Category: GLPI Network

Subject

Setup oauth (SSO) authentication

Content


In this article, we will see how to set up oauth (SSO) authentication to allow automatic authentication and the import of users from external services.

Currently connects via:

Plugin Oauthsso Installation

This plugin is available on the Marketplace in your GLPI Network Cloud instance.

  • Go to Setup > Plugins (then > Marketplace if it is not displayed by default)
  • Install Oauthsso

Plugin configuration

This plugin uses the External authentications feature of GLPI. To be functional, it needs to be configured.

  • Go to Setup > Authentication > Others authentication methods
  • Find the section Other authentication sent in the HTTP request
  • Define Field storage of the login in the HTTP request; the value is HTTP_AUTH_USER most of the time
  • Set Remove the domain of logins like login@domain to No

Users who want to authenticate will not yet be known to GLPI, so it can be useful to map some fields so that they are created with a little information.

For example:

  • Surname : givenName
  • First Name: familyName
  • Email : email
  • language : language

WARNING

The field "Remove the domain of logins like login@domain" must be set to "No" to avoid illegitimate authentications!

Example:

For Google suite, if you have an email like username@domain and the option is set to Yes, the imported user in GLPI will have the name username.

If an external person tries to connect with an email like username@anotherdomain, they will be authenticated in GLPI as if they were using the first email.
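The collision this warning describes, as an added example (not code from GLPI or the Oauthsso plugin): a small Python model that derives the stored login for each identity and reports identities that end up sharing one login. The function names, the sample identities and the assumption that stripping drops everything from the first @ belong to this example only.

```python
from collections import defaultdict


def derived_login(identity: str, strip_domain: bool) -> str:
    """Model of the login stored in GLPI for an identity sent by the provider.

    Assumption: with "Remove the domain of logins like login@domain" set to
    Yes, everything from the first '@' is dropped, as in the article's example.
    """
    if strip_domain and "@" in identity:
        return identity.split("@", 1)[0]
    return identity


def find_collisions(identities, strip_domain: bool) -> dict:
    """Return {login: sorted identities} for logins shared by 2+ identities."""
    by_login = defaultdict(set)
    for identity in identities:
        by_login[derived_login(identity, strip_domain)].add(identity)
    return {
        login: sorted(ids)
        for login, ids in by_login.items()
        if len(ids) > 1
    }


# Constructed sample identities, using the placeholder domains from the article.
SAMPLE = [
    "username@domain",
    "username@anotherdomain",
    "alice@domain",
]

if __name__ == "__main__":
    for setting in (True, False):
        label = "Yes" if setting else "No"
        print(f"Remove the domain = {label}: {find_collisions(SAMPLE, setting)}")
```

Running the same check over an export of the identities your provider can issue shows which accounts would merge if the option were ever switched to Yes.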

 

  • Save your setup

Now, you need to enable Automatically add users from an external authentication source:

  • Go to Setup > Authentication > Setup
  • Set Automatically add users from an external authentication source to Yes

Oauth SSO authentication configuration

Now, the plugin is ready to use.

  • Go to Setup > oauth SSO applications
  • Add a new Oauth SSO application
  • Choose your provider

The fields to be completed may change depending on the provider!

  • Go to the top of this article for documentation from the different providers

When the provider is enabled, you will see the new GLPI login page!

Authorizations assignment rules

Most of the time, you will need to establish some rules to manage users after authentication, especially Authorizations assignment rules.

To create rules for users, go to the Administration > Rules > Authorizations assignment rules menu.

No rule is mandatory; you can create whatever rules meet your needs.

For example: I need to assign the Self-Service profile to my users.

Remember that we set an option above to avoid illegitimate authentication! In practice, this parameter keeps the domain in the User ID field. The users will therefore be registered in GLPI like this: login@mydomain.

This can therefore become a criterion of my rule, because @mydomain is a common denominator of all my users.

Now, I can establish an action for my rule. Here, I want to assign the Self-Service profile.

Google specificity

This provider requires the Google+ API to be enabled before it provides any user details (like given name or emails).

See https://console.developers.google.com/apis/api/plus.googleapis.com/overview.

The Google oauth service also supports multiple emails in its response.
As above, you can fill in additional fields in Setup > Authentication > Others authentication methods:

  • Email 2: email2
  • Email 3: email3
  • Email 4: email4

 

Candidates for future providers

See:

 

Writer: TECLIB
Created on 2020-02-18 15:58
Last update on 2021-04-08 11:09
This item is part of the FAQ