modify SCIM plugin #106
modify SCIM plugin #106
Conversation
source/scim/requirements.rst
Outdated
| .. important:: | ||
| The SCIM API endpoint provided by the plugin must be accessible from the identity provider. If we talk about Azure or Okta, this particular url should be available from the internet. We suggest strongly to limit the ip addresses that can access this url (in addition of adding a strong authentication method). | ||
|
|
||
| A Note about passwords sync |
There was a problem hiding this comment.
Should this section be placed on its file?
Generation of readthedoc makes awkward the result: https://glpi-plugins--106.org.readthedocs.build/en/106/scim/requirements.html#a-note-about-passwords-sync
There was a problem hiding this comment.
The fact that the URL is available on the Internet seems to me to be a prerequisite, I can revise the layout if it doesn't suit.
As far as password sync is concerned, I can make a dedicated page for that.
| For Azure, the awaited secret is a long life valid jwt token. | ||
| We cannot use an oauth exchange (Azure doesn’t ask for an authorize URL). | ||
| So in GLPI, setup you SCIM server with **Bearer** security and paste the JWT token from GLPI in the **Secret token** field of Azure. |
There was a problem hiding this comment.
I think we lose this important information when migrating to "Entra" document.
As we can't use a real OAuth exchange with this provider, we must explicitly say it.
The current "Make sure you paste the token (Jwt token) to ensure your application works properly." is not sufficient.
There was a problem hiding this comment.
Ok, I can also put this sentence in the GLPI configuration
Do you think it's better this way?
There was a problem hiding this comment.
No, I want the full sentence like before. The last is too simple and does not explain why we need a long-life JWT token (it's a bad practice to have this kind of token as they can be stolen)
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
Co-authored-by: Curtis Conard <[email protected]>
|
Additionnal comment: The setup of GLPI should be in first, no? You need to paste a token from GLPI when creating the application in the identity provider. |
No description provided.