# Authentication and SSO

***

### How do I set up OAuth SSO with Apple?

To use SSO with Apple from GLPI, you can follow this [procedure](https://app.gitbook.com/s/uUCcURk2xlvtpVGbiRZf/plugin-glpi-network/oauthsso). Access to the Apple developer console is required. You will also need to download the OAuth SSO plugin available on the marketplace.

***

### How do I set up OAuth SSO with Entra?

To use SSO with Entra from GLPI, you can follow this [procedure](https://app.gitbook.com/s/uUCcURk2xlvtpVGbiRZf/plugin-glpi-network/oauthsso#entra). Access to the Microsoft 365 Tenant is required. You will also need to download the OAuth SSO plugin available on the marketplace.

***

### How do I set up OAuth SSO with OKTA?

To use SSO with OKTA from GLPI, you can follow this [procedure](https://app.gitbook.com/s/uUCcURk2xlvtpVGbiRZf/plugin-glpi-network/oauthsso#okta). You will need admin access to OKTA. You will also need to download the OAuth SSO plugin available on the marketplace.

***

### How do I configure OAuth SSO with Google?

To use SSO with Google from GLPI, you can follow this [procedure](https://app.gitbook.com/s/uUCcURk2xlvtpVGbiRZf/plugin-glpi-network/oauthsso#google). You will need admin access to your Google Tenant. You will also need to download the OAuth SSO plugin available on the marketplace.

***

### How do I set up OAuth SSO with Keycloak?

To use SSO with Keycloak from GLPI, you can follow this [procedure](https://app.gitbook.com/s/uUCcURk2xlvtpVGbiRZf/plugin-glpi-network/oauthsso#keycloak). You will need admin access to Keycloak. You will also need to download the OAuth SSO plugin available on the marketplace.

***

### Why doesn't OAuth SSO work, or why has it stopped working?

There are several possible reasons for this problem:

* the secret has expired,
* the password for the account obtaining SSO authorization has expired,
* you have requested a URL change and the provider-side application has not been modified.

To check what's causing the problem, you can activate debug mode, which will point you in the right direction. You can follow this [procedure](https://app.gitbook.com/s/sGALtnzA2IROeldmXKt5/authentication/activate_sso) to help with setup.

***

### Can I merge my AD and SSO users?

Yes, under certain conditions. It is possible in **`administration`** > **`authentication`** > **`Other authentication methods`** to set the option **`remove the domain of logins like login@domain`** to **`Yes`**. This action carries a risk depending on how your SSO application is set up on the provider side.

!!! Danger **If you allow SSO access to external tenants**, identity theft becomes possible. For example, I log on with <john.doe@mondomaine.com>. Generally speaking, you can't have two identical logins on the same tenant: if you have a namesake in the company, the logins will be different. On the other hand, if a namesake from outside the tenant, such as <john.doe@gmail.com>, logs in, he or she will be able to impersonate you, because both logins are reduced to `john.doe` once the domain is removed. This option should therefore be limited to SSO applications that use a single tenant.
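The check below is an added example, not part of the GLPI documentation or the plugin's code: a Python audit to run over an exported list of identities that sign in through the SSO application, before setting the option to **`Yes`**. The input list, `TRUSTED_DOMAINS` and the function names are assumptions for illustration, and `strip_domain` only approximates what the option does.

```python
from collections import defaultdict

# Assumption: the only domain(s) that belong to your own tenant.
TRUSTED_DOMAINS = {"mondomaine.com"}


def strip_domain(identity: str) -> str:
    """Approximate the option's effect: 'login@domain' becomes 'login'."""
    return identity.strip().lower().partition("@")[0]


def find_collisions(identities):
    """Return stripped logins that more than one distinct identity maps to."""
    by_login = defaultdict(set)
    for identity in identities:
        by_login[strip_domain(identity)].add(identity.strip().lower())
    return {login: sorted(ids) for login, ids in by_login.items() if len(ids) > 1}


def untrusted_identities(identities, trusted=TRUSTED_DOMAINS):
    """Return identities whose domain is missing or outside the tenant's domains."""
    result = []
    for identity in identities:
        domain = identity.strip().lower().partition("@")[2]
        if domain not in trusted:
            result.append(identity.strip().lower())
    return result


def safe_to_strip(identities, trusted=TRUSTED_DOMAINS):
    """Stripping is only safe when every identity is in-tenant and none collide."""
    return not untrusted_identities(identities, trusted) and not find_collisions(identities)


# Constructed sample data: identities seen by a multi-tenant SSO application.
SAMPLE = [
    "john.doe@mondomaine.com",
    "john.doe@gmail.com",
    "jane.roe@mondomaine.com",
    "Jane.Roe@partner.example",
]

if __name__ == "__main__":
    for login, ids in find_collisions(SAMPLE).items():
        print(f"collision on '{login}': {', '.join(ids)}")
    print("outside tenant:", untrusted_identities(SAMPLE))
    print("safe to strip domains:", safe_to_strip(SAMPLE))
```

Any collision or out-of-tenant identity in the output means the SSO application accepts more than one tenant, which is the case the warning above says the option must not be used for.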

***

### Which providers can I use with SSO?

Here is the list of providers currently available:

* **Amazon**
* **Microsoft Entra**
* **Facebook**
* **GitHub**
* **GitLab**
* **Google**
* **Keycloak**
* **OKTA**
* **Apple**
* **OpenID Connect**

***

### Can I display SSO authentication only on the home page?

Yes. From your SSO application, click on **`setup`** at the top of the screen. Then click on **`hide standard login form`**. It will still be possible to connect with an internal account by clicking on **`standard login`**.

***

### Why do I get a message telling me my password is empty?

This can happen when you use V2 of the OAuth SSO plugin. Setting up **`claims`** and **`API permissions`** is necessary for the plugin to work properly. You can follow this [article](https://glpi-plugins.readthedocs.io/en/latest/oauthsso/entra.html#claims) to set up your application.

***

### Why do I get an error message telling me that I don't have access rights to the application?

This happens when the authorisation rules have not been set up. In fact, once authentication has been successfully completed, GLPI checks that you have an assigned authorisation. GLPI also checks that a rule has been set up to assign you one automatically. If this is not the case, access to GLPI will be denied. To set up these authorisation rules, please refer to this [article](https://glpi-plugins.readthedocs.io/en/latest/oauthsso/index.html) to help you configure them.

***

### Why are some user record fields overwritten after authentication with OAuth SSO?

This can happen if your OAuth SSO authentication source is also the provisioning source. If the option **`Fetch information from user profile`** (available from **`Setup`** > **`Oauth SSO applications`**) is set to **`No`**, OAuth SSO will not retrieve information from user records. If you wish to retrieve user information, change this option to **`Yes`** and make sure that the fields in **`Setup`** > **`Authentication`** > **`Other authentication methods`** and the claims of your OAuth SSO application are filled in (more information [here](https://glpi-plugins.readthedocs.io/en/latest/oauthsso/index.html)).

If, on the other hand, you have an external provisioning source such as SCIM, and the **`Fetch information from user profile`** option is set to **`Yes`**, OAuth SSO will overwrite the current information and replace it with the information entered in **`Setup`** > **`Authentication`** > **`Other authentication methods`**. We therefore recommend that you set this option to **`No`** if you have an external provider (more information [here](https://glpi-plugins.readthedocs.io/en/latest/oauthsso/index.html)).

***

### Does SSO enable provisioning?

No, SSO is only a means of connection and does not provision users upstream. To do this, you need to use the [SCIM plugin](https://app.gitbook.com/s/uUCcURk2xlvtpVGbiRZf/plugin-glpi-network/scim).

***

### How do I apply rules to an SSO connection?

To apply rules to an SSO connection, you need to choose one of the following criteria:

* **`Authentication type is External Authentications`**

or

* **`Email contains @mydomain.com`**
