Directory Service is dead, long live Directory Service!
Last RFC for LDAP was published in 1997. Few things has changed since this time… No one is stuck in an office nowadays, every single company want to be mobile.
Dolibarr is a web based application, this is a good start for the current world. However, user managed is local (no one will ever use a per app user database in SMB) or LDAP based (and no one use LDAP based app for modern IT infrastructure).
LDAP has been supplanted by SAML in 2017. It was a trend for a while but now it's the common standard.
Dolibarr need to review the user management and start support SAML.
SAML is based on third part identity provider and you can find a lot of them. Office 365 and Azure AD can be one, but also OneLogin, JumpCloud, VMware Identity Manager, Centrify, Google, etc.
IT (and more over end customer) want to use SAML to allow a centralized identity management without any kind of security issue linked to third part provided accessing a clear text password. Like LDAP in the past, this will save time regarding user management, will improve security by allowing central user creation and deactivation, and will also offer improved security layers for free.
Third part developer like Dolibarr just have to implement the SAML system once to support all provider (no need of distinction between AD, OpenLDAP, eDirectory, etc.) and all kind of security level.
For example, the SAML Identity Provider can decide to enforce 2 factor authentication depending of the current device accessing Dolibarr, without anything additional code on Dolibarr side.
If you need sample directory, take a look at JumpCloud free account.
Is some working on it ? I can do an investigation but to be more efficient (avoid code retro engineering) I'd like to have the approach used by LDAP (how the user are created, updated .... ), is it available somewhere ?
Br
It seems that there is some SAML-php library already developed, few example:
https://simplesamlphp.org
https://github.com/onelogin/php-saml
br
I started with php-saml because it is a lot simpler to handle then simpleSAML :https://github.com/delcroip/dolibarr/tree/SAML
Actually it seems not dificulte to integrate but the config will be tough and I am no sure it will be accessible to Dolibarr users.
There is also the question of user provisioning, should I expect to have match between one of the SAML attribute and the userID or should I create the user based on the SAML attibutes (meaning that we best have the user group also in the SAML attributes to be able to assign some right after his first login or all users will have to start with default rights that could be change later on in Dolibarr)
@delcroip Don't worry about the SAML config, it will be easily done by people used to SAML. It's not for end user or IT wannabe. It's a feature usable by companies focused on IT security.
For information, if you've Office 365 for business or Google Suite, you've a SAML service built-in.
SAML setup is just a matter of:
SAML is made for on-flight provisioning.
If you also want to implement modern pre-flight provisioning, you must use SCIM, not SAML.
But SCIM is less used, just-in-time account creation seems to be more interesting when using cloud service.
Hi there,
I would like to know If you have gone further with SAML2 integration in Dolibarr? I'm very interested in. Lots of web based application have it nowadays.
I didn't work a lot on it because the auth part of dolibarr need to be reworked (there is no clear segregation of the code between the different methods) and it will be difficult to do the regression test.
Dear All, Any update on this? this feature is required for bigger organizations if they want to adopt this beautiful software.
Dear All, Any update on this? this feature is required for bigger organizations if they want to adopt this beautiful software.
Even for mid and small organizations who are using cloud service providers for authentication
I'm digging out this Feature Request.
Had anyone a look at https://dev.epitanime.com/technique/dolibarr-saml/ ?
Seems to be promising.
@eldy maybe should be possible to take a look at it and integrate it to a future version?
Most helpful comment
Dear All, Any update on this? this feature is required for bigger organizations if they want to adopt this beautiful software.