Google

Add a new SAML Application on GLPI

First of all, you need to add a SAML application on GLPI because we need to report some information on GLPI <-> Entra/Google.

  • In Setup > SAML SSO Applications, click on + Add

  • Give a name to your application

  • Click on is active

  • Click on Save

Add GLPI app

Add an app in Google

  • Connect to your Google portal

  • Click on Apps

  • Cick on Web and mobile apps

  • Then, click on Add app

  • And Add custom SAML app

create app Google
  • Name your application

  • Click on Continue

give a name to your app
  • Click on Save on GLPI.

Setup the Identity Provider

  • Enter the values as shown in the 2 screenshots below

IDP info Google report the values in GLPI

Astuce

Copy/paste the content of the certificate in GLPI with the tags —BEGIN CERTIFICATE— —END CERTIFICATE—

Setup the Service Provider

  • In Service provider details, report the values from GLPI to Google :

Service provider info GLPI Report the values form GLPI
  • From Google, select EMAIL in Name ID format

  • In Name ID, select Basic information > Primary email

  • From GLPI, select Email Address in NAMEID FORMAT

In SP certificate and SP Private Key, copy/paste your certificate in place of those already present. There are no strict requirements for these certificates, other than that they are valid X509 certificates.

setup the values
  • Click on Continue

  • Then Finish

Your app is now created

Your app is now created

Security

For a production instance, in GLPI, you must activate the Strict option in setup plugin SAML.

We advise you to activate JIT user creation. This will allow the rules you create from JIT Rules to be applied.

options for security

Avertissement

For the plugin to authenticate a user, the field must contain a valid UPN formatted as an email. This behaviour can lead to duplicate entries in GLPI when users leave Ldap. This is an important detail because some users who leave Active directory in certain scenarios still use the usersam account name (old netbui names) as the UPN in entra. As a result, the nameId field in the samlResponse will not be populated with a valid email address. The username field is used because the email field is not guaranteed to be unique in GLPI and it is essential that a unique identifier is used to allow authorisation of a specific GLPI user.

Add users allowed to use SAML

SAML needs users/groups to be added so that they are authorised to use authentication.

  • On your appl, click on Viex details tab in User access

  • Click on On for everyone

  • Click on Save

Allow users to use app

Mapping

If you wish to add additional information to your profile, you can use Attributes. Your profile will be populated with the information entered in Entra.

  • In you app, click on Configure SAML attribute mapping in SAML attribute mapping

  • Copy the URL of the one of the other claim

  • Add informations that you want

  • Click on Save

add attributes for Google Allow users to use app

Rules for assigning authorisations

It will be necessary to establish rules for assigning authorisations to your users (to give them a profile, for example).

To do this, go to Administration > Rules > GLPI SAML - Saml import rules or by the button JIT Rules directly in the plugin

A hard limitation in the current plugin is that the rules can only be bound to the “email” condition. We are planning to allow binding it to additional SamlClaims, currently it only allows the value communicated via the nameId property or emailaddress claim.

For example, you want your users with SAML authentication to obtain the Self-Service profile.

You would set your criteria and action as shown here:

Sources

Microsoft Entra : https://learn.microsoft.com/en-us/entra/architecture/auth-saml

Google : https://support.google.com/a/answer/6087519?hl=en

Creative Commons License