Feature Request: SAML based authentication #6600
Comments
Is someone working on it? I can do an investigation, but to be more efficient (avoid reverse engineering the code) I'd like to have the approach used by LDAP (how the users are created, updated ...). Is it available somewhere? Br |
It seems that there are some SAML PHP libraries already developed, a few examples: br |
I started with php-saml because it is a lot simpler to handle than simpleSAML: https://github.com/delcroip/dolibarr/tree/SAML |
@delcroip Don't worry about the SAML config, it will be easily done by people used to SAML. It's not for end users or IT wannabes. It's a feature usable by companies focused on IT security. For information, if you have Office 365 for business or Google Suite, you have a SAML service built in. SAML setup is just a matter of:
SAML is made for on-flight provisioning. If you also want to implement modern pre-flight provisioning, you must use SCIM, not SAML. But SCIM is less used; just-in-time account creation seems to be more interesting when using cloud services. |
Hi there, I would like to know if you have gone further with SAML2 integration in Dolibarr? I'm very interested in it. Lots of web-based applications have it nowadays. |
I didn't work a lot on it because the auth part of Dolibarr needs to be reworked (there is no clear segregation of the code between the different methods) and it will be difficult to do the regression tests. |
Dear All, any update on this? This feature is required for bigger organizations if they want to adopt this beautiful software. |
Even for mid-sized and small organizations that are using cloud service providers for authentication |
I'm digging out this Feature Request. Has anyone had a look at https://dev.epitanime.com/technique/dolibarr-saml/ ? |
Still wanted. |
Still needed indeed. And one of the main reasons why I've stopped using Dolibarr |
It is still needed. |
+1 |
Let's give it a thumbs up on the first post |
Hi, I'm the author of SAML2 from Epitanime. It has worked in production for many years. Maybe I can finish it. I didn't do a PR before because there are a lot of hard-coded variables. You can't change SAML settings from the admin portal. For the Epitanime association, production is on version 12.0.1 and SAML was tested with SimpleSAMLphp and Okta. It may also work with Office365 and other SAML2 providers. I didn't know SAML2 was important for other users. When I finish this module, it will be free and open source on Dolistore. Best regards, |
I have to install an LDAP in all my client systems only because of Dolibarr (Keycloak allows a sync between its database and an LDAP server), so yes, SAML (and OAuth) are big needs for me xD Thanks for your work anyway :) |
@battosai30 can Keycloak connect to Azure AD? |
@bontiv please send a PR as draft as soon as possible! We can start without UI and go from there |
@bontiv I just realized that you have a module. |
@bontiv I tried to register on your gitlab instance but can not get the login to work. |
I've moved the source code to GitHub: Dolibarr SAML Module. Module IDs are also in the common range of > 500000. It may reuse the ID of another experimental module. |
I'll try it out in the following few months. Thanks a lot for sharing it! |
@bontiv do you run the SAML auth on a current Dolibarr? Any ideas? |
Hi, OpenID Connect is compliant with AzureAD, Okta, Auth0, Facebook, Twitter, Google and on-premise solutions like ADFS, LemonLDAP, Keycloak, etc. I use AzureAD in my company. I'm also trying to get the Dolibarr REST API working with Azure OAuth 2 tokens. Best regards, |
SAML is still going strong in corporate networks, but I am with you that OpenID is a lot "better". What is your planning and progress with OpenID? |
My two cents on this: OpenID Connect is way more suited when we talk about federations for public services such as Twitter authenticated with Google.
SAML is the protocol more suited for enterprise use, especially in terms of privilege management, context of use, on-demand re-auth, etc.
I don't use Dolibarr anymore and don't think I will in the near future.
But SAML is the way to go for an ERP. Not OIDC.
And SAML is compatible with any market provider.
Yoann
… On 4 Aug 2022 at 09:53, Remi BONNET ***@***.***> wrote:
Hi,
I'm not working on SAML anymore. I think this protocol is too old and takes too much time to authenticate users.
I'm working on a more general OpenID Connect solution.
OpenID Connect is compliant with AzureAD, Okta, Auth0, Facebook, Twitter, Google and on-premise solutions like ADFS, LemonLDAP, Keycloak, etc.
I use AzureAD in my company. I'm also trying to get the Dolibarr REST API working with Azure OAuth 2 tokens.
Best regards,
|
I will go for the SAML approach now. We run authentik and it's a beast. |
Hi. |
This issue is stale because it has been open 1 year with no activity. If this is a bug, please comment to confirm it is still present on the latest stable version. If this is a feature request, please comment to notify that the request is still relevant and not yet covered by the latest stable version. This issue may be closed automatically by the stale bot in 10 days (you should still be able to re-open it if required). |
Hi, |
@Thulkash I did get OpenID SSO #22740 to work with authentik. But we do not use it because direct links to anything within Dolibarr will be lost in the SSO login process. |
Feature Request
Directory Service is dead, long live Directory Service!
The last RFC for LDAP was published in 1997. Few things have changed since then… No one is stuck in an office nowadays, every single company wants to be mobile.
Dolibarr is a web-based application, which is a good start for the current world. However, user management is local (no one will ever use a per-app user database in an SMB) or LDAP based (and no one uses LDAP-based apps for modern IT infrastructure).
LDAP has been supplanted by SAML in 2017. It was a trend for a while, but now it's the common standard.
Dolibarr needs to review its user management and start supporting SAML.
SAML is based on third-party identity providers and you can find a lot of them. Office 365 and Azure AD can be one, but also OneLogin, JumpCloud, VMware Identity Manager, Centrify, Google, etc.
Use case
IT (and moreover end customers) want to use SAML to allow centralized identity management without any kind of security issue linked to a third-party provider accessing a clear-text password. Like LDAP in the past, this will save time regarding user management, will improve security by allowing central user creation and deactivation, and will also offer improved security layers for free.
Third-party developers like Dolibarr just have to implement the SAML system once to support all providers (no need to distinguish between AD, OpenLDAP, eDirectory, etc.) and all kinds of security levels.
For example, the SAML Identity Provider can decide to enforce 2-factor authentication depending on the current device accessing Dolibarr, without any additional code on the Dolibarr side.
If you need a sample directory, take a look at a JumpCloud free account.
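The just-in-time ("on-flight") provisioning described in the comments above, where the local account is created or refreshed from the identity provider's assertion and the IdP stays authoritative for who may log in, shown as an added Python example that is not Dolibarr's code nor any module mentioned in this thread. The SP entity ID, the group name and the assertion are constructed sample values, and signature verification is assumed to have been done by the SAML library before this code runs.

```python
# Added example (not Dolibarr code): just-in-time provisioning from a SAML 2.0
# assertion. The XML signature is assumed verified beforehand; only the Conditions
# checks and the attribute-to-local-account mapping are shown. Constructed sample data.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
OUR_AUDIENCE = "https://erp.example.com/saml"  # assumed SP entity ID
REQUIRED_GROUP = "erp-users"                    # assumed IdP group that grants access
SAMPLE_NOW = datetime(2024, 1, 1, 10, 2, tzinfo=timezone.utc)  # inside the window below
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://erp.example.com/saml</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>erp-users</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text, audience, now):
    """Return (name_id, attributes); raise ValueError when the assertion must be rejected."""
    root = ET.fromstring(xml_text)  # use defusedxml for untrusted XML in production
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion without a validity window")
    if now < _ts(cond.get("NotBefore", "1970-01-01T00:00:00Z")) or now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window (replay or clock skew)")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion was issued for another service provider")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs

def provision(users, xml_text, now, audience=OUR_AUDIENCE):
    """Create or update the local account for the asserted subject; the IdP stays authoritative."""
    name_id, attrs = parse_assertion(xml_text, audience, now)
    if REQUIRED_GROUP not in attrs.get("groups", []):
        raise PermissionError(f"{name_id} is not a member of {REQUIRED_GROUP}")
    created = name_id not in users
    user = users.setdefault(name_id, {"login": name_id})
    user.update(firstname=attrs["firstName"][0], lastname=attrs["lastName"][0], active=True)
    return user, created
```

Deactivation works the same way: a user whose assertion no longer carries the required group is refused before any local record is touched, so access is withdrawn centrally at the IdP.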