cloudducoeur/GLPI-Azuresync

GLPI-Azuresync

The AzureSync plugin synchronizes data from Microsoft SAML SSO into the GLPI database, based on Microsoft application attributes and claims. It depends on another plugin called PHP SAML by Derrick Smith.

Plugin installation

On the GLPI server, extract the azuresync directory into the GLPI installation tree, inside the plugins directory.
From the GLPI interface, go to Configuration → Plugins, install the plugin and activate it.


Refresh the page: a new Azure Sync entry will appear under the Administration tab.

Plugin configuration

Since v1.1.0


The plugin configuration page allows you to store in the database the Azure application claim keys for:

  • email address
  • groups
  • the department field (used by the synchronization rule Department to Entity).

Adding a synchronization rule

Group to Group

Since v1.0.0

This synchronization rule adds the user to a GLPI group when the groups claim of the SAML assertion contains the object ID of the matching Azure AD group.

Example:
The group “Support Tech” in Azure AD has the object ID 244cc64a-ae23-4ab1-8bd6-27c5ae3cbedf.
The same group exists in GLPI with ID 42.
Match on the object ID rather than on the display name: the object ID is immutable, whereas a display name can be renamed or reused for a different group.

The user fills in the form as follows:

  • Association type: Group to Group
  • Azure: 244cc64a-ae23-4ab1-8bd6-27c5ae3cbedf
  • Azure label (free field): Support Tech
  • GLPI: select the Support Tech group

AD Attribute to User Attribute

Since v1.0.0

This synchronization rule updates the GLPI user record using user data contained in the Microsoft authentication token.

Example:
To synchronize the user's mobile phone number, you must first add this claim to the Microsoft application.

In Azure:

  1. Open the application
  2. Go to Single sign-on
  3. In Attributes & Claims, click Edit
  4. Click Add a new claim
  5. Configure it as follows:
    • Name: mobilephone
    • Namespace: a distinct namespace used by GLPI to retrieve the value (can be empty or for example https://www.restosducoeur.org/user)
    • Source attribute: user.mobilephone
  6. Save

This claim will then be present for every new SSO login to GLPI.


In the GLPI form:

  • Association type: AD Attribute to User Attribute
  • Azure identifier: the full attribute name as sent in the SAML assertion, i.e. the namespace and the claim name joined with a slash, e.g. https://www.restosducoeur.org/user/mobilephone (if the namespace was left empty, Azure sends the bare claim name, e.g. mobilephone)
  • Azure label: Mobile phone
  • GLPI database column: the column name in the glpi_users table to update, e.g. mobile. The claim value is written to that column as received, so only map columns that the identity provider is meant to control.
  • GLPI label: Mobile phone
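The Group to Group and AD Attribute to User Attribute rules above both key off the attribute names carried in the SAML assertion. The following Python is an added example, not code from the AzureSync plugin or from PHP SAML: it builds the full claim path from a namespace and a claim name, extracts the attributes from a constructed (trimmed) attribute statement, and applies one Group to Group rule and one attribute rule to it. The groups claim name, the sample values, the rule lists and the column allow-list are assumptions made for this example; the plugin itself reads the claim keys from its configuration page and accepts any column name from the form.

```python
"""Added example (not the plugin's code): applying AzureSync-style rules to the
attributes of a SAML assertion."""
from __future__ import annotations

import uuid
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Standard Azure AD SAML groups claim; the real key is whatever the plugin
# configuration page stores (assumption for this example).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample attribute statement, trimmed to what the example needs.
SAMPLE_ATTRIBUTE_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="{GROUPS_CLAIM}">
    <saml:AttributeValue>244CC64A-AE23-4AB1-8BD6-27C5AE3CBEDF</saml:AttributeValue>
    <saml:AttributeValue>0b6d2c3e-1f4a-4d5b-9c8e-7a6f5e4d3c2b</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://www.restosducoeur.org/user/mobilephone">
    <saml:AttributeValue>+33 6 12 34 56 78</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Group to Group rule from the page: Azure object ID -> GLPI group ID 42.
GROUP_RULES = [("244cc64a-ae23-4ab1-8bd6-27c5ae3cbedf", 42)]
# AD Attribute to User Attribute rule from the page: claim path -> glpi_users column.
ATTRIBUTE_RULES = [("https://www.restosducoeur.org/user/mobilephone", "mobile")]
# Columns this example lets a claim write; the allow-list is the example's own
# design choice, not a feature of the plugin.
ALLOWED_COLUMNS = {"mobile", "phone", "phone2", "firstname", "realname"}


def claim_path(namespace: str, name: str) -> str:
    """Full attribute name as it appears in the assertion: namespace + "/" + name.
    With an empty namespace the bare claim name is used (assumption)."""
    namespace = namespace.rstrip("/")
    return f"{namespace}/{name}" if namespace else name


def parse_attributes(xml_text: str) -> dict[str, list[str]]:
    """Map each saml:Attribute Name to the list of its AttributeValue texts."""
    root = ET.fromstring(xml_text.strip())
    ns = {"saml": SAML_NS}
    attrs: dict[str, list[str]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", ns)]
        attrs.setdefault(attr.attrib["Name"], []).extend(values)
    return attrs


def normalize_object_id(value: str) -> str | None:
    """Canonical lowercase form of an Azure object ID, or None if it is not a GUID."""
    try:
        return str(uuid.UUID(value.strip()))
    except ValueError:
        return None


def group_to_group(attrs: dict[str, list[str]], rules, groups_claim: str = GROUPS_CLAIM) -> set[int]:
    """GLPI group IDs the user belongs to according to the groups claim.
    Object IDs are compared in canonical form so casing in the token is irrelevant."""
    token_groups = {normalize_object_id(v) for v in attrs.get(groups_claim, [])}
    token_groups.discard(None)
    return {glpi_id for azure_id, glpi_id in rules
            if normalize_object_id(azure_id) in token_groups}


def attribute_to_user(attrs: dict[str, list[str]], rules, allowed=ALLOWED_COLUMNS) -> dict[str, str]:
    """glpi_users column -> value for the claims present in the token.
    A rule targeting a column outside the allow-list is skipped, not written."""
    updates: dict[str, str] = {}
    for claim, column in rules:
        if column not in allowed:
            print(f"skipping rule for {claim}: column {column!r} is not allowed")
            continue
        values = attrs.get(claim)
        if values:  # absent claim: leave the existing GLPI value untouched
            updates[column] = values[0]
    return updates


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_ATTRIBUTE_STATEMENT)
    print("groups:", group_to_group(attrs, GROUP_RULES))
    print("user updates:", attribute_to_user(attrs, ATTRIBUTE_RULES))
```

Two design points worth carrying over to a real deployment: group matching is done on canonical GUIDs, so a token that carries the object ID in upper case still matches the rule; and a claim that is absent from the assertion leaves the GLPI field alone rather than blanking it.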

Group to Entity

Since v1.1.0

This synchronization rule assigns a GLPI entity and profile to a user who belongs to a specific Azure AD group.

Example:
The group “Support Tech” in Azure AD has object ID 244cc64a-ae23-4ab1-8bd6-27c5ae3cbedf.
The corresponding GLPI entity is “Support Tech N1”.

Form configuration:

  • Association type: Group to Entity
  • Azure identifier: 244cc64a-ae23-4ab1-8bd6-27c5ae3cbedf
  • Azure label (free field): Support Tech
  • GLPI entity: select Support Tech N1
  • Profile: select the desired profile
  • Recursive: whether the profile also applies to the sub-entities of the selected entity (GLPI's recursive profile assignment)
  • Dynamic: whether the assignment is flagged as dynamic, i.e. managed by the synchronization rather than set by hand

Department to Entity

Since v1.1.0

This synchronization rule defines the user's default GLPI entity based on the Department attribute from Azure AD.

Example:
The Azure AD department value is “AN”, and the corresponding entity is “RDC > AN”.

Form configuration:

  • Association type: Department to Entity
  • Azure identifier: AN
  • Azure label (free field): AN
  • GLPI entity: select RDC > AN
  • Profile: select the desired profile
  • Recursive: whether the profile also applies to the sub-entities of the selected entity (GLPI's recursive profile assignment)
  • Dynamic: whether the assignment is flagged as dynamic, i.e. managed by the synchronization rather than set by hand

CSV import / export

Synchronization rules can be imported or exported using a CSV file.
The column separator is ; and the fields must be in the following order:

  • Row identifier (id)
  • Azure identifier
  • Azure label
  • Association type:
    • 0 = Group to Group
    • 1 = AD Attribute to User Attribute
    • 2 = Group to Entity
    • 3 = Department to Entity
  • GLPI identifier
  • GLPI label
  • Recursive
  • Profile
  • Dynamic

Example:

7;d4ae92a3-3b66-403c-add0-1cc61a1418fe;"Users Member";2;3275;"Root entity > RDC Member";0;13;0
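The following Python is an added example, not code from the AzureSync plugin: it parses rows in the import format above, validates them, and serializes a rule back to the same layout. Beyond the page's own row it checks two things a practitioner wants before importing: that the Azure identifier of a Group to Group or Group to Entity rule is a group object ID (a GUID) and not a display name, and that Recursive and Dynamic are 0 or 1. It assumes that the GLPI identifier is numeric for every type except AD Attribute to User Attribute, where it is a glpi_users column name, and that Profile is 0 when no profile applies; the extra sample rows are constructed for the example.

```python
"""Added example (not the plugin's code): parse, validate and re-serialize rows
in the AzureSync CSV import format."""
from __future__ import annotations

import csv
import io
import uuid

ASSOCIATION_TYPES = {
    0: "Group to Group",
    1: "AD Attribute to User Attribute",
    2: "Group to Entity",
    3: "Department to Entity",
}
GUID_TYPES = {0, 2}  # the Azure identifier is a group object ID for these types
FIELDS = ["id", "azure_id", "azure_label", "association_type", "glpi_id",
          "glpi_label", "recursive", "profile", "dynamic"]

# Constructed sample: the row from the page, an attribute rule, and a row that
# uses a group display name instead of its object ID (rejected below).
SAMPLE_CSV = (
    '7;d4ae92a3-3b66-403c-add0-1cc61a1418fe;"Users Member";2;3275;"Root entity > RDC Member";0;13;0\n'
    '8;https://www.restosducoeur.org/user/mobilephone;"Mobile phone";1;mobile;"Mobile phone";0;0;0\n'
    '9;Support Tech;"Support Tech";0;42;"Support Tech";0;0;0\n'
)


def _int_field(rule: dict, key: str) -> int:
    try:
        return int(rule[key])
    except ValueError:
        raise ValueError(f"row {rule['id']}: {key} must be an integer, got {rule[key]!r}") from None


def parse_rule(row: list[str]) -> dict:
    """Turn one CSV row into a rule dict; raises ValueError for a malformed row."""
    if len(row) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {row}")
    rule = dict(zip(FIELDS, (f.strip() for f in row)))
    for key in ("id", "association_type", "recursive", "profile", "dynamic"):
        rule[key] = _int_field(rule, key)
    if rule["association_type"] not in ASSOCIATION_TYPES:
        raise ValueError(f"row {rule['id']}: unknown association type {rule['association_type']}")
    if rule["recursive"] not in (0, 1) or rule["dynamic"] not in (0, 1):
        raise ValueError(f"row {rule['id']}: recursive and dynamic must be 0 or 1")
    if rule["association_type"] in GUID_TYPES:
        try:  # canonical lowercase form, so one group cannot be imported twice under different casing
            rule["azure_id"] = str(uuid.UUID(rule["azure_id"]))
        except ValueError:
            raise ValueError(f"row {rule['id']}: Azure identifier {rule['azure_id']!r} "
                             "is not a group object ID") from None
    if rule["association_type"] != 1:
        rule["glpi_id"] = _int_field(rule, "glpi_id")  # group or entity ID; type 1 keeps the column name
    return rule


def load_rules(text: str) -> tuple[list[dict], list[str]]:
    """Parse every row; returns (valid rules, error messages) so a single bad
    row is reported instead of aborting the whole import or being dropped silently."""
    rules: list[dict] = []
    errors: list[str] = []
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if not row:
            continue
        try:
            rules.append(parse_rule(row))
        except ValueError as exc:
            errors.append(str(exc))
    return rules, errors


def format_rule(rule: dict) -> str:
    """Serialize a rule in the export layout: ; separator, labels double-quoted."""
    def quoted(text: str) -> str:
        return '"' + str(text).replace('"', '""') + '"'
    return ";".join(str(x) for x in (
        rule["id"], rule["azure_id"], quoted(rule["azure_label"]),
        rule["association_type"], rule["glpi_id"], quoted(rule["glpi_label"]),
        rule["recursive"], rule["profile"], rule["dynamic"]))


if __name__ == "__main__":
    rules, errors = load_rules(SAMPLE_CSV)
    for rule in rules:
        print(ASSOCIATION_TYPES[rule["association_type"]], "->", format_rule(rule))
    for err in errors:
        print("rejected:", err)
```

Run it on an export before re-importing: a rule whose Azure identifier is a group name rather than an object ID will never match a groups claim, and this check reports it instead of letting it sit silently unmatched.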

Documentation

Synchronization workflow


  1. The user clicks the Microsoft Login button and authenticates
  2. PHP SAML sends the authentication request to Microsoft
  3. PHP SAML retrieves and stores user data
  4. AzureSync is notified of the new session via a GLPI hook (init_session) and retrieves data from PHP SAML
  5. AzureSync updates the GLPI database

Adding a new synchronization rule

  1. In inc/match.class.php, add a new enum value in the getEnumAssociationType function
  2. In templates/form.html.twig, add an HTML block:
    <div class="row association-type" id="association-group-X">...</div>
    
    Replace X with the enum value added in step 1
  3. Inside this block, two inputs are mandatory:
    • glpi_id_X
    • glpi_label_X
      where X is the enum value.
      The form shows the block matching the selected Association type and hides the others.
  4. In inc/match.class.php, inside the updateUser function, add the business logic corresponding to the new synchronization rule
