Before you can connect your Azure AD environment to GLPI, you need to prepare it properly. This involves creating a new Azure AD application and registering it with your Azure AD tenant.
You'll also need to obtain the Application ID and Directory ID from the Azure portal, as these will be used to configure the GLPI Azure AD integration.
To ensure a smooth setup process, make sure you have the necessary permissions and roles in your Azure AD tenant. Specifically, you'll need to be a Global Administrator or an Application Administrator.
The Application ID is a unique identifier for your Azure AD application, while the Directory ID is the unique identifier for your Azure AD tenant.
Environment Preparation
Before we dive in, it's essential to note that we'll be working with GLPI version 10.0.14 and the PHP SAML plugin.
The good news is that we won't need an LDAP directory for user import or synchronization.
Make sure the URL used to access GLPI has a DNS name and is served over HTTPS with a valid TLS certificate.
To proceed, search the enterprise application gallery for Microsoft Entra SAML Toolkit and select it.
Configuration
Authentication is integrated over the SAML protocol, which is set up in the Azure Portal.
First, create an application, and you'll be redirected to its control panel.
Click on "Users and groups" in the menu to specify which AD users will be allowed to log in to the application.
In our case, we created a group called "GLPI" to which all users who need to access GLPI are assigned.
After adding the users/groups, click on "Single sign-on".
Then, click on SAML to proceed with the configuration.
You'll be directed to a page where you need to click on "Edit" to adjust the basic SAML settings.
Add the URL of GLPI in the specified field and save the changes.
Click on "Download" to download the Certificate (Base64).
In GLPI, fill in the necessary fields with the information obtained from the Azure Portal.
Azure AD Integration
To integrate Azure AD with GLPI, you'll need to prepare your Entra AD environment for LDAPS. This requires a sufficiently high license or the purchase of Microsoft Entra Domain Services.
You'll need to create a service account in your directory, dedicated to the interconnection between GLPI and your Entra AD directory. This is a crucial step, as it will enable secure communication between the two systems.
To set up LDAPS, configure your Entra AD environment according to Microsoft's official documentation: this covers the LDAPS access rules and the service account described above.
Once your Entra AD environment is prepared, you can go back to GLPI and create an LDAP Directory type authentication source. This involves setting up a new directory for LDAPS connections.
Here are the key parameters to enter:
- Server: ldaps://Entra.mycompany.com or ldaps://xxx.xxx.xxx
- Port: 636
- Connection filter: (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Note that you can modify the connection filter to suit your needs.
For the BaseDN, you'll need to enter the full DN of your company's directory, such as dc=mycompany,dc=com.
When setting up the authentication source, you'll need to enter the full DN of the service account that will authenticate with your directory, as well as its password.
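As an added example (not code from the original article or from the GLPI project), the following Python evaluates the connection filter above against a few constructed directory entries, so you can see which accounts it admits before pointing GLPI at the real directory. The `1.2.840.113556.1.4.803` rule is a bitwise AND on userAccountControl, and bit 2 is ACCOUNTDISABLE, so the `!` clause keeps disabled accounts from logging in. The entries, DNs and the `_entry` helper are constructed assumptions; objectCategory is simplified to a class name.

```python
import re
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND, the OID used in the filter
GLPI_FILTER = ("(&(objectClass=user)(objectCategory=person)"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")  # 2 = ACCOUNTDISABLE

def parse(s, i=0):
    """Parse one RFC 4515 filter starting at s[i]; return (node, index after it)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|":                       # AND / OR over a list of sub-filters
        op, i, kids = s[i], i + 1, []
        while s[i] != ")":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    if s[i] == "!":                        # NOT over exactly one sub-filter
        node, i = parse(s, i + 1)
        return ("!", node), i + 1
    end = s.index(")", i)                  # attr=value, or extensible match attr:rule:=value
    attr, rule, value = re.fullmatch(r"([^:=]+)(?::([\d.]+))?:?=(.*)", s[i:end]).groups()
    return ("=", attr.lower(), rule, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict of lower-case attr -> list of str)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule == BIT_AND:                    # true when every bit of `value` is set in the attribute
        return any(int(v) & int(value) == int(value) for v in values)
    if rule is not None:
        raise ValueError(f"matching rule {rule} not supported by this evaluator")
    return any(v.lower() == value.lower() for v in values)

def _entry(classes, category, uac):        # constructed entry; objectCategory simplified to a class name
    return {"objectclass": classes, "objectcategory": [category], "useraccountcontrol": [str(uac)]}

DIRECTORY = {                              # constructed sample data, not a real tenant
    "cn=alice,ou=users,dc=mycompany,dc=com": _entry(["top", "person", "user"], "person", 512),     # enabled
    "cn=bob,ou=users,dc=mycompany,dc=com": _entry(["top", "person", "user"], "person", 514),       # 512 | 2
    "cn=ws01$,cn=computers,dc=mycompany,dc=com": _entry(["top", "user", "computer"], "computer", 4096),
}

def admitted(filter_str=GLPI_FILTER, directory=DIRECTORY):   # DNs the filter lets through
    tree, _ = parse(filter_str)
    return sorted(dn for dn, e in directory.items() if matches(tree, e))
```

Running `admitted()` returns only alice: bob is excluded by the disabled bit and ws01$ by objectCategory, which is the behaviour to confirm before loosening the filter.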
Sources
- https://glpi-project.org/how-to-provision-and-authenticate-glpi-users-with-azure-ad-using-scim-and-oauth-sso/
- https://stackoverflow.com/questions/54789021/use-glpi-or-centreon-on-adfs-or-azure-ad-proxy
- https://blog.servicedeskbrasil.com.br/logando-no-glpi-com-azure/
- https://faq.teclib.com/03_knowledgebase/authentication/cloud_azure_ad/
- https://nitic.es/configurar-oauth-imap-en-glpi-con-azure-ad/