Derrick Smith Header Image

GLPI IT Service Management Single Sign On using SAML

As an IT Director, I spend most of my time referencing information found inside the IT Service Management (ITSM) system, and one of the better open source ITSM tools in the marketplace is GLPI. The feature set is massive and I’ve used this tool on and off for the last decade for IT inventory and helpdesk. On the security side, Single Sign On is paramount for authentication consistency and I tend to use SAML in most applications.

GLPI comes with several authentication options, including CAS, but it doesn’t include a way to authenticate users through SAML. As you may know, “Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP).” (Varonis) In our case GLPI is the SAML service provider and any number of SAML identity providers (Azure AD, ADFS, Okta, OneLogin, Google IdP) can be used to authenticate users.

The good news is that GLPI has a plugin API that can be used to augment the software with additional features. Having worked with GLPI previously on my Nagios Event Handlers project, I was ready to dig in and create the functionality using the API.

The plugin relies on OneLogin’s SAML PHP Toolkit, which is a PHP library that helps web developers create a SAML Service Provider in existing PHP software. The plugin stores the SAML configuration in the database and the software takes several inputs that I mapped to fields in the plugin setup.
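How setup fields like these could map onto the toolkit's settings array, as an added example that is not the plugin's own code. The helper name `buildSamlSettings`, the `$cfg` keys and the example.com URLs are assumptions; the ACS path and the use of the GLPI base URL as Entity ID follow the author's replies in the comments below. It assumes onelogin/php-saml 3.x or later installed with Composer.

```php
<?php
// Added example, not the plugin's source. Assumes onelogin/php-saml 3.x+ (Composer).
require __DIR__ . '/vendor/autoload.php';

use OneLogin\Saml2\Constants;
use OneLogin\Saml2\Error;
use OneLogin\Saml2\Settings;

// Hypothetical helper: turn stored setup fields into the toolkit's settings array.
function buildSamlSettings(string $glpiBaseUrl, array $cfg): array
{
    $base = rtrim($glpiBaseUrl, '/');
    return [
        // Strict mode makes the toolkit reject messages that are not signed or
        // encrypted as expected, or that fail destination/audience/condition checks.
        'strict' => $cfg['strict'],
        'debug'  => $cfg['debug'],
        'sp' => [
            'entityId' => $base,
            'assertionConsumerService' => [
                'url'     => $base . '/plugins/phpsaml/front/acs.php',
                'binding' => Constants::BINDING_HTTP_POST,
            ],
            'NameIDFormat' => Constants::NAMEID_EMAIL_ADDRESS,
            // Left empty: the toolkit demands an SP cert and key only when the
            // signing or encryption options under 'security' are switched on.
            'x509cert'   => '',
            'privateKey' => '',
        ],
        'idp' => [
            'entityId' => $cfg['idp_entity_id'],
            'singleSignOnService' => ['url' => $cfg['idp_sso_url'], 'binding' => Constants::BINDING_HTTP_REDIRECT],
            'singleLogoutService' => ['url' => $cfg['idp_slo_url'], 'binding' => Constants::BINDING_HTTP_REDIRECT],
            'x509cert' => $cfg['idp_x509_cert'],
        ],
    ];
}

// Constructed sample values; replace with the values your IdP gives you.
$cfg = [
    'strict' => true, 'debug' => false,
    'idp_entity_id' => 'https://idp.example.com/metadata',
    'idp_sso_url'   => 'https://idp.example.com/sso',
    'idp_slo_url'   => 'https://idp.example.com/slo',
    'idp_x509_cert' => 'PLACEHOLDER_BASE64_CERTIFICATE',
];
try {
    // The constructor validates the array and throws on missing or malformed fields.
    $settings = new Settings(buildSamlSettings('https://glpi.example.com/', $cfg));
    echo $settings->getSPMetadata(); // SP metadata XML to hand to the IdP administrator
} catch (Error $e) {
    echo 'Invalid SAML settings: ', $e->getMessage(), PHP_EOL;
}
```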

GLPI Plugin Settings

You can find the plugin at the GLPI Plugins website or at my repo on GitHub. Please submit any bugs or feature requests to the GitHub repo. If you found this plugin helpful, please leave a comment below.


  1. shane

    just wondering what the metadata url would be

  2. michael L

    Hi, thx for your script.
    Unfortunately, it didn’t work for me.

    Details :
    Web server: shared hosting server, SSL “Let’s Encrypt”.
    Azure P1

    IN AAD :
    Activate single auth SAML, put :
    Entity ID :
    assertion URL :

    Source attribute (name identifier) :
    Email address : user.userprinpalname

    Copying all the parameters into my GLPI :
    Connection URL
    Disconnect URL
    Downloading my base64 certificate

    IN GLPI :
    Open with Notepad, paste into my GLPI under x509 certificate
    Paste the parameters login/disconnect/AAD ID

    When I try to log in, if I don’t put a user or group, Microsoft says NO, need at least one, so I do that.
    When I try to log in with a user (or a user in a security group), the login page puts me back to : and it is blank.

    My first question :
    Is the SP certificate absolutely necessary?

    Waiting for your answer.

  3. Amritanshu


    I would like your assistance for configuring GLPI with SAML on KeyCloak SSO. I am able to access the redirect to SSO but always get “Invalid SAML Response” from GLPI.


    1. Derrick

      Difficult to know without seeing the logs or SAML trace. You can install the SAML Tracer extension in Firefox to obtain additional SAML logs. Also if you have set Strict to “Yes” then certificates must be fully validated.

  4. Juan Cruz, Martinez Luquez

    Hello Derrick, first of all, many thanks for this plugin.
    I wonder if you can help me to configure it with Google SAML. I’m the admin of both GLPI and GSuite but I cannot find the ACS URL and ID I must provide to Google.
    Many thanks in advance.

    1. Derrick

      The Entity ID will be your glpi base url. (e.g. The ACS url is {Your GLPI web server base URL}/plugins/phpsaml/front/acs.php

  5. Ricardo Campos Passanezi

    Hello Derrick, I’m trying to use your plugin. And I have to apologize at first because of my ignorance: I turned the debug on but I cannot find where the debugs are being sent to.

    Our corporate accounts are Google (OAuth2 and SAML are available) but I’m not responsible for generating the IdP conf. I’ve received the info from the staff that takes care of it.

    Anyway, thanks for the plugin. It’s very nice and will be very useful.


    1. Derrick

      Debug sends errors to the php-error file in the GLPI logs folder.
