iTop Extensions

Authentication with OpenID

Connect to iTop using OpenID providers (Facebook, Google, Twitter, LinkedIn, MicrosoftGraph …)
PHP 8.1

With this extension, users can connect to iTop using OpenID providers (Facebook, Google, Twitter, LinkedIn, MicrosoftGraph …)


Add capability to configure SSO authentication with most common OpenID Identity providers (Facebook, Google, Twitter, LinkedIn, MicrosoftGraph …)

  • It offers new authentication modes based on oAuth and OpenID Single Sign On (SSO) for the following OpenID providers:
  • Those modes can be mixed with other modes (internal, SAML …)
  • It is possible to configure several Identity providers if you want to allow access for instance to both Google and MicrosoftGraph
  • It relies on HybridAuth library library, which provides a unified interface to identify a user and retrieve contact information.
  • Some of those Identity providers are able to provide user information to allow automatic User and Person provisioning in iTop.
    Check the third column of the Providers table, it is required for automatic User/Person provisioning on User first connection.

Revision History

Version Release Date Comments
1.1.0 2022-12-02 Compatibility with iTop 3.0
1.0.0 2019-08-27 First version


There is no mapping capability for contact provisioning.

This capability may not work if you have changed the default datamodel


You have to configure the iTop application on your Identity provider to allow communication between iTop and this one. Look at your Identity provider documentation for more details.


Use the Standard installation process for this extension.


First, you have to configure the iTop provider on your identity provider (Google, Facebook …)

  • The iTop landing page to provide to your Identity provider is:
<itop url>/env-production/combodo-hybridauth/landing.php

Once iTop is configured,

  • open the file 'config-itop.php'
  • add to the allowed_login_types parameter, the corresponding provider in the form of hybridauth-<provider name>
allowed_login_types => 'form|hybridauth-Facebook|hybridauth-Google|hybridauth-MicrosoftGraph|basic|external',
  • form must remain the first, for all the others to be proposed to the user.
  • If an hybridauth option is entered first, then the login page directly jump to the remote provider login page. basic must be left in the list for REST to still work.

The configuration is located in the section combodo-hybridauth. In the providers section you can configure several provider. The “enabled” flag allows to activate the corresponding authentication provider or not

parameters description values
debug active the logging mode. All logs are written in the file log/hybridauth.log under iTop directory true or false
synchronize_user define if user provisionning is active true or false
synchronize_contact define if contact provisionning is active, recommended if you have configured user provisionning true or false
default_organization default organization used to create a contact an iTop existing organization name
default_profile profile name given automatically at user creation an iTop profile

For each provider, you have to specify the application id configure on the provider side, and the secret for authentification

It should look as shown below:

Example of a working configuration:

'combodo-hybridauth' => array (
    'debug' => true,
    'synchronize_user' => true,
    'synchronize_contact' => true,
    'default_organization' => 'demo',
    'default_profile' => 'Portal User',
    'providers' => array (
      'Google' =>
      array (
        'enabled' => false,
        'keys' =>
        array (
          'id' => 'your-google-client-id',
          'secret' => 'your-google-client-secret',
      'GitHub' =>
      array (
        'enabled' => true,
        'keys' =>
        array (
          'key' => 'd4fd111f7231068dbeff',
          'secret' => '44b107f4700c9585f2193784a2c6ae4c5032abef',
      'Twitter' =>
      array (
        'enabled' => false,
        'keys' =>
        array (
          'key' => '...',
          'secret' => '...',
      'Facebook' =>
      array (
        'enabled' => true,
        'keys' =>
        array (
          'id' => '525510544861103',
          'secret' => 'd89c181ca9524e999fa54e24b4261ab2',
      'MicrosoftGraph' => 
        array (
            'enabled' => true,
            'keys' => 
                    array (
                      'key' => 'xxxx-xxxxx-xxxxx-xxxxx',
                      'secret' => 'xxxxxx',


If you don't use the automatic provisionning, you have to create in iTop SSO users using the type External user when prompted for a “New user Account”:

Once configured, the Login form will look like


If you activate the User/Person provisioning, here is what will be filled automatically with what the hybridauth provider returns (Not all data are provided by each provider)

  • Person fields provisioned regardless of the Provider: first_name, name, email, phone, org_id with the fixed value from the Configuration File
  • User field provisioned: login, person_id

The rest of the fields got their default value.

If the iTop standard datamodel was changed by adding mandatory field without default value on User and/or Person, this can break the provisioning

Questions & Answers

Q: Can I mix OpenID Connect and a captcha?
A: Yes this is possible using the Combodo's customer extension Brute Force Protection.

Q: What is Hybridauth, OpenID Connect and OAuth2?

  • Hybridauth is the PHP library used by iTop to run the OpenID Connect protocol
  • OpenID Connect is the 3rd version of the OpenID protocol, it uses OAuth2, it's a protocol used exclusively for Authentication and user provisionning

More info in french

Q: Can we change the layout of the login page (name, button,…)?
A: This is possible for developers. FIXME for more details…

extensions/combodo-hybridauth.txt · Last modified: 2023/05/16 18:36 (external edit)
Back to top
Contact us