
SAML - Is there any easy way to implement it with Snipe-IT? #542

Closed
cwhittl opened this issue Feb 19, 2015 · 104 comments
Labels
advanced These issues require more advanced Laravel and/or Javascript knowledge ❤️ feature request ldap 👩‍💻 ready for dev These issues are ready for someone to work on them - take your pick!

Comments

@cwhittl

cwhittl commented Feb 19, 2015

We have just purchased OneLogin service and would love to use it with SnipeIT.
Thanks!



@snipe
Owner

snipe commented Feb 20, 2015

Not out of the box, but we can look into how much work it would be to integrate.

@snipe snipe added enhancement 👩‍💻 ready for dev These issues are ready for someone to work on them - take your pick! advanced These issues require more advanced Laravel and/or Javascript knowledge labels Feb 20, 2015
@snipe snipe added this to the v2.0 milestone Feb 20, 2015
@hughevans

SAML might be a better option than LDAP/AD integration. A lot of people are moving in this direction. More webby.

@snipe
Owner

snipe commented May 2, 2015

Looks like OneLogin has a package, which could make this easier. https://github.com/onelogin/php-saml

@hughevans

I’ve used their Ruby package and it’s excellent. My PHP is very rusty, otherwise I’d help out.

@vsposato

vsposato commented Jul 6, 2015

@snipe what about http://packalyst.com/packages/package/aacotroneo/laravel-saml2? It appears to be based on php-saml, but is already a package.

@snipe
Owner

snipe commented Jul 6, 2015

Yeah, we were looking at that one recently too.

@ghost

ghost commented Jul 13, 2015

Hi there, we're also using Single Sign On - OKTA is the tool we are using.
Our benefit would not be the SSO aspect (we only have two technicians, so no big deal); for us the really cool thing would be the automatic user account creation and removal that this could offer. This would save us time, but most importantly keep the user names created and synced with our HR user database.

@snipe snipe added ldap and removed ldap labels Mar 22, 2016
@delize

delize commented Mar 23, 2016

Would also like to bump this, as this would be great for us. We use Okta. We also use AD/LDAP, so using either isn't a huge problem for us.

@snipe snipe removed the enhancement label Mar 26, 2016
@sla-1

sla-1 commented Jun 3, 2016

Hey guys, we're using OKTA too, and we're interested in having SAML active too.

@nbently

nbently commented Jun 15, 2016

+1 for SAML - this is literally the only tool out there that does asset management right & would be killer with SAML integration

@Kilo1548

Totally agree! +1 for SAML integration.

@v3rb4l

v3rb4l commented Dec 21, 2016

Any updates on potential SAML integration? We are a school district that utilizes RapidIdentity (by Identity Automation), which is in the same vein as Okta and some of the other services mentioned in this thread. SAML would be a fantastic addition.

@snipe
Owner

snipe commented Dec 21, 2016

If there were updates, we'd publish them to this ticket. The API is currently higher priority than SAML integration, but it's still on the list.

@v3rb4l

v3rb4l commented Dec 21, 2016

Completely understand. Thank you for the response.

@zezuladp

+1 for SAML. Also thank you for your amazing work

@markwangpd

+1 for SAML! So far this platform is awesome, great work.

@jon-zd

jon-zd commented Jan 12, 2017

Whoa, snipe-it looks to be way better than any other inventory answer out there. Thanks for all the hard work!

Another +1 for SAML support -- it would make implementation way easier and help justify to management as an alternative to traditional (read: expensive and closed) inventory applications.

@avcarrillo

We are using the cloud hosted Snipe-IT solution. LDAP is not an option for us, so +1 for SAML

@snipe snipe modified the milestone: v4.0 Mar 11, 2017
@snipe snipe mentioned this issue Mar 14, 2017
@dcCMPY

dcCMPY commented May 22, 2017

Hi excuse my ignorance,

We have signed up for cloud hosted version of Snipe-IT - so far its awesome.

I'm trying to configure LDAP integration, all fields are filled out but having a connection issue.

Do I need to have an instance of my Active Directory in the cloud (AWS, Azure) for this to work as my instance of Snipe-IT is cloud hosted ?

@snipe
Owner

snipe commented May 22, 2017

Hi @dhayc17 - you do need it to be accessible via your hosted IP, which usually means poking a hole in your firewall for the static IP. If you contact support via email, we can give you your hosted static IP

@leifahlgrimm

Also very much interested in this.

@knetherton

Our company is hoping to get forced SSO so that we can adopt your product. BTW, you're selling yourself short. We would pay 5-10 times what you're charging for a good hosted tool. Key is that we have to have forced SSO (no password login option except for admin account).

@gezakukoda

+1 for SSO/SAML

@FletcherS7

Another +1 for SAML

@tstrohmeier

+1 for SAML or OIDC

@angel-pantoja

+SAML

@ewancolyer

Instead of everyone doing +1, place a bug bounty on it or open a PR with your contribution!

@pitbulk

pitbulk commented Apr 15, 2020

@snipe I'm trying to contact you via Linkedin and see if we can agree on something to provide SAML support to snipe-it.

johnson-yi added a commit to johnson-yi/snipe-it that referenced this issue May 5, 2020
snipe added a commit that referenced this issue May 7, 2020
@sargonas

sargonas commented May 8, 2020

bumping this for vis... if the pull request from @pitbulk up above is to unlock standard saml support for things like Okta we are VERY interested in this. Working to roll out snipe into prod, but right now we're having issues with LDAP over Okta breaking randomly from time to time for no known reason due to the LDAP work around, and this would help with that greatly.

@innocuoussoul

innocuoussoul commented May 8, 2020 via email

@davidbwashburn

SAML to Azure AD would make this guy very happy. All of you working on this are real international heroes.

@Wartz

Wartz commented May 15, 2020

SAML is a huge feature that would make my life a lot easier! Thanks to the people working on it.

@pitbulk

pitbulk commented May 15, 2020

Yes, I wanted to implement standard SAML support (not the Shibboleth trick / $USER I saw).

this commit already has the approach I had in mind:
c3d8024

@karthik5003

+1 for SAML

@tholu

tholu commented Jun 8, 2020

@webbexpert Have you moved to a different tool or are you also still waiting for this?

@yosiasz

yosiasz commented Jun 9, 2020

@tholu We are still waiting for SSO SAML implementation. It will be a deal breaker for us if we cannot have this, for hosted services at least.

@fstorz

fstorz commented Jun 30, 2020

@snipe Is this issue about to be closed? The corresponding PR (#8023) to add SAML support was merged already to develop. Is this issue then related to milestone "v5"?

@Aiv114

Aiv114 commented Jul 28, 2020

+1 SAML

@adagioajanes
Contributor

+1 for SAML

@ReillyTevera

@adagioajanes Did you even bother to read this thread before making a useless and unhelpful comment? SAML support has already been merged and will be in the next major release of Snipe-IT.

@adagioajanes
Contributor


I saw this issue was still open. Therefore I assumed it was not implemented, as I can't find documentation for it.

No need to be rude about it.

@ajfurber

ajfurber commented Oct 14, 2020


It's also not included here: https://snipeitapp.com/blog/snipe-it-v5.0-progress-oct


@fstorz

fstorz commented Oct 22, 2020

@snipe As v5 was released (again, thanks for that), SAML support is now available in the code. But there is some documentation missing. I set up SAML with my installation and could help out with the docs. But I'm not sure where I can contribute the text and images. Is this possible via readme.io?

@fstorz

fstorz commented Oct 25, 2020

So maybe I will start documenting here :D

General steps to do:

  • Configure SAML values at IDP (Entity-ID, Assertion Consumer Service (ACS) URL, Single Logout Service (SLS) URL)
  • Download IdP Metadata / Get IdP Metadata URL
  • Upload IdP Metadatafile / Paste IdP Metadata URL to Snipe-IT SAML settings
  • If necessary, add additional custom config to Snipe-IT SAML settings

IdP SAML Configuration Values

There are many pages out there on how to configure the following values for your IdP.
We use AzureAD and there is a basic example from Microsoft.

Azure will automatically configure a certificate for you to sign the SAML responses when you click on the "add certificate" link.

Snipe-IT SAML Settings

Attribute Mapping - Username

It is possible to override the default setting, to use the value from the "NameID" response element to match against the username of existing users. If your IdP uses another element in the SAML response, set the value here.

Relevant example from SAML response

<Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">email.address@example.com</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="ONELOGIN_..." NotOnOrAfter="2020-10-01T00:00:00.000Z" Recipient="https://assets.example.com/saml/acs"/>
    </SubjectConfirmation>
</Subject>

If you have existing users configured in Snipe-IT, make sure that their usernames match the value of the NameID element!

SAML Force Login

When this checkbox is enabled, you will not see a login form of Snipe-IT anymore when you go to the Snipe-IT website. Instead it will redirect you directly to the IdP SAML Login.
When you need to see the login form of Snipe-IT to log in with an existing user without SAML login, you can add the following query parameter to your Snipe-IT URL: /login?nosaml -> https://assets.example.com/login?nosaml. This might be useful when there are technical problems with your IdP, so that you are still able to log in to Snipe-IT. For this scenario, make sure that there is an "admin" user in the Snipe-IT user database who does not log in via SAML.

SAML Single Log Out

When this checkbox is enabled, then Snipe-IT will send a logout request to your IdP when you click on the Logout Button in Snipe-IT.
This will cause the user to be first redirected to the IdP on logout. Leave unchecked if the IdP doesn't correctly support SP-initiated SAML SLO.

SAML Custom Settings

Here you can add custom settings to adjust the configuration of the underlying library which provides the SAML functionality.
Values are defined as key-value pairs like the following: key=value

Config values are (maybe some are missing) (Source)

  • strict=true|false
  • baseurl=...
  • debug=true|false
  • sp.anySpConfig=...
  • idp.anyIdpConfig=...
  • security.anySecurityConfig=...

When you run Snipe-IT behind a reverse proxy the following property might be necessary: baseurl=https://assets.example.com/saml

Debug SAML Response

When you need to check the SAML response which is received by Snipe-IT, a simple workaround might be to use the developer tools of your browser.
After configuring your SAML config in Snipe-IT, just go to an incognito tab, open the developer tools (mostly with F12) and go to the "network" tab. Now open your Snipe-IT website and wait until the login of your IdP is shown. Log in with your IdP credentials and wait until you are redirected back to your Snipe-IT.
Now check the entries of your developer tools "network" tab. There should be an entry for "acs" or "saml/acs", which represents the redirect from your IdP to your callback URL and includes the SAML Response as a body parameter. So click on the entry and scroll down in the entry's details to the request body and copy the value of the parameter SAMLResponse.
The value is base64 encoded, so find a tool which can decode it (I would not suggest doing this online, because the value contains a valid access token for your user at your IdP!). When you have decoded it, you have the SAML response in XML format :)

Hint: Works in Google Chrome, and maybe others work the same way
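A worked version of the debugging steps above, added here as an example and not part of fstorz's post, Snipe-IT or php-saml: decode the copied SAMLResponse value offline and check the Subject fields the post discusses (NameID, Recipient against the ACS URL, NotOnOrAfter). The sample response, the InResponseTo value ONELOGIN_abc123 and the function names are constructed for this example; signature verification is deliberately left to php-saml.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ACS_URL = "https://assets.example.com/saml/acs"  # ACS URL from the thread above
# Constructed sample, shaped like the Subject excerpt above; not a real IdP capture.
SAMPLE_XML = (
    f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="{SAML}" '
    f'ID="_r1" Version="2.0" Destination="{ACS_URL}"><saml:Assertion ID="_a1" Version="2.0">'
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'email.address@example.com</saml:NameID>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    f'<saml:SubjectConfirmationData InResponseTo="ONELOGIN_abc123" Recipient="{ACS_URL}" '
    'NotOnOrAfter="2020-10-01T00:00:00.000Z"/></saml:SubjectConfirmation></saml:Subject>'
    '</saml:Assertion></samlp:Response>'
)
SAMPLE_NOW = datetime(2020, 9, 30, 23, 58, tzinfo=timezone.utc)  # 2 min before NotOnOrAfter

def encode_saml_response(xml_text, deflate=False):
    """Base64 as the ACS POST carries it; deflate=True mimics the HTTP-Redirect binding."""
    data = xml_text.encode("utf-8")
    if deflate:
        comp = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode("ascii")

def decode_saml_response(b64):
    """Plain base64 first; fall back to raw DEFLATE if the bytes are not XML."""
    data = base64.b64decode(b64)
    if not data.lstrip().startswith(b"<"):
        data = zlib.decompress(data, -15)
    return data.decode("utf-8")

def inspect_saml_response(xml_text, acs_url, now=None):
    """Pull out the Subject fields and flag mismatches that break Snipe-IT logins.
    Signature verification is out of scope here; php-saml does that inside Snipe-IT."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", {"saml": SAML})
    scd = root.find(".//saml:SubjectConfirmationData", {"saml": SAML})
    attrs = scd.attrib if scd is not None else {}
    info = {"name_id": name_id.text if name_id is not None else None,
            "recipient": attrs.get("Recipient"), "in_response_to": attrs.get("InResponseTo"),
            "not_on_or_after": attrs.get("NotOnOrAfter"), "problems": []}
    if not info["name_id"]:
        info["problems"].append("no NameID: set the username attribute mapping instead")
    if info["recipient"] != acs_url:
        info["problems"].append(f"Recipient {info['recipient']!r} != ACS URL (check baseurl)")
    if info["not_on_or_after"]:
        expiry = datetime.fromisoformat(info["not_on_or_after"].replace("Z", "+00:00"))
        if now >= expiry:
            info["problems"].append("assertion expired: check clock skew between IdP and SP")
    return info

if __name__ == "__main__":
    captured = encode_saml_response(SAMPLE_XML)  # stand-in for the copied SAMLResponse value
    print(inspect_saml_response(decode_saml_response(captured), ACS_URL, SAMPLE_NOW))
```

A Recipient that differs from the ACS URL usually means the baseurl custom setting is wrong behind a reverse proxy; an expired assertion on a fresh login points at clock skew between the IdP and the Snipe-IT host.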

@boyejoayo

This is looking interesting...

@denzfarid


thanks man! I really appreciate it,
I use this method on G Suite, but there are a few changes, before you mentioned this

make sure that their usernames match the value of the NameID element!

and finally I changed username = email,
and it's working

The following is the SQL syntax for changing the username to the same as email

update users set username=email

@snipe
Owner

snipe commented Nov 3, 2020

We have this documented here now: https://snipe-it.readme.io/docs/saml


@snipe snipe closed this as completed Nov 3, 2020