Authentication with OpenID
- Connect to iTop using OpenID providers (Facebook, Google, Twitter, LinkedIn, MicrosoftGraph …)
- PHP 8.1
With this extension, users can connect to iTop using OpenID providers (Facebook, Google, Twitter, LinkedIn, MicrosoftGraph …)
Add capability to configure SSO authentication with most common OpenID Identity providers (Facebook, Google, Twitter, LinkedIn, MicrosoftGraph …)
It offers new authentication modes based on oAuth and OpenID Single Sign On (SSO) for the following OpenID providers:
Those modes can be mixed with other modes (internal, SAML …)
It is possible to configure several Identity providers if you want to allow access for instance to both Google and MicrosoftGraph
It relies on HybridAuth library library, which provides a unified interface to identify a user and retrieve contact information.
Some of those Identity providers are able to provide user information to allow automatic User and Person provisioning in iTop.
Check the third column of the Providers table, it is required for automatic User/Person provisioning on User first connection.
|1.1.0||2022-12-02||Compatibility with iTop 3.0|
There is no mapping capability for contact provisioning.
This capability may not work if you have changed the default datamodel
You have to configure the iTop application on your Identity provider to allow communication between iTop and this one. Look at your Identity provider documentation for more details.
Use the Standard installation process for this extension.
First, you have to configure the iTop provider on your identity provider (Google, Facebook …)
The iTop landing page to provide to your Identity provider is:
Once iTop is configured,
open the file 'config-itop.php'
add to the
allowed_login_typesparameter, the corresponding provider in the form of hybridauth-<provider name>
allowed_login_types => 'form|hybridauth-Facebook|hybridauth-Google|hybridauth-MicrosoftGraph|basic|external',
formmust remain the first, for all the others to be proposed to the user.
If an hybridauth option is entered first, then the login page directly jump to the remote provider login page.
basicmust be left in the list for REST to still work.
The configuration is located in the section
combodo-hybridauth. In the providers section you can
configure several provider. The “enabled” flag allows to activate
the corresponding authentication provider or not
|debug||active the logging mode. All logs are written in the file log/hybridauth.log under iTop directory||true or false|
|synchronize_user||define if user provisionning is active||true or false|
|synchronize_contact||define if contact provisionning is active, recommended if you have configured user provisionning||true or false|
|default_organization||default organization used to create a contact||an iTop existing organization name|
|default_profile||profile name given automatically at user creation||an iTop profile|
For each provider, you have to specify the application id configure on the provider side, and the secret for authentification
It should look as shown below:
Example of a working configuration:
'combodo-hybridauth' => array ( 'debug' => true, 'synchronize_user' => true, 'synchronize_contact' => true, 'default_organization' => 'demo', 'default_profile' => 'Portal User', 'providers' => array ( 'Google' => array ( 'enabled' => false, 'keys' => array ( 'id' => 'your-google-client-id', 'secret' => 'your-google-client-secret', ), ), 'GitHub' => array ( 'enabled' => true, 'keys' => array ( 'key' => 'd4fd111f7231068dbeff', 'secret' => '44b107f4700c9585f2193784a2c6ae4c5032abef', ), ), 'Twitter' => array ( 'enabled' => false, 'keys' => array ( 'key' => '...', 'secret' => '...', ), ), 'Facebook' => array ( 'enabled' => true, 'keys' => array ( 'id' => '525510544861103', 'secret' => 'd89c181ca9524e999fa54e24b4261ab2', ), ), 'MicrosoftGraph' => array ( 'enabled' => true, 'keys' => array ( 'key' => 'xxxx-xxxxx-xxxxx-xxxxx', 'secret' => 'xxxxxx', ), ), ), ),
If you don't use the automatic provisionning, you have to create in iTop SSO users using the type External user when prompted for a “New user Account”:
Once configured, the Login form will look like
If you activate the User/Person provisioning, here is what will be filled automatically with what the hybridauth provider returns (Not all data are provided by each provider)
Person fields provisioned regardless of the Provider:
org_idwith the fixed value from the Configuration File
User field provisioned:
The rest of the fields got their default value.
If the iTop standard datamodel was changed by adding mandatory field without default value on User and/or Person, this can break the provisioning
Questions & Answers
Q: Can I mix OpenID Connect and a captcha?
A: Yes this is possible using the Combodo's customer extension Brute Force Protection.
Q: What is Hybridauth, OpenID Connect and
Hybridauth is the PHP library used by iTop to run the OpenID Connect protocol
OpenID Connect is the 3rd version of the OpenID protocol, it uses OAuth2, it's a protocol used exclusively for Authentication and user provisionning
Q: Can we change the layout of the login page (name,
A: This is possible for developers. for more details…