IdP Configuration - DonutsNL/glpisaml GitHub Wiki
Multiple IDP support
Each configured identity provider is shown with its own button on the default GLPI login page. This allows GLPISAML to support multiple identity providers being configured at the same time, so you can provide SSO access for multiple customers using multiple identity sources. Be aware that Azure Entra guest access via trusted tenants is currently not supported and will trigger an error message.
Adding a new IDP
First you need to have the Setup => setup::read and Setup => setup::update permissions assigned to your active profile. GLPI does not currently provide an easy way to add tailored permissions. As a workaround, the create, delete and purge permissions are currently linked to the setup::update permission.
If the plugin is installed and activated successfully, the Plugins => SAML ID Providers menu button should become available. Navigate to the SAML ID Providers menu and click the Add [ + ] button.
Pressing the Add [ + ] button creates a new, prepopulated configuration. The values come from PLUGIN_ROOT/src/Config/ConfigDefaultTpl.php. The default prefilled configuration passes all sanity checks, but its details and certificates must not be used in production environments.
SAML settings
Most of the configuration settings map directly to the settings of the OneLogin php-saml toolkit. More information about these options can be found in the SAML Toolkits php-saml repository: https://github.com/SAML-Toolkits/php-saml. If you want this information without visiting the repository, simply enable the debug toggle and save the config. This shows the same contextual information about the various configuration options in the configuration screen. Be sure to disable the debug option once you are finished.
Login icon
The login icon configuration takes one of the free Font Awesome icons. GLPI ships with the free Font Awesome kit by default. You can browse the icons here: https://fontawesome.com/search?m=free&o=r. Enter the icon's CSS class (the value of class="...") to point to the icon you want. This icon is shown in the login button on the login screen. For example, fa-solid fa-face-smile was used for the second button.
Is active
With the default template, any new configuration is disabled by default and will not show up on the login page. This allows you to populate the configuration with the correct details before making it available for use. If there is an issue you can always disable an IdP using this option. Disabling the config removes its button from the login page.
Default service provider certificates
Do not use the provided 'withlove.from.donuts.nl' certificates in any production environment. If you don't have any certificates, use the provided https://github.com/DonutsNL/glpisaml/blob/main/tests/generateCert.sh to generate new ones. Make sure to remove the generated files from your environment afterwards. You might also need to import the public certificate into your IDP manually, because we don't yet provide a metadata service.
Assertion Consumer Service URL
The IDP needs an assertion consumer service URL where the SamlResponse body will be posted. The default ACS URL is: GLPI_ROOT/marketplace/glpisaml/front/acs.php.
IDP Logoff URL
The logoff functionality is not yet implemented. If a URL is required, use the GLPI base URL as a placeholder.
IDP Meta service provider
The metadata service provider URL is not yet implemented. We might add metadata support in the future. Currently you need to provide the certificate and metadata to your IDP manually.
Proxy settings
If your GLPI instance is behind a proxy you need to toggle the 'Proxied' configuration option. This instructs the php-saml toolkit to look at the X_FORWARDED headers when validating the source of the SamlResponse. Be aware that this does not rewrite the URL scheme (https on the outside, http between the proxy and GLPI, https again on the outside). If the scheme between your proxy and GLPI is http while the external URL scheme is https, the strict configuration option will cause validation errors. The best solution is to use https internally as well (this is always the best practice). We do not recommend disabling the strict option in production environments. For additional information about the proxy and strict settings see the php-saml documentation: https://github.com/SAML-Toolkits/php-saml
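The following is an added, simplified model of the strict Destination check described above; it is not the plugin's or the php-saml toolkit's code. It assumes (as stated above) that 'Proxied' only substitutes the forwarded host and port, that the scheme still comes from the local HTTPS flag, and that strict mode compares the SAMLResponse Destination with the URL GLPI reconstructs for itself; the server variables and hostnames are constructed sample data.

```python
# Constructed sample: the ACS URL registered at the IdP. The IdP copies it into
# the Destination attribute of the SAMLResponse it posts back to GLPI.
ACS_URL = "https://glpi.example.org/marketplace/glpisaml/front/acs.php"

def self_url(server, proxied):
    """Rebuild the URL GLPI believes it was called on.
    Simplified model (assumption): forwarded host/port are honoured only when
    'Proxied' is on; the scheme is still taken from the local HTTPS flag, so
    HTTP_X_FORWARDED_PROTO is deliberately ignored here."""
    scheme = "https" if server.get("HTTPS", "off") != "off" else "http"
    host = server["SERVER_NAME"]
    port = int(server.get("SERVER_PORT", 80))
    if proxied:
        host = server.get("HTTP_X_FORWARDED_HOST", host)
        port = int(server.get("HTTP_X_FORWARDED_PORT", port))
    default_port = 443 if scheme == "https" else 80
    netloc = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{netloc}{server['SCRIPT_NAME']}"

def destination_ok(destination, server, proxied, strict=True):
    """Strict mode: Destination must equal the URL the SP computes for itself.
    With strict off the check is skipped entirely (not recommended in production)."""
    if not strict:
        return True
    return destination == self_url(server, proxied)

# Constructed server variables: TLS terminates on the proxy, GLPI is reached over http.
BEHIND_PROXY_HTTP = {
    "HTTPS": "off", "SERVER_NAME": "glpi-internal", "SERVER_PORT": "80",
    "HTTP_X_FORWARDED_HOST": "glpi.example.org", "HTTP_X_FORWARDED_PORT": "443",
    "HTTP_X_FORWARDED_PROTO": "https",
    "SCRIPT_NAME": "/marketplace/glpisaml/front/acs.php",
}
# Same deployment after enabling https between the proxy and GLPI (the recommended fix).
BEHIND_PROXY_HTTPS = dict(BEHIND_PROXY_HTTP, HTTPS="on", SERVER_PORT="443")

if __name__ == "__main__":
    for label, server in (("http internally", BEHIND_PROXY_HTTP), ("https internally", BEHIND_PROXY_HTTPS)):
        for proxied in (False, True):
            print(f"{label:17} proxied={proxied!s:5} self={self_url(server, proxied)}"
                  f" strict_ok={destination_ok(ACS_URL, server, proxied)}")
```

Run it to see that 'Proxied' alone still leaves an http:// self URL that fails the strict comparison, while switching the internal leg to https makes the Destination match.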
Enforced (not yet implemented)
The enforced option is a placeholder and not yet implemented. This feature is still under consideration. If implemented in the future, the enforce option will make the plugin replace the default login page with a page that only allows SSO login, effectively disabling the default GLPI (local) login and preventing brute-force login attempts. In Derrick's implementation we were considering a configurable bypass key that would allow administrative access using the default GLPI login; because the key cannot be guessed by an attacker, brute-force login attacks would still be prevented.
Userdomain (not yet implemented)
The userdomain option is a placeholder. This configuration option will be used in the future to 'capture' the user domain from the default username login prompt. If the domain matches the IDP, the plugin will trigger the SAML login. This acts as a replacement for the login buttons. The issue with login buttons is that, by design, they reveal information about the linked IDPs or serviced customers, information that you might want to keep 'secret' from the broader public. If implemented, configuring this property should hide the default login button. Login is then a matter of providing a username with the configured domain, e.g. username: username@idp_enabled_domain.tld. With the enforced option enabled, the replacement login screen will only show a 'username' field.