donutsnl / glpisaml

I moved to: https://codeberg.org/QuinQuies

This plugin is a full rewrite of Derrick Smith's initial SAML plugin for GLPI10+. It's redesigned to be compatible with GLPI10+, PSR and Composer, and to support multiple SAML IdPs, user right rules and more.

Home Page: https://discord.gg/yKZB7VQUk6

License: GNU General Public License v3.0

PHP 78.57% CSS 0.14% Twig 21.21% Shell 0.08%
glpi plugin saml sso ui

glpisaml's Issues

Implement loginflow and triggers

  • Show login buttons for each of the idp's configured;
  • Catch the login button pressed
  • make sure all sessions are captured and registered by glpisaml
  • make sure glpi/saml sessions are discriminated clearly
  • make sure the samlAuthRequest is logged in the database for debugging.
  • make sure the samlAuthRequest is sent based on the correct configItem
  • make sure the SamlResponse is captured and matched with the correct IdP
  • make sure phpSaml errors are captured and logged
  • make sure calls to excluded paths are logged in the database for debugging
  • make sure received samlResponse is registered in the database.
  • make sure sessions can be forcefully logged out.
  • Capture the SamlResponse in the ACS (acs implementation will be done in a different issue)

Not saved configuration.

Thank you for continuing this project,

I have tried to test it but when I save I get this error:
"Error: Unable to add new GlpiSaml configuration!!!"
Leaving a line without text in the configuration, any suggestions?

Plugin Enforced = yes

@DonutsNL Hey, I hope you're doing well. I just needed some information about the plugin enforced option. When we enforce the plugin we no longer have the option to connect to GLPI directly. Is there any way that we can still access the GLPI login page through another URL?
I can give you an example: if we enforce the plugin, GLPI should be accessible through www.exemple-glpi.com/index.php and the direct connection page would be on the URL www.exemple-glpi.com/index.php?noAUTO=1

Login errors caused by inconsistent session database due to logout not yet implemented.

The logout is not yet fully implemented. The plugin currently depends on GLPI default logout functionality but does not log the user out of the IDP. Clicking the login button will simply log the user back in using the existing IDP session. In addition, the sessions are not registered correctly in the GLPISAML session database that keeps track of all active sessions. Because the logout action is not yet properly administered, the cross-checking functions of the plugin might fail because the sessions can get into an inconsistent state. This might lead to login errors like 'did not expect saml response from this IDP' on login.

The workaround if this occurs is to close all browsers and start over.

Configuration line not displayed

Hello @DonutsNL,

Thank you for this v2.
However, I have a problem: once I've created my SSO configuration, I can't go back to it because I can't click anywhere, because the name is not displayed:
[Screenshot 2024-02-29 at 10 37 02]

I'm using version 10.0.12.

Implement twig templates

Clean code is essential. I'm not happy with all the HTML in the classes.
Let's implement twig templates that allow for cleaner logic, filtering and much more.

  • implement twig templates for configuration
  • implement twig templates for loginScreen
  • Redo the config screen make it more accessible.

Implement config

  • Normalize database model, follow GLPI conventions?
  • Create config database model
  • Create dropdown typed config (multiple idp configs)
  • Create custom dropdown entry configpage
  • Create support classes for special tasks like openssl validation

The response was received at http://{GLPI}/marketplace/glpisaml/front/acs.php instead of https://{GLPI}/marketplace/glpisaml/front/acs.php

Hello,
I am using your glpisaml plugin to make an SSO connection with my Azure AD to log in my GLPI site.
I am facing this issue: "The response was received at http://{GLPI}/marketplace/glpisaml/front/acs.php instead of https://{GLPI}/marketplace/glpisaml/front/acs.php" (see capture: 2024-06-19 14_22_18-Clipboard). I don't know where I can find the redirection.
Because my GLPI is in HTTPS and is behind a reverse proxy.
I'm sure it's not the Azure AD config. I think it is an issue with the PHP file acs.php, but I have no idea how to resolve it.

Do you have any ideas?

Thanks,
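
An added example, not part of the original issue and not glpisaml or phpSaml code: this error is typical when the receiving URL is rebuilt from PHP server variables while a reverse proxy terminates TLS, which is assumed here. The helper name, the trusted-proxy list and the sample request are hypothetical; the forwarded scheme is honoured only when the request comes from a trusted proxy address, because the header is otherwise client-controlled.

```php
<?php
declare(strict_types=1);

/**
 * Rebuild the URL at which the SAML response was received.
 * Hypothetical helper (not part of glpisaml or phpSaml).
 *
 * @param array<string,mixed> $server         copy of $_SERVER
 * @param string[]            $trustedProxies addresses allowed to set X-Forwarded-* (assumption)
 */
function receivedAtUrl(array $server, array $trustedProxies): string
{
    $https  = !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
    $scheme = $https ? 'https' : 'http';
    $host   = (string) ($server['HTTP_HOST'] ?? 'localhost');

    // Forwarded headers are client-controlled unless they come from our own proxy.
    $fromProxy = in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true);
    if ($fromProxy) {
        $forwarded = (string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '');
        $proto     = strtolower(trim(explode(',', $forwarded)[0]));
        if ($proto === 'http' || $proto === 'https') {
            $scheme = $proto;
        }
    }

    $path = (string) parse_url((string) ($server['REQUEST_URI'] ?? '/'), PHP_URL_PATH);
    return $scheme . '://' . $host . $path;
}

// Constructed sample: the proxy terminates TLS and talks plain HTTP to PHP.
$server = [
    'REMOTE_ADDR'            => '10.0.0.5',
    'HTTP_HOST'              => 'glpi.example.org',
    'REQUEST_URI'            => '/marketplace/glpisaml/front/acs.php',
    'HTTP_X_FORWARDED_PROTO' => 'https',
];
// Destination the IdP put in the response (constructed).
$destination = 'https://glpi.example.org/marketplace/glpisaml/front/acs.php';

// No trusted proxy configured: the scheme is read as http and the comparison fails.
var_dump(receivedAtUrl($server, []) === $destination);
// Proxy address trusted: the forwarded scheme is used and the URLs match.
var_dump(receivedAtUrl($server, ['10.0.0.5']) === $destination);
```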

Implement extended error logging.

  • Create logfile with extensive logging
  • Create nice error screen
  • Make errors human readable
  • Make sure all phpSaml errors are caught and handled and logged.
  • Add warning message in config that debug might log private key information in the logfile and the logfile needs to be cleaned after debugging.

Provide an alternative to the login buttons exposing a lot of information.

The current login button implementation might give away a lot of information about customers or IDPs linked to the GLPI instance. There might be an alternative route where no information about the configured idps is exposed in this way.

The idea is to 'capture' the user login email address using the username field and match its domain against the configured idps. If a match is successful it will perform the login using that idp. For this purpose the following field has been introduced.

We can toggle the visibility of the login button based on this field being used.

image

Attention! plugin is Not hosted here

Be aware, the actual version is no longer hosted on Github due to false positive account suspensions.

Find the actual version on codeberg.com / glpisaml.

Logo for plugin

I am looking for help, can someone design a cool looking logo for the plugin to be shown in the plugin page and in the GLPI marketplace?

image

Is enabled not yet validated internally

Currently the 'is enabled' option will only remove the login button from the login page. Its state is not yet evaluated in the loginflow. Triggering a disabled idp should lead to an error and should not continue and cause glpisaml to perform a samlRequest to the IDP.
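
An added example, not glpisaml's own code, covering both this issue and the username-domain matching proposed in the login button issue above: the IdP is selected by exact domain match on the username field, and the enabled state is evaluated inside the flow so a disabled IdP produces an error instead of a samlRequest. The function name, the configuration array shape and the sample rows are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Pick the IdP configuration for a login attempt from the username field.
 * Hypothetical helper and config shape (not glpisaml's own code).
 *
 * @param array<int,array{id:int,domain:string,enabled:bool}> $idps
 * @return array{id:int,domain:string,enabled:bool}|null null: no match, use the normal login
 */
function resolveIdpForUsername(string $username, array $idps): ?array
{
    $username = trim($username);
    $at = strrpos($username, '@');
    if ($at === false || $at === 0 || $at === strlen($username) - 1) {
        return null; // not an e-mail style username
    }
    $domain = strtolower(rtrim(substr($username, $at + 1), '.'));

    foreach ($idps as $idp) {
        // Exact match only: "example.org.evil.test" must not select the example.org IdP.
        if (strtolower($idp['domain']) !== $domain) {
            continue;
        }
        // The enabled state is checked in the flow itself, not only when rendering buttons.
        if (!$idp['enabled']) {
            throw new RuntimeException('Matching IdP is disabled; no samlRequest is sent.');
        }
        return $idp;
    }
    return null;
}

// Constructed configuration rows.
$idps = [
    ['id' => 1, 'domain' => 'example.org', 'enabled' => true],
    ['id' => 2, 'domain' => 'corp.example', 'enabled' => false],
];

// Case-insensitive exact match selects IdP 1.
var_dump(resolveIdpForUsername('Alice@Example.ORG', $idps)['id'] ?? null);
// A look-alike suffix domain matches nothing and falls back to the normal login.
var_dump(resolveIdpForUsername('mallory@example.org.evil.test', $idps));
// A disabled IdP stops the flow with an error.
try {
    resolveIdpForUsername('bob@corp.example', $idps);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```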

status of phpsaml2?

Hi,

What is the status of this project?

On GLPI 10.0.11:

  • the original phpsaml doesn't work (blocked on acs page)
  • your version doesn't work (can't access the parameters of the plugins, blank page)
  • don't know if we can use phpsaml2

WANT TO HELP ME TESTING?

Hi everyone,

It would be very helpful if you guys could help me test this plugin. The current version should be functional enough to allow multiple SAML IDPs for authentication with dynamic user creation. Your testing efforts will greatly help me fix premature issues in the code and its logic.

I will be moving forward and try and implement rules as well before addressing more advanced logout stuff. Currently the plugin will NOT log the user out of the idp, just out of GLPI. Pressing the button will simply relogin the user unless the account was deleted or deactivated.

The beta version can be found here: https://github.com/DonutsNL/glpisaml/releases/tag/v0.2.0-beta

Thanks in advance!
