Entra

Add a new SAML Application on GLPI

First of all, you need to add a SAML application on GLPI because we need to report some information on GLPI <-> Entra/Google.

  • In Setup > SAML SSO Applications, click on + Add

  • Give a name to your application

  • Click on is active

  • Click on Save

Add GLPI app
  • For Entra, in Transit tab, select :

    • Compress requests

    • Compress responses

Setup the transit

Add an app in Entra

  • Connect to your Entra portal

  • Click on Entreprise Application

  • And + New application

  • In the search bar, enter saml toolkit

  • Click on Microsoft Entra SAML Toolkit

create app entra
  • Optionnal : You can rename this app

  • Click on Create

When the application is created :

  • Go to Single sign-on

  • Click on SAML

create SAM app entra

Setup the app

  • In the 1st insert, click on Edit

  • Copy the values as follows

Report the values in entra See the values in GLPI

Setup the Service Provider

In SP certificate and SP Private Key, copy/paste your certificate in place of those already present. There are no strict requirements for these certificates, other than that they are valid X509 certificates.

setup the values

Setup the Identity Provider

  • In the third insert of Entra app, click on Download from Certificate (Base64)

Download certificate
  • Open this certificate with notepad ++ (or other tool which can read this type of certificate)

  • Copy the content of the certificate in GLPI with the tags

  • Paste the certificate in Identity provider > X509 certificate

  • Then fill in the fields as follows withe the informations in the fourth insert :

Paste certificate and setup the values setup the values

Astuce

It is advisable to use none as the REQ AUTHN CONTEXT

Security

For a production instance, you must activate the Strict option.

We advise you to activate JIT user creation. This will allow the rules you create from JIT Rules to be applied.

options for security

Avertissement

For the plugin to authenticate a user, the field must contain a valid UPN formatted as an email. This behaviour can lead to duplicate entries in GLPI when users leave Ldap. This is an important detail because some users who leave Active directory in certain scenarios still use the usersam account name (old netbui names) as the UPN in entra. As a result, the nameId field in the samlResponse will not be populated with a valid email address. The username field is used because the email field is not guaranteed to be unique in GLPI and it is essential that a unique identifier is used to allow authorisation of a specific GLPI user.

Add users allowed to use SAML

SAML needs users/groups to be added so that they are authorised to use authentication.

  • Click on users and groups tab,

  • Click on + Add user/group

  • Select all the users and groups required

  • Click on Assign

add user allowed

Mapping

If you wish to add additional information to your profile, you can use Attributes & Claims. Your profile will be populated with the information entered in Entra.

  • In Single sign on, click on Edit

  • Copy the URL of the one of the other claim

Copy the URL schema
  • Click on + Add new claim

  • Select a name

  • Paste the URL you’ve just copied ine Namespace

  • Selct attribute

  • Search the value that you want in the Source attribute

  • Save your modification

  • Repeat this step for all the desired values

add claims in Entra see claims in Entra

Rules for assigning authorisations

It will be necessary to establish rules for assigning authorisations to your users (to give them a profile, for example).

To do this, go to Administration > Rules > GLPI SAML - Saml import rules or by the button JIT Rules directly in the plugin

A hard limitation in the current plugin is that the rules can only be bound to the “email” condition. We are planning to allow binding it to additional SamlClaims, currently it only allows the value communicated via the nameId property or emailaddress claim.

For example, you want your users with SAML authentication to obtain the Self-Service profile.

You would set your criteria and action as shown here:

Sources

Microsoft Entra : https://learn.microsoft.com/en-us/entra/architecture/auth-saml

Google : https://support.google.com/a/answer/6087519?hl=en

Creative Commons License