the marketplace (**Setup > Plugins**), download the **GLPI SAML** plugin

![Download the plugin](/files/FpvEy8JoN9EBWbY3lz6a)

***

## Entra

### Add a new SAML Application on GLPI

First of all, you need to add a SAML application in GLPI, because some values have to be exchanged between GLPI and Entra/Google.

* In **Setup** > **SAML SSO Applications**, click on **+ Add**
* Give a **name** to your application
* Click on **is active**
* Click on **Save**

![Add GLPI app](/files/Y8XtSgIlKgB8vSRcjtjj)

* For Entra, in the **Transit** tab, select:
  * Compress requests
  * Compress responses

![Setup the transit](/files/gQG9ok4elaxdpMnY15Ki)

### Add an app in Entra

* Connect to your [Entra portal](https://portal.azure.com/#home)
* Click on **Enterprise Applications**
* Then click on **+ New application**
* In the search bar, enter **saml toolkit**
* Click on **Microsoft Entra SAML Toolkit**

![create app entra](/files/S1ayUD1ew3N6yg6Hq1AS)

* Optional: you can rename this app
* Click on **Create**

When the application is created:

* Go to **Single sign-on**
* Click on SAML

![create SAM app entra](/files/VhGLjy9El7BWby2ngoWF)

### Setup the app

* In the first section, click on **Edit**
* Copy the values as shown below

![Report the values in entra](/files/Maf8w9avkJLfYYjKPeTw)

![See the values in GLPI](/files/3l7fyaW7FU33aWjqIPkT)

### Setup the Service Provider

In **SP certificate** and **SP Private Key**, paste your own certificate and private key in place of those already present. There are no strict requirements for this certificate other than that it is a valid X.509 certificate.

![setup the values](/files/SbwOxMNQJESNpZoY6OEC)

### Setup the Identity Provider

* In the third section of the Entra app, click on **Download** next to **Certificate (Base64)**

![Download certificate](/files/pj3Xa40mlkL7gEb7AKJz)

* **Open** this certificate with Notepad++ (or another tool that can read this type of certificate)
* **Copy** the full content of the certificate, including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines
* **Paste** the certificate in **Identity provider** > **X509 certificate**
* Then fill in the fields as shown below with the information from the fourth section:

![Paste certificate and setup the values](/files/sqUMGNebRq7czOXd8mQ6)

![setup the values](/files/YX5ZXPqoqR7TpBMvZdlP)

{% hint style="info" %}
It is advisable to use **none** as the **REQ AUTHN CONTEXT**
{% endhint %}

### Security

For a production instance, you must activate the **Strict** option.

We advise you to activate **JIT user creation**. This will allow the rules you create from JIT Rules to be applied.

![options for security](/files/KaHQbYlmKZLgnqI98qTd)

{% hint style="warning" %}
For the plugin to authenticate a user, the NameID field must contain a **valid UPN** formatted **as an email**. This behaviour can lead to duplicate entries in GLPI when users leave LDAP. This is an important detail because, in certain scenarios, users who leave Active Directory still use the sAMAccountName (the old NetBIOS-style name) as the UPN in Entra. As a result, the NameID field in the SAMLResponse will not be populated with a valid email address. The username field is used because the email field is not guaranteed to be unique in GLPI, and a unique identifier is essential to authorise a specific GLPI user.
{% endhint %}

### Add users allowed to use SAML

Users or groups must be assigned to the application before they are authorised to authenticate through it.

* Click on the **Users and groups** tab
* Click on **+ Add user/group**
* Select all the users and groups required
* Click on **Assign**

![add user allowed](/files/mtHcZHmTUtDabvPerzQy)

### Mapping

If you wish to add additional information to your profile, you can use Attributes & Claims. Your profile will be populated with the information entered in Entra.

* In **Single sign on**, click on **Edit**
* Copy the namespace URL from one of the existing claims

![Copy the URL schema](/files/IEQSLmNxYCMT8n66mxI1)

* Click on **+ Add new claim**
* Select a name
* Paste the URL you've just copied in **Namespace**
* Select **Attribute**
* Search the value that you want in the **Source attribute**
* Save your modification
* Repeat this step for all the desired values

![add claims in Entra](/files/HjqEH8bATPnGDcZgjaEh)

![see claims in Entra](/files/pECYZHqiMMUZrMqqjREe)

### Rules for assigning authorisations

It will be necessary to establish rules for assigning authorisations to your users (to give them a profile, for example).

To do this, go to **Administration** > **Rules** > **GLPI SAML - Saml import rules**, or click the **JIT Rules** button directly in the plugin.

![add rule](/files/MNn6k4OpOCES1CjYlcs6)

A hard limitation of the current plugin is that rules can only be bound to the 'email' criterion, that is, the value communicated via the NameID property or the emailaddress claim. Binding rules to additional SAML claims is planned.

For example, suppose you want all users who authenticate through SAML to obtain the Self-Service profile.

You would set your criteria and action as shown here:

![example rule: criteria and action](/files/90Z9Z7XCqeVNjyJk2eyx)

### Sources

Microsoft Entra : <https://learn.microsoft.com/en-us/entra/architecture/auth-saml>

Google : <https://support.google.com/a/answer/6087519?hl=en>

***

## Google

### Add a new SAML Application on GLPI

First of all, you need to add a SAML application in GLPI, because some values have to be exchanged between GLPI and Entra/Google.

* In **Setup** > **SAML SSO Applications**, click on **+ Add**
* Give a **name** to your application
* Click on **is active**
* Click on **Save**

![Add GLPI app](/files/Y8XtSgIlKgB8vSRcjtjj)

### Add an app in Google

* Connect to your [Google portal](https://accounts.google.com/)
* Click on **Apps**
* Click on **Web and mobile apps**
* Then, click on **Add app**
* And **Add custom SAML app**

![create app Google](/files/YkiYeyVlG7EhDHZFsTsv)

* Name your application
* Click on **Continue**

![give a name to your app](/files/3IfvVcaVLwXngBcvmRIn)

* Click on **Save** on GLPI.

### Setup the Identity Provider

* Enter the values as shown in the 2 screenshots below

![IDP info Google](/files/tpFP3altsM66qPJmQqVq)

![report the values in GLPI](/files/4E7w5ntgYyHpXY6pC3vX)

{% hint style="info" %}
Copy/paste the full content of the certificate into GLPI, including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines.
{% endhint %}
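The hint above, and the matching **Setup the Identity Provider** step in the Entra section, both tell you to paste the IdP certificate into GLPI with its BEGIN/END tags. The following Python script is an added example, not part of the plugin or of this documentation: it checks that a pasted string carries the tags, decodes it, refuses a private key pasted by mistake, and re-wraps a certificate whose line breaks were lost while copying. The certificate bytes are constructed (not a real IdP certificate) and the function names are the example's own.

```python
"""Sanity-check a certificate pasted into the GLPI 'X509 certificate' field.

Added example, not part of the GLPI SAML plugin. The DER bytes below are
constructed for the demonstration; they are not a real certificate.
"""
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed DER: an ASN.1 SEQUENCE (tag 0x30) with dummy content, just
# enough to exercise the checks. A real IdP certificate is a few KB.
CONSTRUCTED_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x05, 0x00, 0x00])
# ssl.DER_cert_to_PEM_cert adds the BEGIN/END tags and 64-column wrapping,
# which is exactly the shape GLPI expects you to paste.
CONSTRUCTED_PEM = ssl.DER_cert_to_PEM_cert(CONSTRUCTED_DER)


def normalize_pasted_pem(pasted):
    """Re-wrap a PEM body at 64 columns.

    Some tools join the base64 lines when copying; this restores the
    canonical layout. Text without both tags is returned unchanged.
    """
    text = pasted.strip()
    start, end = text.find(PEM_HEADER), text.find(PEM_FOOTER)
    if start < 0 or end < 0 or end < start:
        return text
    body = "".join(text[start + len(PEM_HEADER):end].split())
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def check_pem_certificate(pasted):
    """Return (ok, message) for a string pasted into the certificate field."""
    text = pasted.strip()
    if "PRIVATE KEY" in text:
        # The IdP field must hold the IdP's public certificate only.
        return False, "this is a private key, not a certificate"
    if not text.startswith(PEM_HEADER) or not text.endswith(PEM_FOOTER):
        return False, f"missing {PEM_HEADER} / {PEM_FOOTER} tags"
    try:
        # Strips the tags and base64-decodes the body; raises on bad input.
        der = ssl.PEM_cert_to_DER_cert(text)
    except ValueError as exc:
        return False, f"not valid PEM: {exc}"
    # Every DER certificate is an ASN.1 SEQUENCE, whose first byte is 0x30.
    if not der or der[0] != 0x30:
        return False, "decoded bytes do not look like a DER certificate"
    return True, f"looks like a certificate ({len(der)} DER bytes)"


if __name__ == "__main__":
    print(check_pem_certificate(CONSTRUCTED_PEM))
    joined = CONSTRUCTED_PEM.replace("\n", "")          # line breaks lost
    print(check_pem_certificate(normalize_pasted_pem(joined)))
    print(check_pem_certificate("-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----"))
```

Run it against the text you are about to paste; a failure on the tag or DER check means the download or the copy step went wrong, and the SAML login will fail with a signature error later, which is harder to diagnose.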

### Setup the Service Provider

* In **Service provider details**, copy the values from GLPI into Google:

![Service provider info GLPI](/files/B3W1UqRlln2zULqjJ5OZ)

![Report the values from GLPI](/files/MxIcldEPzxJC48K6TLX9)

* From Google, select **EMAIL** in **Name ID format**
* In **Name ID**, select **Basic information > Primary email**
* From GLPI, select **Email Address** in **NAMEID FORMAT**

In **SP certificate** and **SP Private Key**, paste your own certificate and private key in place of those already present. There are no strict requirements for this certificate other than that it is a valid X.509 certificate.

![setup the values](/files/SbwOxMNQJESNpZoY6OEC)

* Click on **Continue**
* Then **Finish**

Your app is now created.

![Your app is now created](/files/Fa60LPPy9MkEtiZJhkPB)

### Security

For a production instance, you must activate the **Strict** option in the SAML plugin setup in GLPI.

We advise you to activate **JIT user creation**. This will allow the rules you create from JIT Rules to be applied.

![options for security](/files/KaHQbYlmKZLgnqI98qTd)

{% hint style="warning" %}
For the plugin to authenticate a user, the NameID field must contain a **valid UPN** formatted **as an email**. This behaviour can lead to duplicate entries in GLPI when users leave LDAP. This is an important detail because, in certain scenarios, users who leave Active Directory still use the sAMAccountName (the old NetBIOS-style name) as the UPN in Entra. As a result, the NameID field in the SAMLResponse will not be populated with a valid email address. The username field is used because the email field is not guaranteed to be unique in GLPI, and a unique identifier is essential to authorise a specific GLPI user.
{% endhint %}

### Add users allowed to use SAML

Users or groups must be given access to the application before they are authorised to authenticate through it.

* On your app, click on **View details** in **User access**
* Click on **On for everyone**
* Click on **Save**

![Allow users to use app](/files/NAuOolrX3qCN3eDUOEp0)

### Mapping

If you wish to add additional information to your profile, you can use Attributes. Your profile will be populated with the information entered in Google.

* In your app, click on **Configure SAML attribute mapping** in **SAML attribute mapping**
* Copy the URL from one of the other claims
* Add the attributes you want
* Click on **Save**

![add attributes for Google](/files/JfgcmXCERgxL9KQouB2m)

![Allow users to use app](/files/RAhV9gnv104X49UFJ6dq)

### Rules for assigning authorisations

It will be necessary to establish rules for assigning authorisations to your users (to give them a profile, for example).

To do this, go to **Administration** > **Rules** > **GLPI SAML - Saml import rules**, or click the **JIT Rules** button directly in the plugin.

![add rule](/files/MNn6k4OpOCES1CjYlcs6)

A hard limitation of the current plugin is that rules can only be bound to the 'email' criterion, that is, the value communicated via the NameID property or the emailaddress claim. Binding rules to additional SAML claims is planned.

For example, suppose you want all users who authenticate through SAML to obtain the Self-Service profile.

You would set your criteria and action as shown here:

![example rule: criteria and action](/files/90Z9Z7XCqeVNjyJk2eyx)
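The following Python script is an added example that is not part of the plugin or of this page; it applies equally to the Entra section above. It shows concretely what the **Security** warning, the **Mapping** section and the rule described here amount to: it parses a constructed SAMLResponse, checks that the NameID is email-shaped (a sAMAccountName-style value is flagged, since that is the case the warning describes), collects the attribute claims by name, and applies an email-bound rule that assigns the Self-Service profile. The response, the rule and the function names are constructed for the example; the `emailaddress` claim URI is the standard WS-Federation one that Entra emits.

```python
"""Inspect a SAMLResponse the way an administrator checking a GLPI SAML
setup would: NameID shape, attribute claims, and an email-bound JIT rule.

Added example, not plugin code. The response, the rule and the function
names below are constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Standard WS-Federation claim URI that Entra uses for the email claim.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# Deliberately simple: the point is "looks like an address", not RFC 5322.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed response (not captured from a real tenant). Signature,
# Issuer and Conditions are omitted: validating those is the plugin's
# job; this example only looks at the NameID and the attributes.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Return the NameID, its Format and a {claim name: [values]} dict."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else "",
        "name_id_format": name_id.get("Format", "") if name_id is not None else "",
        "attributes": attrs,
    }


def check_name_id(parsed):
    """List the reasons the plugin would not accept this NameID (empty = OK)."""
    problems = []
    nid = parsed["name_id"]
    if not nid:
        problems.append("NameID missing")
    elif not EMAIL_RE.match(nid):
        # A bare sAMAccountName or DOMAIN\user lands here: the user will
        # not map to a GLPI account by email.
        problems.append(f"NameID {nid!r} is not email-shaped (sAMAccountName-style UPN?)")
    if parsed["name_id_format"] != EMAIL_FORMAT:
        problems.append(f"NameID Format is {parsed['name_id_format']!r}, expected emailAddress")
    return problems


# Constructed JIT rule, equivalent to the one shown in this guide:
# criterion on the email, action = assign the Self-Service profile.
JIT_RULES = [{"email_regex": r"@example\.com$", "profile": "Self-Service"}]


def apply_jit_rules(email, rules=JIT_RULES):
    """First matching rule wins; None means no profile gets assigned."""
    for rule in rules:
        if re.search(rule["email_regex"], email):
            return rule["profile"]
    return None


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    print("NameID:", parsed["name_id"], check_name_id(parsed) or "(OK)")
    print("claims:", parsed["attributes"])
    print("profile:", apply_jit_rules(parsed["name_id"]))
```

If `check_name_id` reports a problem for a real response (captured with your browser's developer tools, base64-decoded), the user's UPN in the identity provider is not an email address, which is exactly the situation the warning above describes: fix the UPN on the IdP side rather than adding a second GLPI account.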

### Sources

Microsoft Entra : <https://learn.microsoft.com/en-us/entra/architecture/auth-saml>

Google : <https://support.google.com/a/answer/6087519?hl=en>

