GLPI is an open-source IT service management software made in France and used by a large number of companies in EMEA.
I worked with a customer on its integration with Okta. Here are some notes, together with instructions for running a test environment with Docker.
Note: since it is very easy to run GLPI with docker-compose and configure it with LDAP and/or SAML, it makes a good demo environment when you have to show the typical user experience of an LDAP (or SAML) integration.
There is an official Docker image that lets you run GLPI very quickly with docker or docker-compose.
I used it as a base and built a custom Docker Compose file that runs it alongside MariaDB, Mailpit (for email testing) and DbGate (a web-based database management tool).
To run it, clone the repo, edit the .env file, and execute make start:
git clone https://github.com/fabiograsso/okta-lab-glpi11
cd okta-lab-glpi11
cp .env.example .env
# (edit .env if needed)
make start
It exposes GLPI on port 80 on localhost, so you can open it at http://localhost
Once started, these are the default users for logging in to GLPI:
Login/Password: Role
glpi/glpi: admin account
tech/tech: technical account
normal/normal: "normal" account
post-only/postonly: post-only account
You will find two new folders:
./data/mysql contains the database, so that it persists when you restart the containers
./data/glpi contains the GLPI web application
Note: this docker-compose setup is for internal testing only. No security is configured (default accounts, plain HTTP on port 80), and it must not be used in production or on a public-facing server without hardening.
Go to Home → Setup → Authentication → LDAP directories → Add
Use the following configuration for the Okta LDAP Interface:
Server: your_okta_domain.ldap.okta.com
Port: 636 for LDAPS, or 389 together with "Use TLS: Yes" (STARTTLS) in the Advanced information tab. Do not use 389 without TLS: the bind password, and every user password GLPI checks with a bind, would cross the internet in clear text.
Connection Filter: (objectClass=person)
BaseDN: dc=your_okta_domain,dc=okta,dc=com (replace with your Okta LDAP Base DN; the first component is your Okta org subdomain)
Use bind: Yes
Root DN: uid=your_bind_user,ou=users,dc=your_okta_domain,dc=okta,dc=com (replace with your Okta LDAP Bind DN; Okta builds it from the bind user's Okta username under ou=users. Use a dedicated service account here, not an administrator's personal account.)
Password: your_bind_user_password
Login field: uid (the Okta username, which is normally the user's email address)
In the Users tab you can define which user attributes to sync. Additional attributes can be added based on your needs.
For the Groups tab the configuration is very simple:
Search type: “In Groups”
Filter: (objectClass=groupOfUniqueNames)
Group attribute: uniquemember
Use DN in search: No
In the Advanced information tab, you can set the following parameters:
Use TLS: Yes (with port 389 this negotiates STARTTLS on the connection; with port 636 the connection is already LDAPS)
LDAP Directory time zone: GMT
Timeout: 30. I suggest keeping the timeout as long as possible (the maximum is 30 seconds) to give users time to accept the push notification on their phone, if push MFA is used.
Once LDAP is configured, you can import users from Administration → Users, using the LDAP directory link.
The same can also be done for groups.
LDAP users can then log in by selecting the proper login source on the login page (or by keeping the default one if "Default server: Yes" is configured on the LDAP directory).
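Before typing the values above into GLPI, it is worth checking them with ldapsearch, using the same bind DN, base DN, connection filter and group filter GLPI will use. The script below is an added example, not code from this article or from GLPI: it builds the ldapsearch command lines (LDAPS on 636, or STARTTLS with -ZZ on 389, password read from a file rather than passed on the command line) and runs them when executed directly. It also shows the RFC 4515 escaping that any lookup built from a user-supplied login needs, since the "Login field" value comes straight from the login form. The host name, DNs, password file and sample login are placeholders.

```python
"""Added example, not code from the article or from GLPI: build (and optionally run)
the ldapsearch queries that exercise the same Okta LDAP interface settings GLPI
will use, so bind DN, base DN, connection filter and group filter can be checked
before they are typed into GLPI. Host, DNs and the password file are placeholders."""
import shlex
import subprocess

# RFC 4515: characters that must be escaped inside a search filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

CONNECTION_FILTER = "(objectClass=person)"           # Okta LDAP interface users
GROUP_FILTER = "(objectClass=groupOfUniqueNames)"   # Okta LDAP interface groups


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515).

    The login typed on the GLPI login page becomes the value searched in the
    "Login field" (uid); anything built from user input must be escaped like
    this, otherwise a login such as "*)(uid=*" changes the meaning of the filter.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(login: str, connection_filter: str = CONNECTION_FILTER) -> str:
    """The lookup GLPI performs at login: connection filter AND login-field match."""
    return f"(&{connection_filter}(uid={escape_filter_value(login)}))"


def ldapsearch_argv(host: str, port: int, base_dn: str, bind_dn: str,
                    password_file: str, search_filter: str, *attrs: str) -> list[str]:
    """Return the ldapsearch command line for a simple bind over TLS.

    636 uses ldaps://. 389 uses ldap:// plus -ZZ, which makes ldapsearch fail
    if STARTTLS cannot be negotiated (the equivalent of "Use TLS: Yes" in GLPI).
    The password comes from a file (-y) instead of -w, so it does not show up
    in the process list or the shell history.
    """
    if port == 636:
        transport = ["-H", f"ldaps://{host}:636"]
    elif port == 389:
        transport = ["-H", f"ldap://{host}:389", "-ZZ"]
    else:
        raise ValueError("Okta LDAP interface listens on 389 (STARTTLS) or 636 (LDAPS)")
    return ["ldapsearch", "-x", "-LLL", *transport, "-D", bind_dn, "-y", password_file,
            "-b", base_dn, search_filter, *attrs]


def run(argv: list[str]) -> str:
    """Run ldapsearch and return its LDIF output, raising with stderr on failure."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"ldapsearch exited {proc.returncode}: {proc.stderr.strip()}")
    return proc.stdout


if __name__ == "__main__":
    # Placeholder values: replace with the settings of your Okta LDAP interface.
    host = "your_okta_domain.ldap.okta.com"
    base_dn = "dc=your_okta_domain,dc=okta,dc=com"
    bind_dn = "uid=your_bind_user,ou=users,dc=your_okta_domain,dc=okta,dc=com"
    # Create with: printf '%s' "$BIND_PASSWORD" > bind.pw && chmod 600 bind.pw
    password_file = "bind.pw"
    checks = (
        ("bind and user lookup", user_filter("jane.doe@example.com"), ("uid", "cn", "mail")),
        ("group listing", GROUP_FILTER, ("cn", "uniqueMember")),
    )
    for label, flt, attrs in checks:
        argv = ldapsearch_argv(host, 636, base_dn, bind_dn, password_file, flt, *attrs)
        print(f"# {label}: {shlex.join(argv)}")
        print(run(argv))
```

If the first query returns the user entry with a uid attribute, the bind DN, base DN and connection filter are right; if the second returns groups with uniqueMember values, the Groups tab settings (uniquemember, groupOfUniqueNames) will work as well.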
The LDAP interface is limited in terms of features and user experience: users still type their Okta password into the GLPI login form, and a bind cannot offer Okta's browser-based sign-in flow. Another option is SAML, through the open-source samlSSO plugin. Once the plugin is installed and enabled, the configuration is split into a few tabs:
In the General tab, use the following configuration:
FRIENDLY NAME : Okta
LOGIN ICON : fa-solid fa-key (you can choose any icon you want from FontAwesome)
USERDOMAIN: leave empty (optionally you can set a domain to force users of that domain to use SSO)
IS ACTIVE: Yes
DEBUG: No
In the Transit tab, just keep the default values.
In the Service Provider tab, set the following parameters:
NAMEID FORMAT: Unspecified (this must match what the Okta application sends; Okta's default is Unspecified)
SP CERTIFICATE and PRIVATE KEY: leave empty. An SP key pair is only needed to sign the AuthnRequest and Single Logout requests, or to decrypt encrypted assertions, none of which a basic Okta setup requires.
You will also find here the Entity ID and ACS URL that you have to use in the Okta configuration.
For a simple demo, and to keep the configuration easy, do not enable Single Logout, so there is no need to generate an SP certificate. Strict mode in the Security tab can stay enabled: it only validates the response that Okta signs with its own certificate and does not need an SP key.
In the Identity Provider tab, set the following parameters:
ENTITY ID: http://www.okta.com/your_okta_org_id (replace with the Identity Provider Issuer shown in the Okta app's SAML setup instructions; the part after the slash is an application-specific identifier, not your org name)
SSO URL: https://your_okta_domain.okta.com/app/your_app_id/sso/saml (replace with the Identity Provider Single Sign-On URL from the same page)
IDP CERTIFICATE: copy/paste the Okta X.509 certificate here. This is the key the plugin uses to verify the signature on every SAML response, so take it from the Okta admin console (or the Okta metadata) and replace it when the application's certificate is rotated.
SLO URL: leave empty (unless you want to configure Single Logout)
Finally, the Security tab permits changing some security options, for example:
JIT USER CREATION: Yes - creates the users on the fly at first login (without it, only accounts that already exist in GLPI can sign in with SSO)
STRICT: Yes - enforces SAML response validation (unsigned or malformed responses are rejected); keep it on even in a demo
ENFORCED: No - unless you want to force all users to use SSO. Otherwise the login page keeps the local form and offers a "Sign In with SSO" button.