
How this plug‐in works (internals)

Eduardo Mozart de Oliveira edited this page Feb 12, 2025 · 2 revisions

Most of the plug-in logic is in the inc/provider.class.php file of the plug-in.

  1. The plug-in redirects the user's web browser to the SSO Authorize URL with additional parameters, as seen in the checkAuthorization() PHP function. The user is redirected to this URL after clicking "Sign on with [SSO Provider]".

  2. After the login, the SSO provider returns the result of the authentication to the Callback URL of the plug-in, which retrieves the access token needed to request additional user info (e.g. e-mail, surname etc.) from the SSO provider, as seen in the checkAccessToken() PHP function.

  3. Using the access token, we retrieve user information through the getResourceOwner() PHP function, which returns an array containing the additional user info (e.g. e-mail, surname etc.) that we use to find the user in the GLPI local user database. The logic of this lookup is in the findUser() PHP function.

  4. After that, we trigger the login() PHP function of the plug-in, which creates a pseudo GLPI authentication against the GLPI user database backend. Using the built-in GLPI login allows us to apply rules to logged-in users (e.g. assign them to specific Entities in GLPI). It creates the user and links it to the SSO provider if the user doesn't exist in the GLPI user database yet. This function is also responsible for retrieving the user photo from the SSO provider if available (only for Azure AD at the moment).

Tip: Most errors happen in phase 2: if the plug-in is unable to retrieve the token needed to request the user info from the SSO provider, it's not possible to log the user in. You can change the value of the $debug variable to true in inc/provider.class.php to show additional information about the authentication, which we can use to help you troubleshoot and fix the issue.
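A sketch of phases 1 and 2 and the failure cases that stop a login in phase 2, added here as an example and not taken from the plug-in's code. The function names, array keys and hosts are hypothetical, and it assumes the "additional parameters" include the standard OAuth 2.0 `state` value.

```php
<?php
// Phase 1 (hypothetical names throughout, not the plug-in's own): build the authorize URL.
function buildAuthorizeUrl(string $authorizeUrl, array $cfg, array &$session): string {
    $session['sso_state'] = bin2hex(random_bytes(16)); // unguessable, tied to this browser session
    return $authorizeUrl . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $cfg['client_id'],
        'redirect_uri'  => $cfg['callback_url'],
        'scope'         => $cfg['scope'],
        'state'         => $session['sso_state'],
    ]);
}
// Phase 2, part one: validate the query string received on the Callback URL.
function checkCallback(array $query, array &$session): array {
    $expected = $session['sso_state'] ?? '';
    unset($session['sso_state']); // a state value is accepted once only
    $state = $query['state'] ?? '';
    if (isset($query['error'])) {
        return ['ok' => false, 'reason' => 'provider returned an error'];
    }
    if ($expected === '' || !is_string($state) || !hash_equals($expected, $state)) {
        return ['ok' => false, 'reason' => 'state mismatch'];
    }
    if (!is_string($query['code'] ?? null) || $query['code'] === '') {
        return ['ok' => false, 'reason' => 'no authorization code'];
    }
    return ['ok' => true, 'code' => $query['code']];
}

// Phase 2, part two: interpret the JSON body returned by the token endpoint.
function parseTokenResponse(string $body): array {
    $data = json_decode($body, true);
    if (!is_array($data)) {
        return ['ok' => false, 'reason' => 'token response is not JSON'];
    }
    if (isset($data['error'])) {
        return ['ok' => false, 'reason' => 'token endpoint error: ' . $data['error']];
    }
    if (!is_string($data['access_token'] ?? null) || $data['access_token'] === '') {
        return ['ok' => false, 'reason' => 'no access_token in response'];
    }
    return ['ok' => true, 'access_token' => $data['access_token']];
}

// Constructed inputs: the example.test hosts and all values are placeholders.
$session = [];
$cfg = ['client_id' => 'glpi', 'callback_url' => 'https://glpi.example.test/callback', 'scope' => 'openid email'];
echo buildAuthorizeUrl('https://sso.example.test/authorize', $cfg, $session), "\n";
var_dump(checkCallback(['code' => 'abc', 'state' => $session['sso_state']], $session), parseTokenResponse('{"error":"invalid_client"}'));
```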

Also, when opening a new issue, please enable the GLPI Debug mode, click on the "Debug" tab of the plug-in provider and paste your SSO provider configuration into your issue.
