Sidebar

Combodo

iTop Extensions

Authentication with OpenID

name:
Combodo-hybridauth
description:
Connect to iTop using OpenID providers (Facebook, Google, Twitter, LinkedIn, MicrosoftGraph …)
version:
1.2.0
release:
2023-11-28
itop-version-min:
2.7
state:
stable
php-version-max:
PHP 8.2 since version 1.2.1. PHP 8.0 otherwise

With this extension, users can connect to iTop using OpenID providers (Facebook, Google, Twitter, LinkedIn, MicrosoftGraph …)

Features

Add capability to configure SSO authentication with most common OpenID Identity providers (Facebook, Google, Twitter, LinkedIn, MicrosoftGraph …)

  • It offers new authentication modes based on oAuth and OpenID Single Sign On (SSO) for the following OpenID providers:
  • Those modes can be mixed with other modes (internal, SAML …)
  • It is possible to configure several Identity providers if you want to allow access for instance to both Google and MicrosoftGraph
  • It relies on HybridAuth library library, which provides a unified interface to identify a user and retrieve contact information.
  • Some of those Identity providers are able to provide user information to allow automatic User and Person provisioning in iTop.
    Check the third column of the Providers table, it is required for automatic User/Person provisioning on User first connection.

Revision History

Version Release Date Comments
Not published 1.2.1 * N°7088 - Authentification OAUth2 with Keycloack
* N°6346 - combodo-hybridauth : update library for php 8.0 compatibility
* N°4473 - Add delegated authentication (OpenID) configuration GUI
2023-11-28 1.2.0 * N°6556 - Add possibility to customize display of login buttons
2023-07-13 1.1.2 * N°6509 - Remove tests folder from builds
2023-07-05 1.1.1 * N°6369 Fixing warnings when configuration is missing
* Updated german translations by Lars Kaltefleiter
2022-12-02 1.1.0 * Compatibility with iTop 3.0
2019-08-27 1.0.0 * First version

Limitations

There is no mapping capability for contact provisioning.

This capability may not work if you have changed the default datamodel

Requirements

You have to configure the iTop application on your Identity provider to allow communication between iTop and this one. Look at your Identity provider documentation for more details.

Installation

Use the Standard installation process for this extension.

Configuration

First, you have to configure the iTop provider on your identity provider (Google, Facebook …)

  • The iTop landing page to provide to your Identity provider is:
<itop url>/env-production/combodo-hybridauth/landing.php

Once iTop is configured,

  • open the file 'config-itop.php'
  • add to the allowed_login_types parameter, the corresponding provider in the form of hybridauth-<provider name>
config-itop.php
allowed_login_types => 'form|hybridauth-Facebook|hybridauth-Google|hybridauth-MicrosoftGraph|basic|external',
  • form must remain the first, for all the others to be proposed to the user.
  • If an hybridauth option is entered first, then the login page directly jump to the remote provider login page. basic must be left in the list for REST to still work.

The configuration is located in the section combodo-hybridauth. In the providers section you can configure several provider. The “enabled” flag allows to activate the corresponding authentication provider or not

parameters description values
debug active the logging mode. All logs are written in the file log/hybridauth.log under iTop directory true or false
synchronize_user define if user provisionning is active true or false
synchronize_contact define if contact provisionning is active, recommended if you have configured user provisionning true or false
default_organization default organization used to create a contact an iTop existing organization name
default_profile profile name given automatically at user creation an iTop profile

For each provider, you have to specify the application id configure on the provider side, and the secret for authentification

It should look as shown below:

Example of a working configuration:

config-itop.php
'combodo-hybridauth' => array (
    'debug' => true,
    'synchronize_user' => true,
    'synchronize_contact' => true,
    'default_organization' => 'demo',
    'default_profile' => 'Portal User',
    'providers' => array (
      'Google' =>
      array (
        'enabled' => false,
        'keys' =>
        array (
          'id' => 'your-google-client-id',
          'secret' => 'your-google-client-secret',
        ),
      ),
      'GitHub' =>
      array (
        'enabled' => true,
        'keys' =>
        array (
          'key' => 'd4fd111f7231068dbeff',
          'secret' => '44b107f4700c9585f2193784a2c6ae4c5032abef',
        ),
      ),
      'Twitter' =>
      array (
        'enabled' => false,
        'keys' =>
        array (
          'key' => '...',
          'secret' => '...',
        ),
      ),
      'Facebook' =>
      array (
        'enabled' => true,
        'keys' =>
        array (
          'id' => '525510544861103',
          'secret' => 'd89c181ca9524e999fa54e24b4261ab2',
        ),
      ),
      'MicrosoftGraph' => 
        array (
            'enabled' => true,
            'keys' => 
                    array (
                      'key' => 'xxxx-xxxxx-xxxxx-xxxxx',
                      'secret' => 'xxxxxx',
          ),
       ),
   ),
),

Specific settings by provider (since version 1.2.1 N°4473)

Below options can be set globally for most OpenId providers. But you can also override them for a specific provider: default_organization, default_profile, synchronize_user, synchronize_contact

Example with Google here:

      'combodo-hybridauth' => array (
                'debug' => false,
                'synchronize_user' => false,
                'synchronize_contact' => false,
                'default_organization' => 'GlobalOrg',
                'default_profile' => 'Configuration Manager',
                'providers' => array (
                  'Google' => 
                  array (
                    'keys' => 
                    array (
                      'id' => 'id',
                      'secret' => 'secret',
                    ),
                    'enabled' => true,
                    'synchronize_user' => true,
                    'synchronize_contact' => true,
                    'default_profile' => 'PortalUser',
                    'default_organization' => 'IT Department',
                  ),
                ),
        ),

Usage

If you don't use the automatic provisionning, you have to create in iTop SSO users using the type External user when prompted for a “New user Account”:

Once configured, the Login form will look like

Provisionning

If you activate the User/Person provisioning, here is what will be filled automatically with what the hybridauth provider returns (Not all data are provided by each provider)

  • Person fields provisioned regardless of the Provider: first_name, name, email, phone, org_id with the fixed value from the Configuration File
  • User field provisioned: login, person_id

The rest of the fields got their default value.

If the iTop standard datamodel was changed by adding mandatory field without default value on User and/or Person, this can break the provisioning

Questions & Answers

Q: Can I mix OpenID Connect and a captcha?
A: Yes this is possible using the Combodo's customer extension Brute Force Protection.

Q: What is Hybridauth, OpenID Connect and OAuth2?
A:

  • Hybridauth is the PHP library used by iTop to run the OpenID Connect protocol
  • OpenID Connect is the 3rd version of the OpenID protocol, it uses OAuth2, it's a protocol used exclusively for Authentication and user provisionning

More info in french

Q: Can we change the layout of the login page (name, button,…)?
A: Since version 1.1.3 (inclued in iTop pro 3.1.1) this is possible to customize the label, tooltip and icon on the buttons.

For example, in order to have this login screen :

in your configuration file, you have to add values hybridauth-Paw and hybridauth-Google in field allowed_login_types:

config-itop.php
'allowed_login_types' => 'url|form|hybridauth-Paw|hybridauth-Google|external|basic',

And in module section theirs settings:

config-itop.php
'combodo-hybridauth' => array (
        'debug' => false,
        'synchronize_user' => false,
        'synchronize_contact' => false,
        'default_organization' => '',
        'default_profile' => 'Portal User',
        'providers' => array (
          'Paw' => 
                array (
                  'adapter' => 'Hybridauth\\Provider\\Google',
                  'label' => 'Login like a bear',
                  'tooltip' => 'Login with your paw',
                  'icon_url' => 'https://localhost/itop/images/logos/paw.png',
                  'enabled' => true,
                  'keys' => 
                  array (
                    'id' => 'your-google-client-id1',
                    'secret' => 'your-google-client-secret1',
                  ),
          ),
          'Google' => 
                array (
                  'enabled' => true,
                  'keys' => 
                  array (
                    'id' => 'your-google-client-id2',
                    'secret' => 'your-google-client-secret2',
                  ),
                ),
        ),
),

In this case, the provider 'Paw' gives access to iTop with a Google account, but with a different secret than the provider 'Google'.

extensions/combodo-hybridauth.txt · Last modified: 2024/02/15 11:14 (external edit)
Back to top
Contact us