Google
Add a new SAML Application on GLPI
First of all, you need to add a SAML application in GLPI, because some values must be copied between GLPI and Entra/Google.
In Setup > SAML SSO Applications, click on + Add
Give a name to your application
Tick Is active
Click on Save
Add an app in Google
Connect to your Google portal
Click on Apps
Click on Web and mobile apps
Then, click on Add app
And Add custom SAML app
Name your application
Click on Continue
Click on Save on GLPI.
Setup the Identity Provider
Enter the values as shown in the 2 screenshots below
Tip
Copy/paste the content of the certificate into GLPI, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines
Setup the Service Provider
In Service provider details, copy the values from GLPI to Google:
In Google, select EMAIL as the Name ID format
In Name ID, select Basic information > Primary email
In GLPI, select Email Address in NAMEID FORMAT
In SP certificate and SP Private Key, copy/paste your certificate and private key in place of those already present. There are no strict requirements for these certificates, other than that they are valid X.509 certificates.
Click on Continue
Then Finish
Your app is now created
Security
For a production instance, you must activate the Strict option in the GLPI SAML plugin setup.
We advise you to activate JIT user creation. This allows the rules you create under JIT Rules to be applied.
Warning
For the plugin to authenticate a user, the NameID field must contain a valid UPN formatted as an email address. This behaviour can lead to duplicate entries in GLPI when users leave LDAP. This is an important detail because, in certain scenarios, some users who leave Active Directory still use the sAMAccountName (the old NetBIOS name) as the UPN in Entra. As a result, the NameID field in the SAMLResponse will not be populated with a valid email address. The username field is used because the email field is not guaranteed to be unique in GLPI, and it is essential that a unique identifier is used to allow authorisation of a specific GLPI user.
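The warning above is easiest to confirm on a decoded SAMLResponse: the Subject/NameID must use the emailAddress format and actually hold an email-shaped value, otherwise GLPI will not match the user. The following is an added checker (not part of the plugin or of this page) that runs over two constructed, unsigned sample responses; the element names and the two sample values are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used by a SAML 2.0 Response and the Assertion it carries.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# The NameID format GLPI expects when "Email Address" is selected.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Deliberately simple shape check: local-part@domain.tld, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_nameid(response_xml: str) -> dict:
    """Report whether the Subject/NameID of a decoded SAMLResponse is usable by GLPI."""
    root = ET.fromstring(response_xml)
    nameid = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is None:
        return {"present": False, "email_format": False, "email_value": False, "value": None}
    value = (nameid.text or "").strip()
    return {
        "present": True,
        "email_format": nameid.get("Format") == EMAIL_FORMAT,  # right Format attribute?
        "email_value": bool(EMAIL_RE.match(value)),            # value really an email?
        "value": value,
    }


# Constructed sample: minimal response whose NameID is a UPN-style email (the good case).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: same response, but the IdP sent a legacy sAMAccountName-style
# value as the UPN, which is exactly the situation the warning describes.
BAD_RESPONSE = GOOD_RESPONSE.replace("jane.doe@example.com", "CORP\\jdoe")

if __name__ == "__main__":
    for label, xml in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_nameid(xml))
```

A result with email_format True but email_value False is the duplicate-account case: the format is right but the value is not an address, so reconcile the UPN in the directory before enabling JIT creation.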
Add users allowed to use SAML
SAML needs users/groups to be added so that they are authorised to use this authentication.
On your app, click on View details in User access
Click on On for everyone
Click on Save
Mapping
If you wish to add additional information to your profile, you can use Attributes. Your profile will be populated with the information entered in Entra.
In your app, click on Configure SAML attribute mapping in SAML attribute mapping
Copy the URL of one of the other claims
Add the information that you want
Click on Save
Sources
Microsoft Entra: https://learn.microsoft.com/en-us/entra/architecture/auth-saml