Feature Request: SAML based authentication

[ygini]

Feature Request

Directory Service is dead, long live Directory Service!

Last RFC for LDAP was published in 1997. Few things has changed since this time… No one is stuck in an office nowadays, every single company want to be mobile.

Dolibarr is a web based application, this is a good start for the current world. However, user managed is local (no one will ever use a per app user database in SMB) or LDAP based (and no one use LDAP based app for modern IT infrastructure).

LDAP has been supplanted by SAML in 2017. It was a trend for a while but now it's the common standard.

Dolibarr need to review the user management and start support SAML.

SAML is based on third part identity provider and you can find a lot of them. Office 365 and Azure AD can be one, but also OneLogin, JumpCloud, VMware Identity Manager, Centrify, Google, etc.

Use case

IT (and more over end customer) want to use SAML to allow a centralized identity management without any kind of security issue linked to third part provided accessing a clear text password. Like LDAP in the past, this will save time regarding user management, will improve security by allowing central user creation and deactivation, and will also offer improved security layers for free.

Third part developer like Dolibarr just have to implement the SAML system once to support all provider (no need of distinction between AD, OpenLDAP, eDirectory, etc.) and all kind of security level.

For example, the SAML Identity Provider can decide to enforce 2 factor authentication depending of the current device accessing Dolibarr, without anything additional code on Dolibarr side.

If you need sample directory, take a look at JumpCloud free account.

[delcroip]

Is some working on it ? I can do an investigation but to be more efficient (avoid code retro engineering) I'd like to have the approach used by LDAP (how the user are created, updated .... ), is it available somewhere ?

Br

[delcroip]

It seems that there is some SAML-php library already developed, few example: https://simplesamlphp.org https://github.com/onelogin/php-saml

br

[delcroip]

I started with php-saml because it is a lot simpler to handle then simpleSAML :https://github.com/delcroip/dolibarr/tree/SAML Actually it seems not dificulte to integrate but the config will be tough and I am no sure it will be accessible to Dolibarr users. There is also the question of user provisioning, should I expect to have match between one of the SAML attribute and the userID or should I create the user based on the SAML attibutes (meaning that we best have the user group also in the SAML attributes to be able to assign some right after his first login or all users will have to start with default rights that could be change later on in Dolibarr)

[ygini]

@delcroip Don't worry about the SAML config, it will be easily done by people used to SAML. It's not for end user or IT wannabe. It's a feature usable by companies focused on IT security.

For information, if you've Office 365 for business or Google Suite, you've a SAML service built-in.

SAML setup is just a matter of:

• URL settings on both side (where to authenticate, where to redirect)
• certificate exchange
• agreement on claims to provide all user's info at login time

SAML is made for on-flight provisioning.

If you also want to implement modern pre-flight provisioning, you must use SCIM, not SAML.

But SCIM is less used, just-in-time account creation seems to be more interesting when using cloud service.

[fullmetalucard]

Hi there,

I would like to know If you have gone further with SAML2 integration in Dolibarr? I'm very interested in. Lots of web based application have it nowadays.

[delcroip]

I didn't work a lot on it because the auth part of dolibarr need to be reworked (there is no clear segregation of the code between the different methods) and it will be difficult to do the regression test.

[ibneazeez]

Dear All, Any update on this? this feature is required for bigger organizations if they want to adopt this beautiful software.

[kinanakel]

Dear All, Any update on this? this feature is required for bigger organizations if they want to adopt this beautiful software.

Even for mid and small organizations who are using cloud service providers for authentication

[Mavyre]

I'm digging out this Feature Request.

Had anyone a look at https://dev.epitanime.com/technique/dolibarr-saml/ ? Seems to be promising. @eldy maybe should be possible to take a look at it and integrate it to a future version?

[Mavyre]

Still wanted.

[ygini]

Still needed indeed. And one of the main reason why I've stopped using Dolibarr

[kinanakel]

It is still needed. SAML and OAuth2 are the most common authentication methods. There must be a way to utilize both of them in order to allow more organizations onboarding.

[battosai30]

+1

[cfoellmann]

lets give it a thumbs up on the first post

[bontiv]

I'm digging out this Feature Request.

Had anyone a look at https://dev.epitanime.com/technique/dolibarr-saml/ ? Seems to be promising. @eldy maybe should be possible to take a look at it and integrate it to a future version?

Hi,

I'm the author of SAML2 from Epitanime. It work in production since many years. Maybe I can finish it. I didn't do a PR before they are a lot of hard coded variables. You can't change SAML settings from admin portal.

For Epitanime association, the production is in version 12.0.1 and SAML was tested with SimpleSAMLphp and Okta. It may also work with Office365 and others SAML2 providers.

I didn't know SAML2 was important for other users. When I finished this module, it will be free and open source on dolistore.

Best regards, Bontiv

[battosai30]

I didn't know SAML2 was important for other users. When I finished this module, it will be free and open source on dolistore.

I have to install an LDAP in all my client systems only because of Dolibarr (Keycloak allow a sync between its database and an LDAP server) so yes, SAML (and OAuth) are big needs for me xD

Thanks for your work anyway :)

[cfoellmann]

@battosai30 can keycloak connect to azureAD? I am looking at using something in parallel to azureAD to not pay for a big part of our userbase.

[battosai30]

Apparently yes :
https://www.alphabold.com/azure-ad-configuration/ https://www.grebintegration.dk/2021/03/07/microsoft-azure-active-directory-as-keycloak-identity-provider/ https://www.youtube.com/watch?v=LYF-NLHD2uQ

[cfoellmann]

@bontiv please send a PR as draft as soon as possible! I really want to test against Microsoft azureAD.

We can start without UI and go from there

[cfoellmann]

@bontiv I just realized that you have a module. I will try and test that one as soon as possible

[cfoellmann]

@bontiv I tried to register on your gitlab instance but can not get the login to work. Would love to help get the module ready for "normal" usage

[bontiv]

I've move the source code into Github : Dolibarr SAML Be careful. Do not use it in production. You can break your Dolibarr authentication and I didn't test with last Dolibarr version.

Module IDs are also in common range of > 500000. It may re-use ID of another experimental module.

[Mavyre]

I'll try it out in the following few months. Thanks a lot for sharing it!

[cfoellmann]

@bontiv do you run the SAML auth on a current dolibarr? I am testing on 15.x and it seems that the saml exchange with our IdP is working but I get an infinite loop. As far as I can see: When the user is redirected back to dolibarr the user is "seen" as not-logged-in and a new auth request is sent to the IdP. Resulting in a loop

Any ideas?

[bontiv]

Hi, I'm not working on SAML anymore. I think this protocol is too old and take too many time to authenticate users. I'm working on more general OpenID Connect solution.

OpenID Connect is compliant with AzureAD, Okta, Auth0, Facebook, Twitter, Google and on premise solutions like ADFS, lemonldap, keycloak, etc..

I use AzureAD in my company. I'm also trying to get Dolibarr REST API working with Azure oAuth 2 tokens.

Best regards,

[cfoellmann]

SAML is still going strong in corporate networks but I am with you that OpenID is a lot "better".

What is your planning and progress with openid? I might be able to pitch in. Maybe the already existing module in dolibarr could be extended to allow for custom IdPs. We are using authentik which is very similar to keycloak

[ygini]

My two cents on this: OpenID Connect is way more suited when we talk about federations for public services such as Twitter authenticated with Google.

SAML is the protocol more suited for Enterprise use. Especially in term of privilege management, context of use, on demand re-auth, etc.

I don’t use Dolibarr anymore and don’t think I will in a short futur.

But SAML is the way to go for an ERP. Not OIDC.

And SAML is compatible with any market provider.

Yoann

Le 4 août 2022 à 09:53, Remi BONNET @.***> a écrit :

 Hi, I'm not working on SAML anymore. I think this protocol is too old and take too many time to authenticate users. I'm working on more general OpenID Connect solution.

OpenID Connect is compliant with AzureAD, Okta, Auth0, Facebook, Twitter, Google and on premise solutions like ADFS, lemonldap, keycloak, etc..

I use AzureAD in my company. I'm also trying to get Dolibarr REST API working with Azure oAuth 2 tokens.

Best regards,

— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.

[cfoellmann]

I will go for the SAML approach now.

We run authentik and it's a beast. I hope I can deploy sso for dolibarr this month

[atm-maxime]

Hi. We are starting the creation of a saml module which will be very configurable and work with ADFS and Okta. We'll inform you here about the module when it's ready.

[github-actions[bot]]

This issue is stale because it has been open 1 year with no activity. If this is a bug, please comment to confirm it is still present on latest stable version. if this is a feature request, please comment to notify the request is still relevant and not yet covered by latest stable version. This issue may be closed automatically by stale bot in 10 days (you should still be able to re-open it if required).