GLPI Network

# Oauth SSO client for GLPI

![Login small pics](https://services.glpi-network.com/documentation/1731/download_file/main/docs/screenshots/login_small.png)

This plugins allows user login and import from external services.

Currently connect to:

 * [Google](https://developers.google.com/identity/sign-in/web/sign-in)
 * [Facebook](https://developers.facebook.com/apps/)
 * [Github](https://github.com/settings/developers)
 * [Amazon](https://developer.amazon.com/fr/blogs/appstore/post/Tx3NJ8243NI3ONM/announcing-login-with-amazon-an-authentication-service-to-securely-connect-with-amazon-customers)
 * [Azure active Directory](https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad)
 * [Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols)
 * [Gitlab](https://docs.gitlab.com/ee/api/oauth2.html)
 * [Keycloak](https://www.keycloak.org/docs/latest/server_admin/#_oidc_clients)
 * [Okta](https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_OIDC.htm)
 * [OpenIDConnect](https://openid.net/connect/)

## Setup

### Configure SSO fields

The plugin uses the external authentication feature of GLPI.
So in order to be functional, it needs some setup.

Set the fields in `Setup > Authentication > Others authentication methods` like this screenshot:

![external auth setup](https://services.glpi-network.com/documentation/1731/download_file/main/docs/screenshots/ext_auth.png)

In resume, mandatory setting:

- `Field storage of the login in the HTTP request`: must be set (no matter the value)

Optionally, if you want to import unknown users you can also set:

- Surname: `givenName`
- First name: `familyName`
- Email: `email`
- Language: `language`

Also, you need to enable this import behavior of GLPI.
See in `Setup > Authentication > Setup`, the `Automatically add users from an external authentication source` field.

**WARNING**

The field 'Remove the domain of logins like login@domain' shoud be set to 'No'.
Example for google suite, if you have an email like `username@domain` and the option set to yes, the imported user in GLPI will be name `username`.
If an external person try to connect with an email like `username@antoherdomain`, it will authenticated to GLPI like it was the first email.

### Enable a login provider

The process is pretty the same for each source:
- Register an external application on service provider management console;
- Create an item in `Setup > Dropdowns > Oauth SSO applications` using `id` and `secret` of your provider application;
- Copy callback url from the plugin configuration and fill it in the console (GLPI will be called back after login on provider);
- For some providers, you need to restrict usage of Oauth api to allowed url. The filtering may also be managed by the callback url.

## Import from oauth plugin

If you previously used the `oauth` plugin, the installation process will transform its configuration into `Oauth SSO applications` automatically.
You just have to remove the old `oauth` plugin directory from your server.

## Candidates for future providers

See:

* http://oauth2-client.thephpleague.com/providers/league/
* http://oauth2-client.thephpleague.com/providers/thirdparty/

## Screenshots

![Login page](https://services.glpi-network.com/documentation/1731/download_file/main/docs/screenshots/login.png)
![Configuration page](https://services.glpi-network.com/documentation/1731/download_file/main/docs/screenshots/config.png)

[[toc]]