Connexion not possible with WSO2 Identity Server

[Ketchup31]

Hi,

I am trying since few days to setup an SSO for my GLPI instance, but no success.

1. Login with SSO
2. WSO2 login form is displayed
3. consent for scope is displayed (I select all and confirm)
4. Then the GLPI page appears saying that teh user is not allowed to connect to GLPI.

Is it possible to activate detailed log to help the debugging in order to see all exchanges between the IDP and the plugin? If yes how and where are the log files (in /_log)
Do I need to setup specifics claims in my IDP? if yes can you advise me which ones?

Thank you for your support.

Best regards.
Pascal

Configuration are hereunder:
for GLPI:

for the plugin:

STEP 1

STEP 2

STEP 3

STEP 4
The messages say:
Warning: No data available on site /var/www/html/glpi/src/Toolbox.php on line 1427
User not allowed to connect to GLPI

[edgardmessias]

In the config page you can use the test button, that will display detailed information about the login.

The second thing is: You must have a GLPI user with the same login or email

[Ketchup31]

Dear Edgar,

Thank you for your quick response.

I cannot use the test button as I am behind a reverse proxy and in that case the $url value is set with the port used by the reverse proxy (8004) and not the 443 use to reach GLPI from a public IP (via Internet).

So to have an idea about my implementation:

From  Internet                              Reverse proxy                   SingleSignOn plugin
https://<myURL>  ======================> http://<myURL>:8004  ===============>  <myURL>:8004

So when I click on the test button I get an error message saying that there is a mismatch between the callback url declared in my IDP which is https://<myURL>/plugins/singlesignon/front/callback.php/provider/1 and the plugin which is
https://<myURL>/plugins/singlesignon/front/callback.php/provider/1/test/1
In order to have the plugin working for me I have commented the following lines in provider.class.php file.

      if ($port != "80" && $port != "443") {
         $baseURL .= ":" . $_SERVER["SERVER_PORT"];
      }

I have a user already created in GLPI with the same login and email.

Any idea to make the test button working for me?
What values can I set in field "Extra Options" ?

Thank you.

[Mr-EJ]

The test callback uri is different from the production callback uri
you need to add the test callback uri "/test/1" to the IDP for the test to succeed

[eduardomozart]

Hello @Ketchup31,
You can change the value of debug variable to true on inc/provider.class.php so the plug-in will provide extra info during login if it fails. Also, the plug-in has been recently updated to show the error message from provider if it was set (at least for Office 365/Azure AD).
Also, your issue with a reverse proxy has been fixed. Now the plug-in will honor the "Application URL" setting in General > Setup.
You need to setup "Callback URL" available on your plug-in provider setting into your provider, as seen below:

Here's my working Microsoft 365 Admin Center config:

There's no need to add "/test/1" if you do not intend to use the "Test" function and even if you do it works just fine without it (at least for Office 365).
If your issue persists, please share your php-errors.log and sql-errors.log file, enable the debug variable and make sure to use the plug-in from master branch instead of the Releases page, and make sure that you're using the latest GLPI version.