Skip to content
/ phpsaml Public
forked from derricksmith/phpsaml

GLPI Plugin - SAML integration using the Onelogin SAML Library

0 stars 24 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

pfhonore/phpsaml

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

89 Commits
css
css
 
 
front
front
 
 
inc
inc
 
 
install
install
 
 
js
js
 
 
lib
lib
 
 
.gitmodules
.gitmodules
 
 
README.md
README.md
 
 
hook.php
hook.php
 
 
phpsaml.xml
phpsaml.xml
 
 
setup.php
setup.php
 
 

Repository files navigation

GLPI SAML SSO AUTHENTICATION

This is a GLPI plugin that facilitates single sign on authentication with an identity provider using the SAML 2.0 protocol. This tool leverages the Onelogin PHP library. Tested with ADFS 2.0+ and Google IDP

Why SAML?

SAML is an XML-based standard for web browser single sign-on and is defined by the OASIS Security Services Technical Committee. The standard has been around since 2002, but lately it is becoming popular due its advantages:

  • Usability - One-click access from portals or intranets, deep linking, password elimination and automatically renewing sessions make life easier for the user.
  • Security - Based on strong digital signatures for authentication and integrity, SAML is a secure single sign-on protocol that the largest and most security conscious enterprises in the world rely on.
  • Speed - SAML is fast. One browser redirect is all it takes to securely sign a user into an application.
  • IT Friendly - SAML simplifies life for IT because it centralizes authentication, provides greater visibility and makes directory integration easier.
  • Opportunity - B2B cloud vendor should support SAML to facilitate the integration of their product.

Usage

Enter settings on the Plugin Page GLPI Settings Page

  • Plugin Enforced = Force SSO login or allow visitors to login using internal GLPI authentication (useful for testing).

  • Strict = PHPSAML setting rejects unsigned or unencrypted messages and follows SAML standard strictly, read more here

  • Debug = Logs to the GLPI PHP log

  • JIT = Just in Time Provisioning adds the authenticated user to GLPI if it does not already exist

  • SP Certificate = Your webserver certificate

  • SP Certificate Key = Your webserver certificate key

  • NameID = NameID required by your IdP

Name ID requirement

You can change the NameID that is sent from PHPSAML to the IdP or leave as unspecified. Unspecified will work in most cases but some IdPs expect a specific NameID format. Sending an incorrect NameID claim will result in a SAML Response error.

Azure AD

  1. Create a new enterprise application
  2. Enable SAML Authentication
  3. Configuration
  • Entity ID = {Your GLPI web server base URL}
  • Reply URL (Assertion Consumer Service URL) = {Your GLPI web server base URL}/plugins/phpsaml/front/acs.php

For Azure AD, the following NameID configuration is correct. You could also use user.mail as the Source Attribute. Azure AD NameID

Where to find IdP settings required for GLPI?

Azure AD Configuration

About

GLPI Plugin - SAML integration using the Onelogin SAML Library

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

5 tags

Packages

No packages published

Languages

  • PHP 94.9%
  • JavaScript 4.6%
  • CSS 0.5%