Does GLPI support login with Azure AD?

Yes. Via the SAML protocol, GLPI can authenticate users directly through Microsoft Entra ID (formerly Azure AD), including automatic provisioning (JIT) on first authentication.

Do I need a plugin for SSO in GLPI?

In GLPI 10, the PHP SAML plugin is required. In GLPI 11, check the official documentation for native support or use the compatible plugin.

Does SSO work with MFA (multi-factor authentication)?

Yes. MFA is managed by Azure AD. GLPI only receives confirmation of successful authentication, regardless of the factors used.

Are users created automatically in GLPI?

Yes, via Just-in-Time (JIT) provisioning. On first authentication, GLPI automatically creates the user with data from Azure AD (name, email, groups).

SSO Login in GLPI with Azure AD (Entra ID): Complete Guide

Single Sign-On eliminates the need for separate passwords for GLPI. Your users log in with their corporate Microsoft 365 account, with MFA and all Azure AD security policies.

Why SSO for GLPI

Eliminates local passwords in GLPI (smaller attack surface)
Users log in with the same Microsoft 365 credentials
MFA managed centrally by Azure AD
Automatic provisioning: new employee in AD = access to GLPI
Centralized offboarding: disable in AD = no access to GLPI

Prerequisites

GLPI 10.0.14+ or GLPI 11
Microsoft Entra ID (Azure AD) tenant with administrator permission
GLPI accessible via HTTPS (SSL mandatory for SAML)
PHP SAML plugin installed in GLPI (for GLPI 10)

1. Configure Azure AD

Create the enterprise application

In the Azure portal, go to Entra ID > Enterprise Applications > New Application
Click "Create your own application"
Name: "GLPI" > Integrate any other application (Non-gallery)
Under Single sign-on, select "SAML"

Configure SAML URLs

Identifier (Entity ID): https://glpi.suaempresa.com/
Reply URL (ACS): https://glpi.suaempresa.com/front/acs.php
Sign-on URL: https://glpi.suaempresa.com/

Attributes and Claims

Configure the following SAML claims:

name: user.displayname
emailaddress: user.mail
firstname: user.givenname
surname: user.surname

Download the certificate

In the "SAML Signing Certificate" section, download the Base64 certificate and the Federation Metadata XML.

2. Configure GLPI

Install the PHP SAML plugin

Download the plugin compatible with your GLPI version and install it in /var/www/glpi/plugins/phpsaml/.

Configure the plugin

Under Configuration > Plugins > PHP SAML, enter:

IdP Entity ID: Azure value (Login URL)
IdP SSO URL: Azure Login URL
IdP Certificate: contents of the downloaded Base64 certificate
JIT Provisioning: Enabled

3. Assign users and groups

In Azure AD, under Enterprise Applications > GLPI > Users and Groups, assign the users or groups that will have access to GLPI.

4. Test

Access https://glpi.suaempresa.com. The SSO login button should appear. When clicked, the user is redirected to the Microsoft 365 login.

Troubleshooting

Certificate error: verify that the certificate in GLPI matches the one in Azure
User not created: verify that JIT is enabled and claims are correctly configured
Redirect loop: verify that the Reply URL is correct and has no extra trailing slash

Next Step

With SSO configured, advance to profiles and permissions to control what each AD group can do in GLPI.

Nextool Solutions

Why SSO for GLPI

Prerequisites