Category: GLPI Network


Setup oauth (SSO) authentication



In this article, we will see how to to setup oauth (SSO) authentication to allows automatic authentication and import users from external services.

Currently connects via:

Plugin Oauthsso Installation


This plugin is available on the Marketplace in your GLPI Network Ckoud Instance.

  • Go in Setup > Plugins ( > Marketplace if display is not by default )
  • Install Oauthsso


Plugin configuration


This plugin uses the External authentications feature of GLPI. To be functionnal, it needs to be configured.

  • Go in Setup > Authentication > Others authentication methods
  • In Other authentication sent in the HTTP request section
  • Field storage of the login in the HTTP request should be defined, HTTP_AUTH_USER most of the time
  • Remove the domain of logins like login@domain should be set to No

Users who want authenticate will not be known by GLPI, so it's could be interesting to setup some fields to create them with a little bit of information.

For example:

  • Surname : givenName
  • First Name: familyName
  • Email : email
  • language : language



The field "Remove the domain of logins like login@domain" must be set to "No" to avoid illegitimate authentications !


For Google suite, if you have an email like username@domain and the option set to Yes, the imported user in GLPI will have name username.

If an external person try to connect with email like username@anotherdomain, it will authenticated in GLPI like it would be the first email.


  • Save your setup


Now, you need to enable Automatically add users from an external authentication source

  • Go in Setup > Authentication > Setup
  • Set Automatically add users from an external authentication source to Yes



Oauth SSO authentication configuration


Now, the plugin is ready to use.


  • Go in Setup > oauth SSO applications
  • By clicking on ace196eb-71844724-5ffda09d20a5f2.52686726, you will add a new Oauth SSO application
  • Choose your provider

The fields to be completed may change depending the provider !

  • Go to the top of this article for documentation from the different provider




When the provider is enabled, you will see the new GLPI login page !





Authorizations assignment rules


Most of the time, you will need to establish some rules to manage users after authentication, especially Authorizations assignment rules.

To create rules for users, you will need to go in Administration > Rules > Authorizations assignment rules menu.

There is no mandatory rules, you could create all rules you want to meets your need.



For example: I need to assign Self-Service Profile on my users.

Remember that we enabled an option above to avoid illegitimate authentication ! This parameter, in practice, will keep the domain in the User ID field. The users will therefore be registered in GLPI like this: login@mydomain.

This can therefore become a criteria of my rule because @mydomain is a common denominator of all my users.



Now, i can establish an action formy rule. Here, i want to assign Self-Service profile.







Google specificity

This provider requires to enable Google+ API before providing any user details (like given name or emails)


Google oauth service also supports multiple emails in their response.
Like above, you can also fill additional fields in Setup > Authentication > Others authentication methods:

  • Email 2: email2
  • Email 3: email3
  • Email 4: email4


Candidates for future providers



Writer: TECLIB
Created on 2020-02-18 15:58
Last update on 2021-04-08 11:09
This item is part of the FAQ