Authentication with OpenID
- name: Combodo-hybridauth
- description: Connect to iTop using OpenID providers (Facebook, Google, Twitter, LinkedIn, MicrosoftGraph …)
- version: 1.2.3
- release: 2024-09-03
- itop-version-min: 2.7
- state: stable
- php-version-max: PHP 8.2 since version 1.2.1, PHP 8.0 otherwise
With this extension, users can connect to iTop using OpenID providers (Facebook, Google, Twitter, LinkedIn, MicrosoftGraph …)
Features
- Adds the capability to configure SSO authentication with the most common OpenID Identity providers (Facebook, Google, Twitter, LinkedIn, MicrosoftGraph …)
- Offers new authentication modes based on OAuth and OpenID Single Sign-On (SSO) for the following OpenID providers:
- Those modes can be mixed with other modes (internal, SAML …)
- Several Identity providers can be configured at once, for instance to allow access through both Google and MicrosoftGraph
- Relies on the HybridAuth library, which provides a unified interface to identify a user and retrieve contact information
- Some of those Identity providers can return user information that allows automatic User and Person provisioning in iTop. Check the third column of the Providers table: this information is required for automatic User/Person provisioning on the user's first connection.
Revision History
Release Date | Version | Comments |
---|---|---|
2024-09-03 | 1.2.3 | * N°7780 - 'allowed_login_types' order doesn't work for authentication with OpenID |
2024-08-02 | 1.2.2 | * N°7582 - Be able to tune debug configuration from UI |
Not published | 1.2.1 | * N°7088 - OAuth2 authentication with Keycloak * N°6346 - combodo-hybridauth: update library for PHP 8.0 compatibility * N°4473 - Add delegated authentication (OpenID) configuration GUI |
2023-11-28 | 1.2.0 | * N°6556 - Add possibility to customize display of login buttons |
2023-07-13 | 1.1.2 | * N°6509 - Remove tests folder from builds |
2023-07-05 | 1.1.1 | * N°6369 - Fix warnings when configuration is missing * Updated German translations by Lars Kaltefleiter |
2022-12-02 | 1.1.0 | * Compatibility with iTop 3.0 |
2019-08-27 | 1.0.0 | * First version |
Limitations
There is no mapping capability for contact provisioning.
This capability may not work if you have changed the default datamodel.
Requirements
You have to register the iTop application on your Identity provider so that iTop and the provider can communicate. See your Identity provider's documentation for details.
Installation
Use the Standard installation process for this extension.
Configuration
First, you have to configure the iTop application on your identity provider (Google, Facebook …). The iTop landing page (redirect URL) to provide to your Identity provider is:
<itop url>/env-production/combodo-hybridauth/landing.php

Once iTop is configured:
- open the file 'config-itop.php'
- add the corresponding provider to the allowed_login_types parameter, in the form hybridauth-<provider name>

config-itop.php:
```php
'allowed_login_types' => 'form|hybridauth-Facebook|hybridauth-Google|hybridauth-MicrosoftGraph|basic|external',
```

- form must remain the first, for all the others to be proposed to the user. If a hybridauth option is entered first, the login page jumps directly to the remote provider's login page.
- basic must be left in the list for REST to keep working.
The configuration is located in the section combodo-hybridauth. In its providers section you can configure several providers; the "enabled" flag activates or deactivates the corresponding authentication provider.

Parameter | Description | Values |
---|---|---|
debug | activates the logging mode. All logs are written to the file log/hybridauth.log under the iTop directory | true or false |
synchronize_user | defines whether user provisioning is active | true or false |
synchronize_contact | defines whether contact provisioning is active; recommended if you have configured user provisioning | true or false |
default_organization | default organization used to create a contact | an existing iTop organization name |
default_profile | profile name given automatically at user creation | an iTop profile |

For each provider, you have to specify the application id configured on the provider side, and the secret used for authentication. A working configuration looks like this:

config-itop.php:
```php
'combodo-hybridauth' => array (
    'debug' => true,
    'synchronize_user' => true,
    'synchronize_contact' => true,
    'default_organization' => 'demo',
    'default_profile' => 'Portal User',
    'providers' => array (
        'Google' => array (
            'enabled' => false,
            'keys' => array (
                'id' => 'your-google-client-id',
                'secret' => 'your-google-client-secret',
            ),
        ),
        'GitHub' => array (
            'enabled' => true,
            'keys' => array (
                'key' => 'd4fd111f7231068dbeff',
                'secret' => '44b107f4700c9585f2193784a2c6ae4c5032abef',
            ),
        ),
        'Twitter' => array (
            'enabled' => false,
            'keys' => array (
                'key' => '...',
                'secret' => '...',
            ),
        ),
        'Facebook' => array (
            'enabled' => true,
            'keys' => array (
                'id' => '525510544861103',
                'secret' => 'd89c181ca9524e999fa54e24b4261ab2',
            ),
        ),
        'MicrosoftGraph' => array (
            'enabled' => true,
            'keys' => array (
                'id' => 'xxxx-xxxxx-xxxxx-xxxxx',
                'secret' => 'xxxxxx',
            ),
        ),
    ),
),
```
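The rules above (form before any hybridauth entry, basic kept for REST, every allowed provider enabled with a non-empty id and secret, debug off outside troubleshooting) are easy to get wrong by hand. The following check is an added example, not part of the extension; it assumes the two sections have been merged into one array (in config-itop.php, allowed_login_types lives in $MySettings and the combodo-hybridauth section in $MyModuleSettings, so pass `$MySettings + $MyModuleSettings`).

```php
<?php
// Added example (not the extension's code): pre-deployment check of the
// login settings this page describes. Input: one array holding both the
// 'allowed_login_types' string and the 'combodo-hybridauth' section.
function checkHybridauthConfig(array $config): array
{
    $problems = [];
    $types = explode('|', $config['allowed_login_types'] ?? '');
    $module = $config['combodo-hybridauth'] ?? [];
    $providers = $module['providers'] ?? [];
    // A hybridauth entry placed before 'form' sends the login page straight to that remote provider.
    $formPos = array_search('form', $types, true);
    foreach ($types as $pos => $type) {
        if (strpos($type, 'hybridauth-') === 0 && ($formPos === false || $pos < $formPos)) {
            $problems[] = "$type is listed before 'form': users will never see the other modes";
        }
    }
    // 'basic' must stay in the list or REST authentication stops working.
    if (!in_array('basic', $types, true)) {
        $problems[] = "'basic' missing from allowed_login_types: REST clients cannot log in";
    }
    foreach ($types as $type) {
        if (strpos($type, 'hybridauth-') !== 0) {
            continue;
        }
        $name = substr($type, strlen('hybridauth-'));
        if (!isset($providers[$name])) {
            $problems[] = "$type is allowed but no provider '$name' is configured";
            continue;
        }
        $provider = $providers[$name];
        if (empty($provider['enabled'])) {
            $problems[] = "$type is allowed but provider '$name' has 'enabled' => false";
        }
        // Hybridauth names the client identifier 'id' or 'key' depending on the provider.
        $keys = $provider['keys'] ?? [];
        $clientId = $keys['id'] ?? $keys['key'] ?? '';
        if ($clientId === '' || ($keys['secret'] ?? '') === '') {
            $problems[] = "provider '$name' has an empty client id or secret";
        }
    }
    // debug writes every exchange to log/hybridauth.log; leave it off outside troubleshooting.
    if (!empty($module['debug'])) {
        $problems[] = "debug is true: log/hybridauth.log will grow on every login attempt";
    }
    return $problems;
}
```

An empty array means the configuration passes; otherwise each string names one setting to fix before the file goes live.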
Specific settings by provider (since version 1.2.1, N°4473)
The options below can be set globally for most OpenID providers, but you can also override them for a specific provider: default_organization, default_profile, synchronize_user, synchronize_contact.
Example with Google:
```php
'combodo-hybridauth' => array (
    'debug' => false,
    'synchronize_user' => false,
    'synchronize_contact' => false,
    'default_organization' => 'GlobalOrg',
    'default_profile' => 'Configuration Manager',
    'providers' => array (
        'Google' => array (
            'keys' => array (
                'id' => 'id',
                'secret' => 'secret',
            ),
            'enabled' => true,
            'synchronize_user' => true,
            'synchronize_contact' => true,
            'default_profile' => 'PortalUser',
            'default_organization' => 'IT Department',
        ),
    ),
),
```
Usage
If you don't use automatic provisioning, you have to create the SSO users in iTop yourself, choosing the type External user when prompted for a "New user Account":
Once configured, the login form will look like this:
Provisioning
If you activate User/Person provisioning, here is what is filled automatically from what the hybridauth provider returns (not every provider supplies all of this data):
- Person fields provisioned regardless of the provider: first_name, name, email, phone, and org_id with the fixed value from the configuration file
- User fields provisioned: login, person_id
All other fields get their default value.
If the standard iTop datamodel was changed by adding a mandatory field without a default value on User and/or Person, this can break the provisioning.
Questions & Answers
Q: Can I mix OpenID Connect and a captcha?
A: Yes, this is possible using Combodo's customer extension Brute Force Protection.
Q: What are Hybridauth, OpenID Connect and OAuth2?
A:
- Hybridauth is the PHP library used by iTop to run the OpenID Connect protocol.
- OpenID Connect is the 3rd version of the OpenID protocol; it builds on OAuth2 and is a protocol used exclusively for authentication and user provisioning.
Q: Can we change the layout of the login page (name, button, …)?
A: Since version 1.1.3 (included in iTop pro 3.1.1) it is possible to customize the label, tooltip and icon of the buttons.
For example, to get this login screen:
add the values hybridauth-Paw and hybridauth-Google to the allowed_login_types field of your configuration file:

config-itop.php:
```php
'allowed_login_types' => 'url|form|hybridauth-Paw|hybridauth-Google|external|basic',
```

And, in the module section, their settings:

config-itop.php:
```php
'combodo-hybridauth' => array (
    'debug' => false,
    'synchronize_user' => false,
    'synchronize_contact' => false,
    'default_organization' => '',
    'default_profile' => 'Portal User',
    'providers' => array (
        'Paw' => array (
            'adapter' => 'Hybridauth\\Provider\\Google',
            'label' => 'Login like a bear',
            'tooltip' => 'Login with your paw',
            'icon_url' => 'https://localhost/itop/images/logos/paw.png',
            'enabled' => true,
            'keys' => array (
                'id' => 'your-google-client-id1',
                'secret' => 'your-google-client-secret1',
            ),
        ),
        'Google' => array (
            'enabled' => true,
            'keys' => array (
                'id' => 'your-google-client-id2',
                'secret' => 'your-google-client-secret2',
            ),
        ),
    ),
),
```
In this case, the provider 'Paw' gives access to iTop with a Google account, but with a different secret than the provider 'Google'.
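Two features of the module section interact here: the per-provider overrides of default_organization, default_profile, synchronize_user and synchronize_contact (see "Specific settings by provider" above) and the 'adapter' alias that lets 'Paw' reuse the Google adapter. The function below is an added example, not the extension's own code; it computes the settings that end up applying to one provider entry, and assumes, as the Hybridauth library does, that a provider without an explicit 'adapter' maps to the class Hybridauth\Provider\<name>.

```php
<?php
// Added example (not the extension's code): resolve the effective settings
// of one entry of 'combodo-hybridauth' => ['providers' => ...], applying the
// precedence described on this page: a key set on the provider overrides
// the section-wide value.
function effectiveProviderSettings(array $module, string $name): array
{
    if (!isset($module['providers'][$name])) {
        throw new InvalidArgumentException("no provider '$name' in combodo-hybridauth");
    }
    $provider = $module['providers'][$name];
    $settings = ['name' => $name, 'enabled' => !empty($provider['enabled'])];
    foreach (['default_organization', 'default_profile', 'synchronize_user', 'synchronize_contact'] as $key) {
        // Provider-level value wins; otherwise fall back to the section-wide one.
        $settings[$key] = array_key_exists($key, $provider) ? $provider[$key] : ($module[$key] ?? null);
    }
    // Assumption: without 'adapter', Hybridauth loads the class named after the provider.
    $settings['adapter'] = $provider['adapter'] ?? 'Hybridauth\\Provider\\' . $name;
    // Custom button label (login-page layout question above); default to the provider name.
    $settings['label'] = $provider['label'] ?? $name;
    return $settings;
}

// Constructed sample: provisioning is off globally, and 'Paw' is a Google-backed
// alias that turns it on for its own users with a different profile.
$module = [
    'synchronize_user' => false, 'synchronize_contact' => false,
    'default_organization' => 'GlobalOrg', 'default_profile' => 'Configuration Manager',
    'providers' => [
        'Paw' => [
            'adapter' => 'Hybridauth\\Provider\\Google', 'label' => 'Login like a bear',
            'enabled' => true, 'synchronize_user' => true, 'synchronize_contact' => true,
            'default_profile' => 'Portal User', 'keys' => ['id' => 'client-id-1', 'secret' => 'secret-1'],
        ],
        'Google' => ['enabled' => true, 'keys' => ['id' => 'client-id-2', 'secret' => 'secret-2']],
    ],
];
foreach (['Paw', 'Google'] as $name) {
    print_r(effectiveProviderSettings($module, $name));
}
```

Running it shows 'Paw' with synchronize_user => true and default_profile => 'Portal User' while 'Google' inherits the global false / 'Configuration Manager', so a login through the aliased button provisions accounts that a login through the plain Google button does not.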