GLPI: SSO with IIS – Single sign-on

In this article, I will explain how to implement SSO (Single Sign-On) with GLPI hosted on IIS.

SSO saves the user from having to enter credentials to connect to GLPI.

Prerequisites

  • Active Directory must be configured in GLPI and the users imported.
  • To set up single sign-on for GLPI, Windows Authentication (1) must be installed among the features of the IIS Web Server role, and your IIS server must be a member of the domain.
[Image: GLPI SSO, Windows Authentication prerequisite]

Site configuration in IIS

Open the IIS console, go to the GLPI site (1) and click on Authentication (2).

[Image: IIS console, GLPI site]

Select Anonymous Authentication (1) and click Disable (2).

[Image: disabling anonymous authentication]

Select Windows Authentication (1) and click Enable (2).

[Image: Windows Authentication to enable]

Windows Authentication is enabled (1).

[Image: Windows Authentication enabled]

GLPI configuration

In this part, we will configure GLPI to tell it which server variable holds the user name.

The steps below must be performed with a super-admin account.

From the navigation menu, go to Configuration (1) / Authentication (2).

[Image: GLPI configuration menu]

Click on Other authentication methods (1).

[Image: authentication method]

Select REMOTE_USER (1) in Identification storage fields in the HTTP request and click on Save (2).

[Image: choosing the REMOTE_USER variable]

Authentication is up. From a client computer in the domain, open Internet Explorer and go to GLPI; no authentication information should be requested.

Troubleshooting

Windows asks for credentials

When you open GLPI, a window asking for credentials appears. To resolve the problem, you must change the Internet security settings.

Open the Internet options, go to the Security tab (1) and click on Sites (2).

[Image: Internet options]

Click on Advanced (1).

[Image: Advanced]

Enter the URL of your GLPI site (1), then click on Add (2) and close the window (3).

[Image: GLPI URL for SSO]

Close the Internet options and refresh the page. The problem should be resolved.

This setting can be deployed by GPO to all workstations.

Create a site without SSO for FusionInventory

Enabling SSO prevents inventory through the FusionInventory agent: the agent does not send any identification information, so it can no longer access the page it uses to send its data.

This site can also be used when automatic tasks are triggered by a browser call, or to log in with the default GLPI account.

Open the IIS console, right-click on Sites (1) and click on Add website … (2).

[Image: new site in the IIS console]

Enter the site name (1). Select the location of the GLPI site (2) (the same one where SSO is enabled), enter the URL of the site (3) and click OK (4).

[Image: site settings]

The site is ready (1).

[Image: site added]

Check that PHP extensions are activated for the site.

Add a DNS record to be able to resolve the site’s URL.

[Image: DNS record]

From a client computer, open a browser and enter the URL. The authentication page is displayed and it is possible to select the authentication source.

[Image: authentication form]

For the FusionInventory agents to work properly, they must be configured with this URL.
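
The IIS steps from "Site configuration in IIS" and from this section can also be scripted and checked with the WebAdministration module. This is an added example, not part of the original article; the site names, host name and port are assumptions to adapt to your environment.

```powershell
# Added example. Site names, host name and port are assumptions.
Import-Module WebAdministration

$SsoSite   = 'GLPI'                          # assumed: existing site that gets SSO
$AgentSite = 'GLPI-Inventory'                # assumed: site without SSO for the agents
$AgentHost = 'glpi-inventory.example.local'  # assumed: needs a matching DNS record
$AuthBase  = '/system.webServer/security/authentication'

function Set-SiteAuth {
    param([string]$Site, [bool]$Anonymous, [bool]$Windows)
    # Written to applicationHost.config under <location path="$Site">, so two
    # sites that share the same GLPI folder keep separate authentication settings.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site `
        -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $Anonymous
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site `
        -Filter "$AuthBase/windowsAuthentication" -Name enabled -Value $Windows
}

function Get-SiteAuth {
    param([string]$Site)
    $state = [ordered]@{ Site = $Site }
    foreach ($mode in 'anonymousAuthentication', 'windowsAuthentication') {
        $state[$mode] = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site `
            -Filter "$AuthBase/$mode" -Name enabled).Value
    }
    [pscustomobject]$state
}

# SSO site: anonymous off, Windows on, so IIS fills REMOTE_USER from the Windows logon.
Set-SiteAuth -Site $SsoSite -Anonymous $false -Windows $true

# Second site on the same GLPI folder, reachable without Windows credentials.
if (-not (Test-Path "IIS:\Sites\$AgentSite")) {
    $path = [Environment]::ExpandEnvironmentVariables((Get-Item "IIS:\Sites\$SsoSite").physicalPath)
    New-Website -Name $AgentSite -PhysicalPath $path -HostHeader $AgentHost -Port 80 | Out-Null
}
Set-SiteAuth -Site $AgentSite -Anonymous $true -Windows $false

# Verify: stop if the SSO site still accepts anonymous requests.
$sso = Get-SiteAuth $SsoSite
if ($sso.anonymousAuthentication -or -not $sso.windowsAuthentication) {
    throw "Site '$SsoSite' is not restricted to Windows Authentication."
}
$sso, (Get-SiteAuth $AgentSite) | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the IIS server; the final table shows the authentication state of both sites side by side.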



