{{DISPLAYTITLE:SSO Authentication Support}}
__TOC__

== Overview ==

This page documents Single Sign-On (SSO) authentication support in the VoIPmonitor GUI, including the currently supported methods and the available alternatives.

== Currently Supported SSO Methods ==

{| class="wikitable"
|-
! Method !! Status !! Documentation
|-
| Google Sign-In (OAuth 2.0) || Supported || [[Google_Sign_in_usage]]
|-
| Microsoft Sign-In (Azure AD / Entra ID) || Coming Soon || [[Microsoft_Sign_in_usage]]
|}

Note: Microsoft Sign-In is scheduled for inclusion in an upcoming stable GUI release. If you do not see this option, your current version does not support it. To use Microsoft Sign-In before the stable release, please contact VoIPmonitor support to request a development branch GUI package.

== Authentication Methods with Custom Scripts ==

The following authentication methods are supported via custom login scripts:

{| class="wikitable"
|-
! Method !! Type !! Documentation
|-
| LDAP Authentication || Supported (Username/Password) || [[WEB_API#Custom_Login]]
|}

'''Important distinctions:'''
* '''LDAP Authentication (Supported)''': Users enter their username and password, which the custom login script verifies against an LDAP server. This is NOT single sign-on.
* '''LDAP SSO (Not Supported)''': Click-through login where users are automatically authenticated via LDAP without entering credentials. This is NOT supported.

For a complete LDAP example, see <code>scripts/ldap_custom_login_example.php</code> in your GUI directory. Ensure the <code>php-ldap</code> package is installed on the server.

== Unsupported SSO Methods ==

The following SSO methods are '''not currently supported''' and have no scheduled release:

* '''Shibboleth''' - Not supported
* '''SAML-based SSO''' (including SAML 2.0 from JumpCloud, Okta, OneLogin, etc.) - Not supported
* '''OIDC (OpenID Connect) Other Than Google''': Only Google OAuth 2.0 is supported; generic OIDC providers are not supported

Support for additional SSO methods may be considered for future releases. Check the [[FAQ]] or release notes for updates.

== SSO Feature Capabilities and Limitations ==

=== How SSO Works ===

When using SSO (Google Sign-In or Microsoft Sign-In):
* The Identity Provider (IdP) returns the user's email address to the VoIPmonitor GUI
* VoIPmonitor maps this email to a local user profile to assign permissions
* The email is NOT automatically used to create new users

=== User Mapping Logic ===

VoIPmonitor uses the following priority order to map SSO users:

# '''Direct Email Match''': Checks whether a user exists in the GUI with an email exactly matching the IdP email
# '''Secure Users List''': Checks the "Gmail emails" or "Microsoft emails" list in the "Secure users" tab of user profiles. This allows multiple external accounts to map to a single local profile
# '''Default Fallback User''': If no match is found, assigns permissions from a user designated as the "Default" SSO account
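
The following is an added illustration of this three-step priority order. It is example code, not VoIPmonitor's own implementation: the profile array fields (<code>email</code>, <code>secure_emails</code>, <code>sso_default</code>), the function name and the sample profiles are assumptions made for the example.

```php
<?php
// Added illustration of the three-step SSO user mapping described above.
// This is NOT VoIPmonitor's own code; the profile structure, field names
// and the function name are assumptions made for this example.

/**
 * Resolve the local GUI profile for an e-mail address returned by the IdP.
 *
 * $users is a list of local profiles. Assumed shape per profile:
 *   'username'      => local login name
 *   'email'         => e-mail address stored on the profile
 *   'secure_emails' => external accounts listed in the "Secure users" tab
 *                      (the "Gmail emails" / "Microsoft emails" lists)
 *   'sso_default'   => true if this profile is the "Default" SSO account
 *
 * Returns the matched profile plus a 'matched_by' key, or null when nothing
 * matched and no default account is configured (login must then be refused).
 */
function resolve_sso_user(string $idpEmail, array $users): ?array
{
    // Step 1: direct match on the profile e-mail. The page says "exactly
    // matching", so the comparison is literal: no case folding, no trimming.
    foreach ($users as $user) {
        if (($user['email'] ?? '') === $idpEmail) {
            return $user + ['matched_by' => 'direct_email'];
        }
    }

    // Step 2: the "Secure users" list, which lets several external accounts
    // share one local profile.
    foreach ($users as $user) {
        if (in_array($idpEmail, $user['secure_emails'] ?? [], true)) {
            return $user + ['matched_by' => 'secure_users_list'];
        }
    }

    // Step 3: fall back to the profile flagged as the Default SSO account.
    foreach ($users as $user) {
        if (!empty($user['sso_default'])) {
            return $user + ['matched_by' => 'default_fallback'];
        }
    }

    // No match and no default: SSO never creates users, so deny the login.
    return null;
}

// Constructed sample profiles for the demonstration (not real accounts).
$users = [
    ['username' => 'alice', 'email' => 'alice@example.com', 'secure_emails' => []],
    ['username' => 'noc',   'email' => 'noc@example.com',
     'secure_emails' => ['bob@gmail.com', 'carol@outlook.com']],
    ['username' => 'sso-guest', 'email' => '', 'secure_emails' => [], 'sso_default' => true],
];

// Constructed IdP responses: one per mapping step, one with different casing,
// and one address no profile knows about.
foreach (['alice@example.com', 'carol@outlook.com', 'Alice@example.com', 'nobody@example.org'] as $email) {
    $hit = resolve_sso_user($email, $users);
    printf("%-22s -> %s\n", $email, $hit ? "{$hit['username']} ({$hit['matched_by']})" : 'DENIED');
}
```

With the sample data, <code>alice@example.com</code> is resolved by step 1 and <code>carol@outlook.com</code> reaches the shared <code>noc</code> profile through step 2. Because the comparison is exact, <code>Alice@example.com</code> does not match <code>alice</code> and, like the unknown <code>nobody@example.org</code>, receives whatever the default account grants. Two practical consequences follow from the mapping rules above: enter the e-mail on each profile exactly as the IdP returns it, and give the "Default" SSO account only the permissions you are prepared to hand to any account the IdP authenticates, since every unmatched address lands there.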

=== Requirements ===

* '''HTTPS Required''': SSO requires HTTPS. The IdP will reject connections from insecure HTTP origins
* '''Manual User Creation''': Users must be created in the VoIPmonitor GUI (or a default account must be configured) before SSO can work
* '''Client ID''': You must provide your own OAuth Client ID from the IdP console

=== What is NOT Supported ===

* '''SCIM User Provisioning''': Automated user creation or synchronization from the IdP is not supported
* '''JIT (Just-in-Time) Provisioning''': Users are not automatically created on first login
* '''Group Mapping''': Groups or permissions from the IdP are not synchronized to VoIPmonitor. Permissions must be managed locally in the GUI
* '''Multi-Factor Authentication (MFA) Pass-Through''': MFA is configured on the IdP side, not in VoIPmonitor

== Authentication Alternatives ==

If your required SSO method is not supported, the VoIPmonitor GUI offers these alternatives:

{| class="wikitable"
|-
! Method !! Description !! Documentation
|-
| Local user accounts || Standard username/password authentication || Built-in
|-
| Two-Factor Authentication (2FA) || Additional security layer for local accounts || [[2FA]]
|-
| Web server authentication || Apache Basic Auth, Digest Auth, or similar || Server configuration
|-
| Custom login scripts || Integration with LDAP or other authentication backends || [[WEB_API#Custom_Login]]
|}

=== Custom Login Scripts ===

Custom login scripts enable integrating VoIPmonitor with authentication systems that use standard username/password authentication (such as LDAP):

* File location: <code><GUI_INSTALL_DIR>/scripts/custom_login.php</code>
* Can verify credentials against LDAP, databases, or external APIs
* Return user permissions and sensor access permissions
* Limitations: Cannot implement SSO protocols like Shibboleth, SAML, or OIDC
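
The LDAP row in the "Authentication Methods with Custom Scripts" section and this section describe the same mechanism: the GUI hands a username and password to a script, and the script decides. The following is an added example of such a check. It is not VoIPmonitor's <code>scripts/ldap_custom_login_example.php</code> and does not reproduce the real <code>custom_login.php</code> return contract (see [[WEB_API#Custom_Login]] for that); the function name, the configuration keys, the hostnames and DNs, and the shape of the returned array are assumptions made for illustration.

```php
<?php
// Added example of an LDAP username/password check of the kind a custom login
// script performs. It is NOT VoIPmonitor's scripts/ldap_custom_login_example.php
// and does not reproduce the real custom_login.php contract: the function name,
// the configuration keys and the returned array are assumptions for illustration.
// Requires the php-ldap extension and an LDAP server reachable over TLS.

/**
 * Returns an array describing the authenticated user, or null to refuse login.
 */
function custom_login_ldap(string $username, string $password, array $cfg): ?array
{
    // Refuse empty credentials up front. Many directories treat a bind with a
    // DN and an empty password as an anonymous bind that succeeds, so passing
    // an empty password through would log anyone in as any user.
    if ($username === '' || $password === '') {
        return null;
    }

    $ldap = ldap_connect($cfg['uri']);   // ldaps://, so the exchange is encrypted
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Step 1: find the user's DN with a read-only lookup account. The entered
    // username goes through ldap_escape() so that characters such as '*', '('
    // or ')' cannot change the meaning of the search filter.
    if (!@ldap_bind($ldap, $cfg['lookup_dn'], $cfg['lookup_pw'])) {
        ldap_unbind($ldap);
        return null;
    }
    $filter  = sprintf('(&(objectClass=person)(uid=%s))',
                       ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $result  = @ldap_search($ldap, $cfg['base_dn'], $filter, ['mail', 'memberOf'], 0, 2);
    $entries = $result ? ldap_get_entries($ldap, $result) : false;
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($ldap);          // unknown user, or an ambiguous match
        return null;
    }
    $entry = $entries[0];

    // Step 2: verify the password by binding as the user. A failed bind means a
    // wrong password (or a disabled account); the lookup account never sees it.
    if (!@ldap_bind($ldap, $entry['dn'], $password)) {
        ldap_unbind($ldap);
        return null;
    }
    ldap_unbind($ldap);

    // Step 3: derive GUI permissions from group membership. VoIPmonitor itself
    // does not map IdP groups; this mapping is local to the script and assumed.
    $groups = [];
    for ($i = 0; $i < ($entry['memberof']['count'] ?? 0); $i++) {
        $groups[] = strtolower($entry['memberof'][$i]);
    }
    $isAdmin = in_array(strtolower($cfg['admin_group_dn']), $groups, true);

    return [
        'username' => $username,
        'email'    => $entry['mail'][0] ?? '',
        'is_admin' => $isAdmin,
        // Sensor access: admins see all sensors, everyone else a fixed list.
        'sensors'  => $isAdmin ? ['*'] : $cfg['default_sensors'],
    ];
}

// Constructed configuration for this example; adjust to your directory.
$cfg = [
    'uri'             => 'ldaps://ldap.example.com',
    'base_dn'         => 'ou=people,dc=example,dc=com',
    'lookup_dn'       => 'cn=voipmonitor-lookup,dc=example,dc=com',
    'lookup_pw'       => getenv('VM_LDAP_LOOKUP_PW') ?: '',
    'admin_group_dn'  => 'cn=voipmonitor-admins,ou=groups,dc=example,dc=com',
    'default_sensors' => [1, 2],
];

// Stand-alone check from the shell:  printf '%s' 'secret' | php custom_login_ldap.php alice
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $password = rtrim((string) stream_get_contents(STDIN), "\r\n");
    $user = custom_login_ldap($argv[1], $password, $cfg);
    echo ($user === null) ? "login refused\n" : ('login ok: ' . json_encode($user) . "\n");
}
```

Three points in the example matter more than the rest: the empty-password check (an empty password must never reach <code>ldap_bind</code>), the <code>ldap_escape</code> call on the only user-controlled value that enters the filter, and the second bind performed as the user rather than comparing a password attribute with the lookup account. With an <code>ldaps://</code> URI the certificate of the directory is checked by the system LDAP client library, so its CA must be trusted in the system LDAP client configuration; otherwise the bind fails closed.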

=== Web Server Authentication ===

You can secure the GUI at the web server level (Apache/Nginx) before traffic reaches VoIPmonitor. This allows:

* Basic Auth or Digest Auth
* Integration with external authentication modules (e.g., <code>mod_authnz_ldap</code>)
* Centralized access control

Note: This is not "SSO" - users typically enter credentials once per session, and VoIPmonitor does not receive information about the authenticated user's identity from the IdP.
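
An added example of such a web-server-level gate, written for Apache with <code>mod_authnz_ldap</code>. It is not configuration shipped by VoIPmonitor; the hostname, certificate paths, document root, DNs and group name are assumptions for illustration, and the bind password is a placeholder.

```apache
# Added example (not VoIPmonitor's own configuration): an Apache virtual host
# that requires an LDAP login before any request reaches the GUI.
# Hostnames, paths, DNs and the group name are assumptions for illustration.
# Needs mod_ssl, mod_ldap and mod_authnz_ldap loaded.

# Weak setting to avoid: serving the GUI over plain HTTP. The Basic Auth header
# is only base64-encoded, so on port 80 the credentials travel in the clear.
# Redirect everything to HTTPS instead.
<VirtualHost *:80>
    ServerName voipmonitor.example.com
    Redirect permanent / https://voipmonitor.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName voipmonitor.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/voipmonitor.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/voipmonitor.example.com.key

    # Assumed GUI install directory.
    DocumentRoot /var/www/voipmonitor

    <Location "/">
        AuthType Basic
        AuthName "VoIPmonitor"
        AuthBasicProvider ldap
        # Look the entered username up as uid below the people subtree,
        # over LDAPS so the directory exchange is encrypted as well.
        AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)"
        # Read-only lookup account used only to find the user's DN; Apache then
        # binds as the user to verify the password.
        AuthLDAPBindDN "cn=voipmonitor-lookup,dc=example,dc=com"
        AuthLDAPBindPassword "<LOOKUP_PASSWORD_PLACEHOLDER>"
        # Only members of this group may reach the GUI at all.
        Require ldap-group cn=voipmonitor-users,ou=groups,dc=example,dc=com
    </Location>
</VirtualHost>
```

Because VoIPmonitor learns nothing about the identity Apache verified, this gate sits in front of the GUI's own login rather than replacing it: users pass the LDAP check and then sign in with their local GUI account (or 2FA). The <code>Require ldap-group</code> line is what turns the module from "any directory user" into "only the operators who should see call data"; without it, <code>Require valid-user</code> would admit every account in the subtree.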

== See Also ==

* [[Google_Sign_in_usage]] - Google OAuth 2.0 setup guide
* [[Microsoft_Sign_in_usage]] - Microsoft Entra ID setup guide
* [[2FA]] - Two-Factor Authentication configuration
* [[WEB_API#Custom_Login]] - Custom login script documentation
* [[FAQ]] - Frequently Asked Questions

== AI Summary for RAG ==

'''Summary:''' This page documents SSO authentication support in the VoIPmonitor GUI. The currently supported SSO method is Google Sign-In (OAuth 2.0). Microsoft Sign-In (Azure AD / Entra ID) is scheduled for inclusion in an upcoming stable GUI release - users who need it immediately can contact support for a development branch GUI package. LDAP authentication (username/password) is supported via custom login scripts, but LDAP SSO (click-through login) is not supported. Unsupported methods include Shibboleth, SAML-based SSO (JumpCloud, Okta, OneLogin), and generic OIDC. SSO requires HTTPS, and users must be manually created in the GUI or mapped via "Secure users" lists or a default user. SCIM/JIT user provisioning, group mapping, and MFA pass-through are not supported. Alternatives include local accounts, 2FA, web server authentication, and custom login scripts for LDAP/external auth.

'''Keywords:''' SSO, single sign-on, authentication, Google Sign-In, Microsoft Sign-In, Azure AD, Entra ID, OAuth, Shibboleth, LDAP, SAML, OIDC, SCIM, JIT, user provisioning, group mapping, unsupported, 2FA, custom login, JumpCloud, Okta

'''Key Questions:'''
* Which SSO methods are currently supported in the VoIPmonitor GUI?
* Is JumpCloud SSO supported?
* Can I use SAML-based single sign-on with VoIPmonitor?
* Is LDAP authentication supported in VoIPmonitor?
* What is the difference between LDAP authentication and LDAP SSO?
* How do I map SSO users to VoIPmonitor GUI permissions?
* Do I need to create users manually before using SSO?
* Is SCIM or JIT user provisioning supported?
* Are groups from the identity provider synchronized to VoIPmonitor?
* Can I integrate with JumpCloud for authentication?
* What alternatives exist if my SSO method is not supported?