Saml

.tx/config

@@ -195,9 +195,33 @@ source_file = build/locale/scim/index.pot
 source_lang = en
 type = PO
 
-[o:teclib:p:glpi-plugins-documentation:r:scim--azure]
-file_filter = source/locale/<lang>/LC_MESSAGES/scim/azure.po
-source_file = build/locale/scim/azure.pot
+[o:teclib:p:glpi-plugins-documentation:r:scim--entra]
+file_filter = source/locale/<lang>/LC_MESSAGES/scim/entra.po
+source_file = build/locale/scim/entra.pot
+source_lang = en
+type = PO
+
+[o:teclib:p:glpi-plugins-documentation:r:scim--faq]
+file_filter = source/locale/<lang>/LC_MESSAGES/scim/faq.po
+source_file = build/locale/scim/faq.pot
+source_lang = en
+type = PO
+
+[o:teclib:p:glpi-plugins-documentation:r:scim--install_plugin]
+file_filter = source/locale/<lang>/LC_MESSAGES/scim/install_plugin.po
+source_file = build/locale/scim/install_plugin.pot
+source_lang = en
+type = PO
+
+[o:teclib:p:glpi-plugins-documentation:r:scim--password_SSO]
+file_filter = source/locale/<lang>/LC_MESSAGES/scim/password_SSO.po
+source_file = build/locale/scim/password_SSO.pot
+source_lang = en
+type = PO
+
+[o:teclib:p:glpi-plugins-documentation:r:scim--requirements]
+file_filter = source/locale/<lang>/LC_MESSAGES/scim/requirements.po
+source_file = build/locale/scim/requirements.pot
 source_lang = en
 type = PO
 
@@ -398,3 +422,53 @@ file_filter = source/locale/<lang>/LC_MESSAGES/glpiai/example.po
 source_file = build/locale/glpiai/example.pot
 source_lang = en
 type = PO
+
+[o:teclib:p:glpi-plugins-documentation:r:saml--entra]
+file_filter = source/locale/<lang>/LC_MESSAGES/saml/entra.po
+source_file = build/locale/saml/entra.pot
+source_lang = en
+type = PO
+
+[o:teclib:p:glpi-plugins-documentation:r:saml--google]
+file_filter = source/locale/<lang>/LC_MESSAGES/saml/google.po
+source_file = build/locale/saml/google.pot
+source_lang = en
+type = PO
+
+[o:teclib:p:glpi-plugins-documentation:r:saml--index]
+file_filter = source/locale/<lang>/LC_MESSAGES/saml/index.po
+source_file = build/locale/saml/index.pot
+source_lang = en
+type = PO
+
+[o:teclib:p:glpi-plugins-documentation:r:saml--requirements]
+file_filter = source/locale/<lang>/LC_MESSAGES/saml/requirements.po
+source_file = build/locale/saml/requirements.pot
+source_lang = en
+type = PO
+
+[o:teclib:p:glpi-plugins-documentation:r:saml--rules]
+file_filter = source/locale/<lang>/LC_MESSAGES/saml/rules.po
+source_file = build/locale/saml/rules.pot
+source_lang = en
+type = PO
+
+[o:teclib:p:glpi-plugins-documentation:r:saml--sources]
+file_filter = source/locale/<lang>/LC_MESSAGES/saml/tabs/sources.po
+source_file = build/locale/saml/tabs/sources.pot
+source_lang = en
+type = PO
+
+[o:teclib:p:glpi-plugins-documentation:r:saml--add-app]
+file_filter = source/locale/<lang>/LC_MESSAGES/saml/tabs/add-app.po
+source_file = build/locale/saml/tabs/add-app.pot
+source_lang = en
+type = PO
+
+[o:teclib:p:glpi-plugins-documentation:r:saml--for-entra]
+file_filter = source/locale/<lang>/LC_MESSAGES/saml/tabs/for-entra.po
+source_file = build/locale/saml/tabs/for-entra.pot
+source_lang = en
+type = PO
+
+

source/index.rst

@@ -35,6 +35,7 @@ You'll find here user documentation for various `GLPI <http://glpi-project.org>`
    oauthimap/index
    order/index
    pdf/index
+   saml/index
    sccm/index
    treeview/index
    tag/index

source/saml/entra.rst

@@ -0,0 +1,149 @@
+Entra
+=====
+
+.. include:: tabs/add-app.rst
+
+.. include:: tabs/for-entra.rst
+
+Add an app in Entra
+-------------------
+
+* Connect to your `Entra portal <https://portal.azure.com/#home>`_
+* Click on **Entreprise Application**
+* **And + New application**
+* In the search bar, enter **saml toolkit**
+* Click on **Microsoft Entra SAML Toolkit**
+
+.. image:: images/add-app-entra.png
+    :alt: create app entra
+    :scale: 72%
+
+* Optionnal : You can rename this app
+* Click on **Create**
+
+When the application is created :
+
+* Go to **Single sign-on**
+* Click on SAML
+
+.. image:: images/setup-saml-entra.png
+    :alt: create SAM app entra
+    :scale: 51%
+
+Setup the app
+-------------
+
+* In the 1st insert, click on **Edit**
+* Copy the values as follows
+
+.. image:: images/setup-basic-saml-entra.png
+    :alt: Report the values in entra
+    :scale: 90%
+
+.. image:: images/setup-basic-saml-glpi.png
+    :alt: See the values in GLPI
+    :scale: 75%
+
+Setup the Service Provider
+---------------------------
+
+In **SP certificate** and **SP Private Key**, copy/paste your certificate in place of those already present.
+There are no strict requirements for these certificates, other than that they are valid X509 certificates.
+
+.. image:: images/certificates-service-provider.png
+    :alt: setup the values
+    :scale: 80%
+
+Setup the Identity Provider
+---------------------------
+
+* In the third insert of Entra app, click on **Download** from **Certificate (Base64)**
+
+.. image:: images/extract-certificate.png
+    :alt: Download certificate
+    :scale: 90%
+
+* **Open** this certificate with notepad ++ (or other tool which can read this type of certificate)
+* **Copy** the content of the certificate in GLPI with the tags
+* **Paste** the certificate in **Identity provider** > **X509 certificate**
+* Then fill in the fields as follows withe the informations in the fourth insert :
+
+
+.. image:: images/setup-identity-provider.png
+    :alt: Paste certificate and setup the values
+    :scale: 42%
+
+.. image:: images/setup-identity-provider-toolkit.png
+    :alt: setup the values
+    :scale: 100%
+
+.. tip:: It is advisable to use **none** as the **REQ AUTHN CONTEXT**
+
+Security
+--------
+
+For a production instance, you must activate the **Strict** option.
+
+We advise you to activate **JIT user creation**. This will allow the rules you create from JIT Rules to be applied.
+
+.. image:: images/security.png
+    :alt: options for security
+    :scale: 82%
+
+.. Warning::
+    For the plugin to authenticate a user, the field must contain a **valid UPN** formatted **as an email**.
+    This behaviour can lead to duplicate entries in GLPI when users leave Ldap.
+    This is an important detail because some users who leave Active directory in certain scenarios still use the usersam account name
+    (old netbui names) as the UPN in entra.
+    As a result, the nameId field in the samlResponse will not be populated with a valid email address.
+    The username field is used because the email field is not guaranteed to be unique in GLPI and it is essential that a
+    unique identifier is used to allow authorisation of a specific GLPI user.
+
+
+Add users allowed to use SAML
+-----------------------------
+
+SAML needs users/groups to be added so that they are authorised to use authentication.
+
+* Click on **users and groups** tab,
+* Click on **+ Add user/group**
+* Select all the users and groups required
+* Click on **Assign**
+
+.. image:: images/select-users-groups.png
+    :alt: add user allowed
+    :scale: 45%
+
+Mapping
+-------
+
+If you wish to add additional information to your profile, you can use Attributes & Claims.
+Your profile will be populated with the information entered in Entra.
+
+* In **Single sign on**, click on **Edit**
+* Copy the URL of the one of the other claim
+
+.. image:: images/copy_url_claims.png
+    :alt: Copy the URL schema
+    :scale: 78%
+
+* Click on **+ Add new claim**
+* Select a name
+* Paste the URL you've just copied ine **Namespace**
+* Selct **attribute**
+* Search the value that you want in the **Source attribute**
+* Save your modification
+* Repeat this step for all the desired values
+
+
+.. image:: images/add_claims_entra.png
+    :alt: add claims in Entra
+    :scale: 45%
+
+.. image:: images/see_claims_entra.png
+    :alt: see claims in Entra
+    :scale: 83%
+
+.. include:: tabs/rules.rst
+
+.. include:: tabs/source.rst

source/saml/google.rst

@@ -0,0 +1,131 @@
+Google
+======
+
+.. include:: tabs/add-app.rst
+
+Add an app in Google
+--------------------
+
+* Connect to your `Google portal <https://accounts.google.com/>`_
+* Click on **Apps**
+* Cick on **Web and mobile apps**
+* Then, click on **Add app**
+* And **Add custom SAML app**
+
+.. image:: images/add_custom_app.png
+    :alt: create app Google
+    :scale: 43%
+
+* Name your application
+* Click on **Continue**
+
+.. image:: images/app_name.png
+    :alt: give a name to your app
+    :scale: 49%
+
+- Click on **Save** on GLPI.
+
+Setup the Identity Provider
+---------------------------
+
+* Enter the values as shown in the 2 screenshots below
+
+.. image:: images/idp_infos.png
+    :alt: IDP info Google
+    :scale: 49%
+
+.. image:: images/idp_infos_glpi.png
+    :alt: report the values in GLPI
+    :scale: 44%
+
+.. tip:: Copy/paste the content of the certificate in GLPI with the tags *---BEGIN CERTIFICATE--- ---END CERTIFICATE---*
+
+Setup the Service Provider
+---------------------------
+
+* In Service provider details, report the values from GLPI to Google :
+
+.. image:: images/sp_infos_glpi.png
+    :alt: Service provider info GLPI
+    :scale: 44%
+
+.. image:: images/sp_infos.png
+    :alt: Report the values form GLPI
+    :scale: 49%
+
+* From Google, select **EMAIL** in **Name ID format**
+* In **Name ID**, select **Basic information > Primary email**
+* From GLPI, select **Email Address** in **NAMEID FORMAT**
+
+In **SP certificate** and **SP Private Key**, copy/paste your certificate in place of those already present.
+There are no strict requirements for these certificates, other than that they are valid X509 certificates.
+
+.. image:: images/certificates-service-provider.png
+    :alt: setup the values
+    :scale: 80%
+
+* Click on **Continue**
+* Then **Finish**
+
+Your app is now created
+
+.. image:: images/app_created.png
+    :alt: Your app is now created
+    :scale: 44%
+
+Security
+--------
+
+For a production instance, in GLPI, you must activate the **Strict** option in setup plugin SAML.
+
+We advise you to activate **JIT user creation**. This will allow the rules you create from JIT Rules to be applied.
+
+.. image:: images/security.png
+    :alt: options for security
+    :scale: 82%
+
+.. Warning::
+    For the plugin to authenticate a user, the field must contain a **valid UPN** formatted **as an email**.
+    This behaviour can lead to duplicate entries in GLPI when users leave Ldap.
+    This is an important detail because some users who leave Active directory in certain scenarios still use the usersam account name
+    (old netbui names) as the UPN in entra.
+    As a result, the nameId field in the samlResponse will not be populated with a valid email address.
+    The username field is used because the email field is not guaranteed to be unique in GLPI and it is essential that a
+    unique identifier is used to allow authorisation of a specific GLPI user.
+
+Add users allowed to use SAML
+-----------------------------
+
+SAML needs users/groups to be added so that they are authorised to use authentication.
+
+* On your appl, click on **Viex details** tab in **User access**
+* Click on **On for everyone**
+* Click on **Save**
+
+.. image:: images/service_state.png
+    :alt: Allow users to use app
+    :scale: 53%
+
+
+Mapping
+-------
+
+If you wish to add additional information to your profile, you can use Attributes.
+Your profile will be populated with the information entered in Entra.
+
+* In you app, click on **Configure SAML attribute mapping** in **SAML attribute mapping**
+* Copy the URL of the one of the other claim
+* Add informations that you want
+* Click on **Save**
+
+.. image:: images/add_mapping_google.png
+    :alt: add attributes for Google
+    :scale: 45%
+
+.. image:: images/see_attributes.png
+    :alt: Allow users to use app
+    :scale: 60%
+
+.. include:: tabs/rules.rst
+
+.. include:: tabs/source.rst

source/saml/index.rst

@@ -0,0 +1,10 @@
+SAML
+====
+
+
+.. toctree::
+   :maxdepth: 2
+
+   requirements
+   entra
+   google