Entra
Add a new SAML Application on GLPI
First of all, you need to add a SAML application on GLPI, because some values have to be copied back and forth between GLPI and Entra (or Google).
In Setup > SAML SSO Applications, click on + Add
Give a name to your application
Click on is active
Click on Save
For Entra, in the Transit tab, select:
Compress requests
Compress responses
Add an app in Entra
Connect to your Entra portal
Click on Enterprise Applications
And + New application
In the search bar, enter saml toolkit
Click on Microsoft Entra SAML Toolkit
Optional: you can rename this app
Click on Create
When the application is created:
Go to Single sign-on
Click on SAML
Setup the app
In the first section, click on Edit
Copy the values as follows
Setup the Service Provider
In SP certificate and SP Private Key, copy/paste your certificate in place of those already present. There are no strict requirements for these certificates, other than that they are valid X509 certificates.
Setup the Identity Provider
In the third section of the Entra app, click on Download next to Certificate (Base64)
Open this certificate with Notepad++ (or another tool that can read this type of certificate)
Copy the full content of the certificate into GLPI, including the BEGIN CERTIFICATE / END CERTIFICATE lines
Paste the certificate in Identity provider > X509 certificate
Then fill in the fields as follows, using the information from the fourth section:
Tip
It is advisable to use none as the REQ AUTHN CONTEXT
Security
For a production instance, you must activate the Strict option.
We advise you to activate JIT user creation. This will allow the rules you create in JIT Rules to be applied.
Warning
For the plugin to authenticate a user, the NameID field must contain a valid UPN formatted as an email address. This behaviour can lead to duplicate entries in GLPI when users leave LDAP. This is an important detail because, in certain scenarios, some users who leave Active Directory still use the sAMAccountName (the old NetBIOS-style name) as the UPN in Entra. As a result, the NameID field in the SAMLResponse will not be populated with a valid email address. The username field is used because the email field is not guaranteed to be unique in GLPI, and a unique identifier is essential to authorise a specific GLPI user.
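One way to catch the case described in this warning before it creates duplicates is to inspect the SAMLResponse from a test login and check the NameID shape. The Python below is an added example, not part of the plugin; the SAMLResponse it parses is constructed and deliberately carries a sAMAccountName-style value, and the regular expression is a simple email-shape check, not a full RFC validator.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in a SAMLResponse / Assertion
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Simple shape check for an email-formatted UPN (user@domain.tld)
EMAIL_UPN = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: NameID carries a legacy sAMAccountName-style value
# instead of an email-formatted UPN, the exact situation the warning describes.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def extract_name_id(xml_text: str) -> tuple:
    """Return (value, format) of the assertion's NameID, or ('', '') if absent."""
    root = ET.fromstring(xml_text)
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None:
        return "", ""
    return (node.text or "").strip(), node.get("Format", "")


def check_name_id(xml_text: str) -> dict:
    """Classify the NameID so an admin can spot accounts GLPI will not match to a unique user."""
    value, fmt = extract_name_id(xml_text)
    result = {"name_id": value, "format": fmt, "ok": False, "reason": ""}
    if not value:
        result["reason"] = "no NameID in assertion"
    elif "@" not in value:
        result["reason"] = "looks like a sAMAccountName (legacy NetBIOS-style login), not an email UPN"
    elif not EMAIL_UPN.match(value):
        result["reason"] = "contains '@' but is not a well-formed email UPN"
    else:
        result["ok"] = True
        result["reason"] = "email-formatted UPN; GLPI can match it to a unique user"
    return result


if __name__ == "__main__":
    print(check_name_id(SAMPLE_RESPONSE))
```

Accounts reported with the sAMAccountName reason should have their UPN corrected in Entra before JIT user creation is enabled, otherwise each such login creates a GLPI user that does not match the existing LDAP one.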
Add users allowed to use SAML
SAML requires users/groups to be assigned to the application so that they are authorised to authenticate.
Click on the Users and groups tab
Click on + Add user/group
Select all the required users and groups
Click on Assign
Mapping
If you wish to add additional information to your profile, you can use Attributes & Claims. Your profile will be populated with the information entered in Entra.
In Single sign on, click on Edit
Copy the URL of one of the other claims
Click on + Add new claim
Select a name
Paste the URL you have just copied in Namespace
Select Attribute
Search for the value you want in Source attribute
Save your modifications
Repeat this step for all the desired values
Sources
Microsoft Entra: https://learn.microsoft.com/en-us/entra/architecture/auth-saml