# Oauth SSO client for GLPI
![Login small pics](https://services.glpi-network.com/documentation/1731/download_file/main/docs/screenshots/login_small.png)
This plugins allows user login and import from external services.
Currently connect to:
* [Google](https://developers.google.com/identity/sign-in/web/sign-in)
* [Facebook](https://developers.facebook.com/apps/)
* [Github](https://github.com/settings/developers)
* [Amazon](https://developer.amazon.com/fr/blogs/appstore/post/Tx3NJ8243NI3ONM/announcing-login-with-amazon-an-authentication-service-to-securely-connect-with-amazon-customers)
* [Azure active Directory](https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad)
* [Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols)
* [Gitlab](https://docs.gitlab.com/ee/api/oauth2.html)
* [Keycloak](https://www.keycloak.org/docs/latest/server_admin/#_oidc_clients)
* [Okta](https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_OIDC.htm)
* [OpenIDConnect](https://openid.net/connect/)
## Setup
### Configure SSO fields
The plugin uses the external authentication feature of GLPI.
So in order to be functional, it needs some setup.
Set the fields in `Setup > Authentication > Others authentication methods` like this screenshot:
![external auth setup](https://services.glpi-network.com/documentation/1731/download_file/main/docs/screenshots/ext_auth.png)
In resume, mandatory setting:
- `Field storage of the login in the HTTP request`: must be set (no matter the value)
Optionally, if you want to import unknown users you can also set:
- Surname: `givenName`
- First name: `familyName`
- Email: `email`
- Language: `language`
Also, you need to enable this import behavior of GLPI.
See in `Setup > Authentication > Setup`, the `Automatically add users from an external authentication source` field.
**WARNING**
The field 'Remove the domain of logins like login@domain' shoud be set to 'No'.
Example for google suite, if you have an email like `username@domain` and the option set to yes, the imported user in GLPI will be name `username`.
If an external person try to connect with an email like `username@antoherdomain`, it will authenticated to GLPI like it was the first email.
### Enable a login provider
The process is pretty the same for each source:
- Register an external application on service provider management console;
- Create an item in `Setup > Dropdowns > Oauth SSO applications` using `id` and `secret` of your provider application;
- Copy callback url from the plugin configuration and fill it in the console (GLPI will be called back after login on provider);
- For some providers, you need to restrict usage of Oauth api to allowed url. The filtering may also be managed by the callback url.
## Import from oauth plugin
If you previously used the `oauth` plugin, the installation process will transform its configuration into `Oauth SSO applications` automatically.
You just have to remove the old `oauth` plugin directory from your server.
## Candidates for future providers
See:
* http://oauth2-client.thephpleague.com/providers/league/
* http://oauth2-client.thephpleague.com/providers/thirdparty/
## Screenshots
![Login page](https://services.glpi-network.com/documentation/1731/download_file/main/docs/screenshots/login.png)
![Configuration page](https://services.glpi-network.com/documentation/1731/download_file/main/docs/screenshots/config.png)
[[toc]]