SAML

Requirements (on-premise)

GLPI Version   Minimum PHP   Recommended
10.0.x         8.1           8.2

This plugin is available without a GLPI Network subscription. It is also available on GLPI Cloud.

We recommend using the OAuth SSO and SCIM plugins, which are officially supported by the publisher, if you need autologin or user provisioning.

But we suggest using this plugin if the SAML protocol is mandatory for your organization.

Download the plugin

  • From the marketplace (Setup > Plugins), download the GLPI SAML plugin

images/download-plugin.png

Entra

Add a new SAML Application on GLPI

First of all, you need to add a SAML application in GLPI, because several values have to be copied back and forth between GLPI and Entra/Google.

  • In Setup > SAML SSO Applications, click on + Add

  • Give a name to your application

  • Click on is active

  • Click on Save

Add GLPI app
  • For Entra, in the Transit tab, select:

    • Compress requests

    • Compress responses

Setup the transit

Add an app in Entra

  • Connect to your Entra portal

  • Click on Enterprise applications

  • And + New application

  • In the search bar, enter saml toolkit

  • Click on Microsoft Entra SAML Toolkit

create app entra
  • Optional: you can rename this app

  • Click on Create

When the application is created:

  • Go to Single sign-on

  • Click on SAML

create SAM app entra

Setup the app

  • In the first section, click on Edit

  • Copy the values as follows

Report the values in entra
See the values in GLPI

Setup the Service Provider

In SP certificate and SP Private Key, copy/paste your certificate and its private key in place of those already present. There are no strict requirements for these certificates, other than that they are valid X509 certificates; the private key must be the one matching the certificate.

setup the values

Setup the Identity Provider

  • In the third section of the Entra app, click on Download next to Certificate (Base64)

Download certificate
  • Open this certificate with Notepad++ (or another tool that can read this type of certificate)

  • Copy the content of the certificate into GLPI, including the BEGIN/END tags

  • Paste the certificate in Identity provider > X509 certificate

  • Then fill in the fields as follows with the information from the fourth section:

Paste certificate and setup the values
setup the values

It is advisable to use none as the REQ AUTHN CONTEXT.

Security

For a production instance, you must activate the Strict option.

We advise you to activate JIT user creation. This will allow the rules you create from JIT Rules to be applied.

options for security

Add users allowed to use SAML

Users and groups must be assigned to the application so that they are authorised to authenticate through it.

  • Click on the Users and groups tab

  • Click on + Add user/group

  • Select all the users and groups required

  • Click on Assign

add user allowed

Mapping

If you wish to add additional information to your profile, you can use Attributes & Claims. Your profile will be populated with the information entered in Entra.

  • In Single sign on, click on Edit

  • Copy the namespace URL of one of the other claims

Copy the URL schema
  • Click on + Add new claim

  • Select a name

  • Paste the URL you've just copied in Namespace

  • Select Attribute

  • Search the value that you want in the Source attribute

  • Save your modification

  • Repeat this step for all the desired values

add claims in Entra
see claims in Entra

Rules for assigning authorisations

It will be necessary to establish rules for assigning authorisations to your users (to give them a profile, for example).

To do this, go to Administration > Rules > GLPI SAML - Saml import rules, or use the JIT Rules button directly in the plugin.

add rule

A hard limitation in the current plugin is that the rules can only be bound to the 'email' condition. We are planning to allow binding it to additional SAML claims; currently it only allows the value communicated via the nameId property or the emailaddress claim.

For example, you want your users with SAML authentication to obtain the Self-Service profile.

You would set your criteria and action as shown here:

manage cable type

Sources

Microsoft Entra : https://learn.microsoft.com/en-us/entra/architecture/auth-saml

Google : https://support.google.com/a/answer/6087519?hl=en

Google

Add a new SAML Application on GLPI

First of all, you need to add a SAML application in GLPI, because several values have to be copied back and forth between GLPI and Entra/Google.

  • In Setup > SAML SSO Applications, click on + Add

  • Give a name to your application

  • Click on is active

  • Click on Save

Add GLPI app

Add an app in Google

  • Connect to your Google portal

  • Click on Apps

  • Click on Web and mobile apps

  • Then, click on Add app

  • And Add custom SAML app

create app Google
  • Name your application

  • Click on Continue

give a name to your app
  • Click on Save on GLPI.

Setup the Identity Provider

  • Enter the values as shown in the two screenshots below

IDP info Google
report the values in GLPI

Copy/paste the content of the certificate into GLPI, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags.
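The certificate must be pasted with its BEGIN/END tags, both here and in the Entra section above. The helper below is an added example (not part of the plugin or of this guide): it takes whatever was copied from the IdP download, with or without the tags, with Windows line endings or a bare base64 body, and returns one clean PEM block, refusing anything that is not base64 or does not decode to a DER SEQUENCE (the outer structure of every X.509 certificate). The sample input is a constructed five-byte DER stand-in, not a real certificate.

```python
import base64
import re
import textwrap

# Markers GLPI expects around the pasted IdP certificate (PEM uses five hyphens).
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-in: a DER SEQUENCE containing INTEGER 1. It is NOT a certificate;
# it only has the outer shape the checker looks at. Real input is the IdP download.
SAMPLE_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()  # "MAMCAQE="


def normalize_certificate(pasted: str) -> str:
    """Return the pasted certificate as one PEM block with 64-column lines.

    Accepts a full PEM block, a block with CRLF line endings or stray spaces,
    markers typed with the wrong number of dashes, or just the base64 body.
    Raises ValueError when the body is not base64 or is not DER-encoded ASN.1.
    """
    text = pasted.replace("\r", "").strip()
    # Drop BEGIN/END marker lines however many dashes they were typed with.
    marker = re.compile(r"^-+\s*(BEGIN|END) CERTIFICATE\s*-+$")
    body = "".join(
        line.strip() for line in text.split("\n") if not marker.match(line.strip())
    )
    if not body or not re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
        raise ValueError("certificate body is not base64")
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:
        raise ValueError("certificate body is not valid base64") from exc
    # An X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE (not an X.509 certificate)")
    wrapped = textwrap.wrap(base64.b64encode(der).decode(), 64)
    return "\n".join([BEGIN, *wrapped, END]) + "\n"


if __name__ == "__main__":
    # Same certificate copied three different ways; all normalize to the same block.
    for raw in (
        SAMPLE_BODY,
        f"---BEGIN CERTIFICATE---\r\n{SAMPLE_BODY}\r\n---END CERTIFICATE---\r\n",
        f"{BEGIN}\n{SAMPLE_BODY}\n{END}",
    ):
        print(normalize_certificate(raw))
```

Run the output through your usual tooling (for example `openssl x509 -noout -text`) before pasting it into GLPI; the helper only checks the container, not the certificate's validity or its match with the IdP metadata.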

Setup the Service Provider

  • In Service provider details, copy the values from GLPI into Google:

Service provider info GLPI
Report the values from GLPI
  • From Google, select EMAIL in Name ID format

  • In Name ID, select Basic information > Primary email

  • From GLPI, select Email Address in NAMEID FORMAT

In SP certificate and SP Private Key, copy/paste your certificate and its private key in place of those already present. There are no strict requirements for these certificates, other than that they are valid X509 certificates; the private key must be the one matching the certificate.

setup the values
  • Click on Continue

  • Then Finish

Your app is now created

Security

For a production instance, in GLPI, you must activate the Strict option in the SAML plugin setup.

We advise you to activate JIT user creation. This will allow the rules you create from JIT Rules to be applied.

options for security

Add users allowed to use SAML

Users and groups must be allowed to use the application so that they are authorised to authenticate through it.

  • On your app, click on View details in User access

  • Click on On for everyone

  • Click on Save

Allow users to use app

Mapping

If you wish to add additional information to your profile, you can use Attributes. Your profile will be populated with the information entered in Google.

  • In your app, click on Configure SAML attribute mapping under SAML attribute mapping

  • Copy the URL of one of the other claims

  • Add the attributes you want

  • Click on Save

add attributes for Google
Allow users to use app

Rules for assigning authorisations

It will be necessary to establish rules for assigning authorisations to your users (to give them a profile, for example).

To do this, go to Administration > Rules > GLPI SAML - Saml import rules, or use the JIT Rules button directly in the plugin.

add rule

A hard limitation in the current plugin is that the rules can only be bound to the 'email' condition. We are planning to allow binding it to additional SAML claims; currently it only allows the value communicated via the nameId property or the emailaddress claim.

For example, you want your users with SAML authentication to obtain the Self-Service profile.

You would set your criteria and action as shown here:

manage cable type
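Both the Entra and the Google sections end with the same point: the JIT rules only see the e-mail address, taken from the NameID or the emailaddress claim of the assertion. The script below is an added illustration (not the plugin's code) of what that means in practice: it reads a constructed sample assertion, pulls out the NameID and the attribute statement, and applies one rule of the kind described above, "users whose e-mail belongs to the organisation get the Self-Service profile". The claim name is the standard Entra emailaddress claim URL; that your tenant emits it, and the domain `example.org`, are assumptions of the example. Such a rule must only ever run on an assertion whose signature has already been verified.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard claim name Entra uses for the e-mail address (assumed to be what your tenant sends).
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample assertion, not captured from a real tenant: only the parts the
# rule engine can act on, the Subject NameID and the attribute statement.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed rule: (e-mail suffix criterion, profile to assign).
RULES = [("@example.org", "Self-Service")]


def extract_identity(assertion_xml: str):
    """Return (email, attributes) from an already signature-verified assertion.

    The e-mail is taken from the emailaddress claim when present, otherwise from
    the NameID; attributes is a dict of claim name -> list of values.
    """
    root = ET.fromstring(assertion_xml)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    name_id = root.find("saml:Subject/saml:NameID", NS)
    email = None
    if attributes.get(EMAIL_CLAIM):
        email = attributes[EMAIL_CLAIM][0]
    elif name_id is not None and name_id.text:
        email = name_id.text.strip()
    return email, attributes


def assign_profile(email, rules=RULES):
    """Apply the first rule whose e-mail suffix criterion matches; None if none does."""
    if not email:
        return None
    for suffix, profile in rules:
        if email.lower().endswith(suffix.lower()):
            return profile
    return None


if __name__ == "__main__":
    email, attributes = extract_identity(SAMPLE_ASSERTION)
    print("e-mail used by the rules:", email)
    print("other claims (not usable as rule criteria today):", attributes)
    print("profile assigned:", assign_profile(email))
```

The second print shows the limitation from the paragraph above: the display name and any other claim you mapped are available in the assertion, but only the e-mail value feeds the rule criteria.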

Sources

Microsoft Entra : https://learn.microsoft.com/en-us/entra/architecture/auth-saml

Google : https://support.google.com/a/answer/6087519?hl=en
