derricksmith / phpsaml

GLPI Plugin - SAML integration using the Onelogin SAML Library
MIT License

Configurations - v1.2.1 on GLPI 10.0.7 #136

Open Nouchca opened 1 year ago

Nouchca commented 1 year ago

Hi, I'm a junior in an infrastructure team. I'm in charge of implementing the GLPI ticketing tool, and the team wants to use SAML. I made some configuration but I'm having trouble understanding the explanations. To be sure of my configs, I am listing all the actions performed during installation and configuration. Below, you will find my questions.

Config:

- Plugin: phpsaml 1.2.1 (latest)
- GLPI: 10.0.7 - cloud by infomaniak (https://www.infomaniak.com/fr/creer-un-site/cms/hebergement-glpi/)
- Environment: Lab Azure Premium P1 (two users with licence Microsoft 365 Business Premium)

Plugin Installation: [screenshots A-1, A-2, A-3]

Azure configuration: [screenshots]

A dedicated group has been created and added below. (Users are in the group.) [screenshot B-7]

GLPI Configuration: [screenshot C-1]

Test:

- Azure interface: [screenshot]

Connection with the user account: [screenshots C-5]

When the user clicks on [Sign in with SSO]: the login page is displayed, then back to the GLPI login page. (the connection fails)

- Web logs: [screenshot]

If I go to the address {Your GLPI web server base URL}/plugins/phpsaml/front/acs.php: [screenshot]

Questions:

Q.1: How can I fix this POST problem?

Q.2: Do I need to configure the authentication page? [screenshots]

Q.3: Do I need to do anything to import users? Or is it done dynamically?

Q.4: Are there any other configurations to make? Or something I've done wrong?

Thank you in advance for your help,

DonutsNL commented 1 year ago

Hi @Nouchca,

Sorry I didn't get to your question earlier. I am not sure what version you are currently using. For GLPI 10.0.X please use the latest version found here: https://github.com/DonutsNL/phpsaml. This version will also dump the posted SAML when you enable the debug option for you to review. It also includes additional checks and validations.

@derricksmith has not yet merged a lot of changes and fixes that were implemented in the version linked above. I think he has been too busy.

Q3: If you enable JIT it should create GLPI users on the fly. You still have to assign these users the correct rights.

Q4: As far as I can see the configuration is correct. The new version will provide additional feedback to make sure. For instance it will check if the provided certificate is correct.

DonutsNL commented 1 year ago

[screenshot]

The user principal name might not work correctly with guests if this field is formatted as email_email#EXT#@on.microsoft.com. This is detected by the new version as well. In this case use the user.email claim for name and userID instead.
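
A way to run the guest-UPN check described in the comments above against a SAMLResponse taken from a debug dump, as an added example that is not part of the thread or of either phpsaml repository. It assumes the dump is the base64 value of the POSTed SAMLResponse and that the e-mail attribute arrives under the Azure AD emailaddress claim URI; the function names and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim URI that Azure AD emits for the e-mail address attribute (assumed mapping).
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def inspect_saml_response(b64_response):
    """Report the NameID, the e-mail claim and whether the NameID is a guest UPN.

    Inspection aid for your own debug dumps only: it does not verify the
    signature, so never use it to make an authentication decision.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    name_id = root.findtext(".//saml:Subject/saml:NameID", "", NS).strip()
    email = ""
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            email = attr.findtext("saml:AttributeValue", "", NS).strip()
    guest_upn = "#EXT#" in name_id.upper()
    return {
        "name_id": name_id,
        "email": email,
        "guest_upn": guest_upn,
        # Following the thread's advice: for guests, map the e-mail claim instead.
        "use_as_user_id": email if (guest_upn and email) else name_id,
    }


def constructed_response(name_id, email):
    """Build a minimal, unsigned SAMLResponse (constructed sample, not a real dump)."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f'<saml:AttributeStatement><saml:Attribute Name="{EMAIL_CLAIM}">'
        f"<saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>"
        "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    guest = constructed_response(
        "jane_example.com#EXT#@contoso.onmicrosoft.com", "jane@example.com"
    )
    print(inspect_saml_response(guest))
```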

Nouchca commented 1 year ago

Hi, Thank you for your reply. I'm currently using version 1.2.1 (Latest). Should I use version 1.3.0?

DonutsNL commented 1 year ago

The version in my repo is 1.2.2. If that is what you mean with 1.3.0 then yes. Use my branch for the latest GLPI version till it's merged by @derricksmith.