SCIM
Requirements (on-premise)
10.0.x    8.1    8.2
11.0.0    8.2    8.4
The SCIM API endpoint provided by the plugin must be accessible from the identity provider. For Azure or Okta, this URL must be reachable from the internet. We strongly suggest limiting the IP addresses that can access this URL (in addition to using a strong authentication method).
Password/SSO
Although it's mentioned in the SCIM specifications, password sync is not always available depending on the provider:
Azure: not available
Okta: available
Instead of pushing passwords, we strongly recommend that you use OAuth SSO to connect your users to GLPI
Install the plugin
From the marketplace, download the SCIM plugin

Setup GLPI
You must declare an identity server in the plugin configuration (you can add any number).
Go to your GLPI instance
Select Setup > SCIM Identity servers
Click + Add
Add a name
Select the admin account that can update your GLPI data
Click Activate
Select the Bearer method
Click + Add
You can now see the API URL

Make sure you paste the token (JWT token) to ensure your application works properly.
You'll be given an API URL you may paste into your identity provider configuration. Check the specific provider documentation for more details.
You may set some optional parameters:
Save requests in logs: if checked, all requests will be saved in the "Historical" tab of your declared server.
Default server: if checked, this server will be used by default without providing its ID in the API URL.
Security: a dropdown of available security methods. Currently implemented:
None: no security, anyone can access the API.
Basic: HTTP Basic authentication. You must provide a username and a password.
Digest: HTTP Digest authentication. You must provide a username and a password.
Bearer: HTTP Bearer authentication. A long-lived (10 years) JWT token will be generated.
OAuth2: OAuth2 authentication. You must provide at least a valid redirection URI. We support the following flows:
Authorization code.
Client credentials.
Your SCIM server is now ready to receive requests from your identity provider.
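An added example (not part of the plugin or its documentation) for auditing the long-lived Bearer token described above: it decodes a JWT's header and claims without verifying the signature and reports how long the token stays valid, so rotation can be planned. The `iat` and `exp` claim names are the standard JWT ones and are an assumption here, since this page does not list the claims in the generated token; the sample token and secret are constructed.

```python
import base64, hashlib, hmac, json

IAT = 1704067200  # constructed issue time: 2024-01-01 00:00:00 UTC

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(iat: int, exp: int, secret: bytes = b"constructed-secret") -> str:
    """Build a constructed HS256 token so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iat": iat, "exp": exp}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def inspect_bearer_token(token: str, now: int, max_days: int = 365) -> dict:
    """Decode (NOT verify) a compact JWT and report lifetime findings."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    findings = []
    if str(header.get("alg", "")).lower() == "none" or not parts[2]:
        findings.append("unsigned token")
    exp, iat = claims.get("exp"), claims.get("iat")
    days_left = None
    if exp is None:
        findings.append("no exp claim: token never expires")
    else:
        days_left = (exp - now) // 86400
        if days_left < 0:
            findings.append("token expired")
        elif days_left > max_days:
            findings.append(f"valid for {days_left} more days: schedule rotation")
    lifetime = (exp - iat) // 86400 if exp is not None and iat is not None else None
    return {"alg": header.get("alg"), "lifetime_days": lifetime,
            "days_left": days_left, "findings": findings}

if __name__ == "__main__":
    # A token issued for 3650 days (about 10 years), inspected 30 days later.
    token = make_sample_token(IAT, IAT + 3650 * 86400)
    print(inspect_bearer_token(token, now=IAT + 30 * 86400))
```

Because the signature is not checked, this is an inventory and rotation aid only; it says nothing about whether a token is genuine.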

Entra
References
Setup
Create application
Connect to your Azure portal
Click on Add
then Enterprise application.

Click on Create your application.
In the section that appears on the right, enter the name of your application and choose the 3rd option `Integrate any other application you don't find in the gallery`.

Setup the application
Once you've created your application, go to Provisioning.

Select Automatic.
Specify the URL generated earlier from GLPI and paste the token.
Make sure you paste the token (JWT token) to ensure your application works properly.

Click on Test connection. A message will appear informing you of the successful connection.

On the same page, you can also configure an email address and a number in case of failure or accidental deletions.

Click on Save
Synchronising all users
You can choose to synchronise your entire directory.
Go to the Settings > Scope tab and select Sync all users and groups.

Synchronising selected groups and users (default option)
You can choose to synchronise only certain groups and/or users. When refreshing the `Provisioning` page
Go to the Parameters > Scope tab
Select Synchronise assigned users and groups only

Then go to Users and groups
Click on Add a user/group
Click on No selection
Select the groups and users you want in the box on the right
Then Select and Assign.

Activate provisioning
In the Provisioning section
Change the status from Disabled to Enabled

Check synchronisation status
In the Overview section, you can check that synchronisation has been successful.

On the GLPI side, go to the Request log section of your SCIM plugin (Setup > SCIM identity servers) to check that the accounts are correctly synchronised.

See the procedure for setting up the OAuth SSO plugin to authenticate users on GLPI.
OKTA
References
Create application
From your OKTA portal
Click on Applications
And Create app integration

Select SWA - Secure Web Authentication

Add a name to your application
Add the URL of your GLPI instance (this will redirect your user to your GLPI if this application is available in the OKTA user portal)
Click Finish

Setup the application
Go back to General
Click Edit
Name the label
Select SCIM to activate the service
Click Save

To set up provisioning, you first need to set up GLPI. Refer to Setup GLPI to configure the API URL and JWT token.
Copy the API URL and the JWT token; you need to paste this information into OKTA.
Go back to your OKTA application
Paste the API URL
Select the Unique identifier field for users (name.familyName, phoneNumber, name.givenName, id, userName, email, etc.). This will be the method to authenticate the users.
Select the actions which can be supported
Select HTTP Header
Paste the JWT token
You need to paste the JWT token, not the secret

Click Test Connector Configuration

You can now close this window and save your configuration
Still in Provisioning, you can edit and select the possible actions for updating your user data.
We recommend unselecting Sync Password and using OAuth SSO to authenticate your users.

The last step is to assign your application to users
Synchronising all users
Go to admin console
Select Directory > Groups
Select Everyone
In Applications, click Assign applications
Click on assign on your SCIM application
Click Save and Go Back

Synchronising selected groups and users
Go to admin console
Select Directory > People
Select the User you want to import
In Applications, click Assign applications
Click on assign on your SCIM application
Click Save and Go Back
Repeat this step for all users and groups you want to import.
See the procedure for setting up the OAuth SSO plugin to authenticate users in GLPI.
FAQ
If you have any questions about using the plugin, please consult our FAQ