How to provision and authenticate GLPI users with Azure AD using SCIM and OAuth SSO
In the fast-paced world of technology, managing user identities across multiple platforms can be a daunting task. Imagine a typical day at work, where you’re juggling access to a myriad of systems – from email and intranet to various tools like GLPI, ERP, and CRM. Each time your role changes, or you or another user updates a profile, someone from the IT department is burdened with the tedious task of manually updating these details in every system. Not to mention the need to manage multiple passwords for the wide range of systems you use on a daily basis. This method is not only time-consuming but also prone to errors.
Now, think of SCIM – or System for Cross-domain Identity Management – as a versatile “translator”, a proactive “messenger”, or an efficient “negotiator” in the digital realm, that streamlines communication between different systems. Instead of someone having to manually go to each system to update your information, SCIM automates this process. When there’s a change in a user’s information, SCIM automatically spreads these updates to all connected systems.
So, SCIM helps companies to efficiently manage user identity information across various systems, saving time, reducing errors, and enhancing security. It’s like having an assistant ensuring that all your information is consistent everywhere, without the need for constant manual intervention.
The SCIM Plugin is different from OAuth
It’s common to mistake OAuth capabilities for data synchronization, especially where GLPI instances and user and group directories are concerned. OAuth provides centralized and secure access permissions, while SCIM keeps identity data synchronized; the two serve distinct purposes, despite their apparent similarities.
Both plugins, when integrated with other credential systems, facilitate access without risking exposure of LDAP infrastructures or requiring complex VPN setups, a critical advantage, particularly for GLPI Cloud Network users connected to Azure Active Directory (Microsoft Entra ID).
The SCIM plugin simplifies the management of user information and, depending on the provider, also credentials. Attributes like name, email, roles, and contact information are part of its scope of management and synchronization. It standardizes the way identity information is exchanged between identity providers and service providers, without excessive exposure of applications, using secured and trackable API channels between services.
One great use case is to have users rely on their Azure Active Directory (Microsoft Entra ID) information in a GLPI instance. Combined with the OAuth SSO plugin, the credentials are also the same, and users don’t need to authenticate again if they are already signed in in their browsers.
For GLPI Cloud Network customers and those with a GLPI Network Basic (or higher) subscription in an on-premises environment, these plugins offer an unprecedented level of convenience and security in identity management.
Useful links
How to set up the SCIM plugin with Azure Portal
How to set up the SCIM plugin with Okta
How to set up the OAuth plugin to log in to GLPI using Microsoft 365 credentials