
[Guide Request] -- GLPI Single Sign On with Keycloak #116

Status: Open
casetofon2 opened this issue Feb 12, 2025 · 2 comments
Labels: help wanted (Extra attention is needed), need feedback (Need feedback)

Comments


casetofon2 commented Feb 12, 2025

Hello!

First of all! Mr. Edgar, thank GOD you made this plugin! (I found it a couple of days ago and have been playing with it since.)
Second of all: given my limited coding knowledge, I attempted to set up SSO with your plugin and Keycloak version 26.1.

This is how far I got on my own with help from GhatCPT and SeepDeek (pun intended).

Mappers (I think they are correct?): I set up a mapper in Keycloak for the glpi-dedicated client with userID for the (userID="null") and username (for the sAMAccountName LDAP attribute).

[image]

LDAP Connection Correct.

Tested login on http://keycloak-Server/realm/ExampleRealm/account.
Login there works normally.

However:

If I attempt to do SSO, well, I get invalid username and password.

The credentials are correct; what bothers me specifically is the userId="null" field.
Together with GhatCPT, I've dissected every angle suggested by ChatGPT and we came to this conclusion:

Keycloak is receiving BAD requests from the GLPI SSO plugin?
Anyone got any input?

In the developer tools of the web browser, after I press "test single sign on", it states: Error 400 BAD REQUEST.

But I think I'm too dumb, even with GhatCPT, to figure out where the "boo-boo" is.

Any help is appreciated!

I'm also attaching a screenshot of the SSO plugin configuration in case it helps.

[image]

@eduardomozart (Collaborator) commented

Hello @casetofon2,
I intend to implement Keycloak internally to do some tests with custom SSO providers in the future, but as I don't have it implemented yet, it will be difficult for us (plugin developers) to help, as we don't have the Keycloak knowledge to help you.
But here are some tips that may help you troubleshoot this issue:
First, take a look at the Wiki page: https://github.com/edgardmessias/glpi-singlesignon/wiki/How-this-plug%E2%80%90in-works-(internals) It describes how this plugin works internally and may help you dig into the code to figure out the issue. The plugin requires a successful login of the SSO user to retrieve the Access Token that is used to retrieve additional user metadata (e.g. surname, email) to use for login. It's pretty standard OAuth and should not require userID or any additional field in the Authorize URL for this to work.
Where is this "invalid username and password" shown? Is it in the GLPI UI or in the Keycloak provider itself? If it's in Keycloak, you'll need to troubleshoot the issue there. Please send us the browser URL you're using to successfully authenticate into your Keycloak provider and the one which is not working (I believe it's the "Authorize URL"). Also make sure that the Callback URL of the plug-in is configured as an allowed redirect URL on Keycloak (not sure if it requires it, but it's a requirement for Azure AD).
Also take a look at https://github.com/edgardmessias/glpi-singlesignon/wiki/Plugin-Provider-Options which explains some of the plugin fields (it seems that you have some doubts about what some of them do).

eduardomozart added the labels "help wanted" and "need feedback" on Feb 12, 2025

@casetofon2 (Author) commented Feb 13, 2025


Hello Eduardo!

Thank you for the reply!

I've taken a look into the callback.php file as well (not 100% sure), but it would seem that the function that takes the current loginID isn't sending it correctly to Keycloak.

Theoretically, that should be the field value that is sent into the userID that Keycloak would require. I'm not a coder, so maybe I'm just talking nonsense (please correct me if I am).

In regards to the issue with userID=null, I have attempted everything from mapper creation to setting the plugin to use e-mail as login and then creating a mapper on the Keycloak side to convert that email into userID as it would need it to be, with no luck.

For the callback URL I have also discovered that if I input callback.php/provider/* on the Keycloak side (the * is interpreted by Keycloak as any number, from what I'm seeing), both callback.php/provider/1 and callback.php/provider/* send requests to Keycloak as needed.

If I go manually to the /realms/CompanyRealm/account page on the Keycloak side, I can log in normally with my AD users with no difficulty whatsoever.

My non-coder best guess is that I'm either not smart enough or I don't know enough about coding to figure out where the userID=null is being pulled from and sent to Keycloak.

I'm pasting a Keycloak SSO login attempt here (with company information redacted). Maybe you see something I don't.

2025-02-09 20:05:39,384 WARN [org.keycloak.events] (executor-thread-1) type="LOGIN_ERROR", realmId="REALM-ID", realmName="CONTOSO", clientId="glpi", userId="null", ipAddress="Client_IP", error="invalid_user_credentials", auth_method="openid-connect", auth_type="code", response_type="code", redirect_uri="http://glpi.contoso.com/marketplace/singlesignon/front/callback.php/provider/1", code_id="8dee7209-fbdd-4d17-89a0-bca0ee268ecd", response_mode="query"
2025-02-09 20:06:37,155 INFO [com.arjuna.ats.jbossatx] (Shutdown thread) ARJUNA032014: Stopping transaction recovery manager
2025-02-09 20:06:37,395 INFO [io.quarkus] (Shutdown thread) Keycloak stopped in 0.260s
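As an added illustration (not code from the plugin or from either poster), the following parses Keycloak event log lines in the format pasted above and triages each event: which client and error it carries, whether Keycloak attached a user to it (the userId="null" discussed in this thread), and whether the redirect_uri matches the callback pattern registered on the client. The sample lines and the allowed redirect pattern are constructed for the example; the second LOGIN line is invented to show a successful event.

```python
import re
from fnmatch import fnmatch
from typing import Dict, List

# Constructed sample lines in the format Keycloak's event logger writes, modelled on the
# LOGIN_ERROR line pasted in the thread (company values already replaced there).
SAMPLE_LOG = """\
2025-02-09 20:05:39,384 WARN [org.keycloak.events] (executor-thread-1) type="LOGIN_ERROR", realmId="REALM-ID", realmName="CONTOSO", clientId="glpi", userId="null", ipAddress="Client_IP", error="invalid_user_credentials", auth_method="openid-connect", auth_type="code", response_type="code", redirect_uri="http://glpi.contoso.com/marketplace/singlesignon/front/callback.php/provider/1", code_id="8dee7209-fbdd-4d17-89a0-bca0ee268ecd", response_mode="query"
2025-02-09 20:06:37,155 INFO [com.arjuna.ats.jbossatx] (Shutdown thread) ARJUNA032014: Stopping transaction recovery manager
2025-02-09 20:07:02,011 INFO [org.keycloak.events] (executor-thread-2) type="LOGIN", realmId="REALM-ID", realmName="CONTOSO", clientId="glpi", userId="3f2c0c1e-0000-4000-8000-000000000001", ipAddress="Client_IP", auth_method="openid-connect", auth_type="code", redirect_uri="http://glpi.contoso.com/marketplace/singlesignon/front/callback.php/provider/2", code_id="c2", response_mode="query"
"""

# Hypothetical "Valid redirect URIs" entry for the glpi client, using the provider/* form
# mentioned in the thread; adjust to the value configured on your own Keycloak client.
ALLOWED_REDIRECT = "http://glpi.contoso.com/marketplace/singlesignon/front/callback.php/provider/*"

# Only lines from the org.keycloak.events logger are events; everything else is skipped.
EVENT_RE = re.compile(r'^(\S+ \S+) (\w+) \[org\.keycloak\.events\] \([^)]*\) (.*)$')
# key="quoted value" or key=bare (Keycloak can be configured to log without quotes).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_event(line: str) -> Dict[str, str]:
    """Return the key/value fields of a Keycloak event line, or {} for any other log line."""
    m = EVENT_RE.match(line)
    if not m:
        return {}
    fields = {"timestamp": m.group(1), "level": m.group(2)}
    for key, quoted, bare in FIELD_RE.findall(m.group(3)):
        fields[key] = quoted if quoted != "" else bare
    return fields


def triage(log: str) -> List[Dict[str, object]]:
    """Summarise each event: outcome, whether a user was resolved, and redirect_uri check."""
    results: List[Dict[str, object]] = []
    for line in log.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        results.append({
            "type": ev.get("type", ""),
            "client": ev.get("clientId", ""),
            "error": ev.get("error", ""),
            # Keycloak writes userId="null" when no user was attached to the event.
            "user_resolved": ev.get("userId", "null") != "null",
            "redirect_ok": fnmatch(ev.get("redirect_uri", ""), ALLOWED_REDIRECT),
        })
    return results


if __name__ == "__main__":
    for summary in triage(SAMPLE_LOG):
        print(summary)
```

A redirect_ok of True on the failing event means the callback URL itself was accepted, so the error lies in credential or user resolution rather than in the redirect configuration.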
