Open SilvaFernando opened 1 year ago
Hi @SilvaFernando,
The last time we checked, GLPI only uses these rules when an LDAP import is performed. They are not used on user creation by plugins. We are currently researching what is required to implement our own rules that we can use to append to and populate the user creation process. This is very much a work in progress.
@DonutsNL do you know if it is possible to take group information from AzureAD and add the user to the right group in GLPI? Because adding users to groups manually is tiresome and would require a lot of time if the company has more than 500 users.
The idea currently is to use the rules engine to assign groups. It might be a nice feature to try and match groups if provided in the saml response.
In case this can be of any use, we were looking into using this plugin and tested out the JIT functionality. It is possible to take the group information from the IdP. The code below can help, considering that the groups are sent with the "name" value only, as the attribute "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups".
In order for it to be fully functional, it would additionally require implementing some settings controls to enable/disable it.
In file /inc/phpsaml.class.php, create this helper function:
```php
static private function updateGroupUserRel($user_id)
{
    $dbGroup     = new Group();      // used to look up groups in the DB
    $dbGroupUser = new Group_User(); // used to find / add the user-group relationship
    $claim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups";
    // The IdP sends group names only; a single group may arrive as a plain string,
    // so normalise the claim to an array (and to an empty array when it is absent)
    $groups = isset(self::$userdata[$claim]) ? (array) self::$userdata[$claim] : array();
    foreach ($groups as $group) {
        $dbSearchInput = array(
            "name"        => $group,
            "entities_id" => $dbGroup->getEntityID(),
        );
        $group_id = $dbGroup->findID($dbSearchInput);
        if ($group_id == -1) {
            // Group does not exist in GLPI: log it, do not create it automatically
            $error = "Group User Error: Unable to update group membership because missing group ($group)";
            Toolbox::logInFile("php-errors", $error . "\n", true);
        } else {
            $input = array(
                "users_id"  => $user_id,
                "groups_id" => $group_id,
            );
            if (!$dbGroupUser->isUserInGroup($user_id, $group_id)) {
                if (!$dbGroupUser->add($input)) {
                    $error = "Group User Error: Something went wrong when adding the user ($user_id) to the group ($group_id)";
                    Toolbox::logInFile("php-errors", $error . "\n", true);
                }
            }
        }
    }
}
```
Inside function glpilogin(), add this line in the first if() condition; this will update group membership for an existing user:
```php
self::updateGroupUserRel($auth->user->fields['id']);
```
Note: it does not remove user memberships if they were dropped.
Inside the JIT provisioning if() condition, add this after the user creation line:
```php
self::updateGroupUserRel($id);
```
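The following is an added example, not code from the plugin or from the comment above. It isolates the reconciliation logic behind the snippet so it can be run without GLPI: the claim URI is the one used above, while `resolveGroupMemberships()`, the `$existingGroups` map (standing in for `Group::findID()`) and the `$currentMemberships` list (standing in for the `Group_User` lookup) are hypothetical names with constructed sample data. It goes one step beyond the snippet by handling the single-group case, where the IdP sends a plain string rather than an array, and by also reporting memberships the IdP no longer asserts, which the snippet above deliberately leaves in place.

```php
<?php
// Added example (not the plugin's code): reconcile the SAML group claim with GLPI memberships.
// resolveGroupMemberships(), $existingGroups and $currentMemberships are hypothetical names
// with constructed sample data standing in for Group::findID() and Group_User lookups.

const GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups";

/**
 * Compute which memberships to add, which claimed groups are unknown to GLPI,
 * and which current memberships are no longer asserted by the IdP.
 *
 * @param array $userdata           decoded SAML attributes (claim URI => value)
 * @param array $existingGroups     constructed map of group name => GLPI group id
 * @param array $currentMemberships constructed list of group ids the user is in now
 * @return array{add: int[], missing: string[], stale: int[]}
 */
function resolveGroupMemberships(array $userdata, array $existingGroups, array $currentMemberships): array
{
    // One group arrives as a string, several as an array; an absent claim means no groups.
    $claimed = isset($userdata[GROUP_CLAIM]) ? (array) $userdata[GROUP_CLAIM] : [];
    $claimed = array_values(array_unique(array_map('strval', $claimed)));

    $add = $missing = $assertedIds = [];
    foreach ($claimed as $name) {
        if (!array_key_exists($name, $existingGroups)) {
            $missing[] = $name;   // unknown group: report it, never auto-create it
            continue;
        }
        $gid = $existingGroups[$name];
        $assertedIds[] = $gid;
        if (!in_array($gid, $currentMemberships, true)) {
            $add[] = $gid;        // user is not yet in this group
        }
    }
    // Memberships the IdP no longer asserts. The snippet above leaves these in place;
    // a caller that wants to revoke access on the GLPI side would act on this list.
    $stale = array_values(array_diff($currentMemberships, $assertedIds));

    return ['add' => $add, 'missing' => $missing, 'stale' => $stale];
}

// Constructed sample data: three groups known to GLPI, user currently in two of them.
$existingGroups     = ['Helpdesk' => 3, 'Admins' => 7, 'Network' => 9];
$currentMemberships = [3, 9];

// Case 1: several groups in the assertion, one of them unknown to GLPI.
$userdata = [GROUP_CLAIM => ['Helpdesk', 'Admins', 'Finance']];
print_r(resolveGroupMemberships($userdata, $existingGroups, $currentMemberships));

// Case 2: exactly one group, delivered as a plain string instead of an array.
$userdata = [GROUP_CLAIM => 'Network'];
print_r(resolveGroupMemberships($userdata, $existingGroups, $currentMemberships));
```

Run it with `php` from the command line. The `missing` list is what the snippet writes to `php-errors`; the `stale` list is the part the note above says is not handled, and is worth surfacing in a log even if memberships are not revoked automatically, since a user keeps GLPI group rights after being removed from the group at the IdP.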
I am no longer maintaining this plugin and am focussing on the full refactored version found here: https://codeberg.org/QuinQuies/glpisaml
I'm testing creating users via JIT and I don't have an LDAP directory. I'm testing creating rules like this:
And it's not working. How can I solve it?