Authentication and SSO#
How do I setup Oauth SSO with Entra?#
To use SSO with Entra from GLPI, you can follow this procedure Access to the Microsoft 365 Tenant is required. You will also need to download the Oauth SSO plugin available on the marketplace.
How do I setup Oauth SSO with OKTA?#
To use SSO with OKTA from GLPI, you can follow this procedure You will need admin access to OKTA. You will also need to download the Oauth SSO plugin available on the marketplace.
How do I configure OAuth SSO with Google?#
To use SSO with Google from GLPI, you can follow this procedure You will need admin access to your Google Tenant. You will also need to download the OAuth SSO plugin available on the marketplace
How do I setup Oauth SSO with Keycloak?#
To use SSO with Keycloak from GLPI, you can follow this procedure You will need admin access to Keycloak. You will also need to download the Oauth SSO plugin available on the marketplace.
Why doesn't Oauth SSO work/no longer?#
There are several possible reasons for this problem:
- the secret has expired,
- the password for the account obtaining SSO authorization has expired,
- you have requested a URL change and the provider-side application has not been modified.
To check what's causing the problem, you can activate the debug mode, which will point you in the right direction. You can follow this procedure to help with Setup
Can I merge my AD and SSO users?#
Yes, under certain conditions.
It is possible in
administration
>
authentication
>
Other authentication methods
to set the option remove the domain of logins like login@domain
to Yes
. This action carries a risk depending on how your SSO application is set up on the provider side.
Danger
If you allow SSO access to external tenants, it is possible that identity theft could occur. For example, I log on with john.doe@mondomaine.com. Generally speaking, you can't have 2 identicals logins on the same tenant. If you have a homonym in the company, the logins will be different. On the other hand, if a namesake from outside the tenant, such as john.doe@gmail.com, logs in, he or she will be able to impersonate you. This option should therefore be limited to SSO applications that use a single tenant.
Which providers can I use with SSO?#
Here is the list of providers currently available:
Can I display SSO authentication only on the home page?#
Yes. From your SSO application, click on setup
at the top of the screen. Then click on hide standard login form
.
It will still be possible to connect with an internal account by clicking on standard login
.
Why do I get a message telling me my password is empty?#
This can happen when you use V2 of the Oauth SSO plugin. Setting up claims
and API permissions
is necessary for the plugin to work properly.
You can follow this article to set up your application.
Why do I get an error message telling me that I don't have access rights to the application?#
This happens when the authorisation rules have not been set up. In fact, once authentication has been successfully completed, GLPI checks that you have an assigned authorisation. GLPI also checks that a rule has been set up to assign you one automatically. If this is not the case, access to GLPI will be denied. To set up these authorisation rules, please refer to this article to help you configure them.
Why are some user record fields overwritten after authentication with OAuth SSO?#
This can happen if your OAuth SSO authentication source is also the provisioning source. If the option Fetch information from user profile
(available from
Setup
>
Oauth SSO applications
) is set to No
, Oauth SSO will not retrieve information from user records. If you wish to retrieve user information, change this option to Yes
and make sure that the fields in
Setup
>
Authentifcation
> Other authentication methods
and the claims of your OAuth SSO application are filled in (more information here).
If, on the other hand, you have an external provisioning source such as SCIM, and the Fetch information from user profile
option is set to Yes
, OAuth SSO will overwrite the current information and replace it with the information entered in
Setup
>
Authentication
> Other authentication methods
. We therefore recommend that you set this option to No
if you have an external provider (more information here).
Does SSO enable provisioning?#
No, SSO is only a means of connection and does not provision users upstream. To do this, you need to use the [SCIM] plugin (../04_Plugins/SCIM.md).