Shibboleth and other auth modules: Difference between revisions

Overview

This page documents Single Sign-On (SSO) authentication support in the VoIPmonitor GUI, including currently supported methods and available alternatives.

Currently Supported SSO Methods

Note: Microsoft Sign-In requires GUI version 2024.x or later. If you do not see this option, upgrade to the latest stable release.

Authentication Methods with Custom Scripts

The following authentication methods are supported via custom login scripts:

Important distinctions:

• LDAP Authentication (Supported): Users enter their username and password, which is verified against an LDAP server via custom login script. This is NOT single sign-on.
• LDAP SSO (Not Supported): Click-through login where users are automatically authenticated via LDAP without entering credentials. This is NOT supported.

For a complete LDAP example, see scripts/ldap_custom_login_example.php in your GUI directory. Ensure the php-ldap package is installed on the server.

Unsupported SSO Methods

The following SSO methods are not currently supported and have no scheduled release:

• Shibboleth - Not supported
• SAML-based SSO (including SAML 2.0 from JumpCloud, Okta, OneLogin, etc.) - Not supported
• OIDC (OpenID Connect) Other Than Google: Only Google OAuth 2.0 is supported; generic OIDC providers are not supported

Support for additional SSO methods may be considered for future releases. Check the FAQ or release notes for updates.

SSO Feature Capabilities and Limitations

How SSO Works

When using SSO (Google Sign-In or Microsoft Sign-In):

• The Identity Provider (IdP) returns the user's email address to VoIPmonitor GUI
• VoIPmonitor maps this email to a local user profile to assign permissions
• The email is NOT automatically used to create new users

User Mapping Logic

VoIPmonitor uses the following priority order to map SSO users:

1. Direct Email Match: Checks if a user exists in the GUI with an email exactly matching the IdP email
2. Secure Users List: Checks the "Gmail emails" or "Microsoft emails" list in the "Secure users" tab of user profiles. This allows multiple external accounts to map to a single local profile
3. Default Fallback User: If no match is found, assigns permissions from a user designated as the "Default" SSO account

Requirements

• HTTPS Required: SSO requires HTTPS. The IdP will reject connections from insecure HTTP origins
• Manual User Creation: Users must be created in the VoIPmonitor GUI (or a default account must be configured) before SSO can work
• Client ID: You must provide your own OAuth Client ID from the IdP console

What is NOT Supported

• SCIM User Provisioning: Automated user creation or synchronization from the IdP is not supported
• JIT (Just-in-Time) Provisioning: Users are not automatically created on first login
• Group Mapping: Groups or permissions from the IdP are not synchronized to VoIPmonitor. Permissions must be managed locally in the GUI
• Multi-Factor Authentication (MFA) Pass-Through: MFA is configured on the IdP side, not in VoIPmonitor

Authentication Alternatives

If your required SSO method is not supported, the VoIPmonitor GUI offers these alternatives:

Custom Login Scripts

Custom login scripts enable integrating VoIPmonitor with authentication systems that use standard username/password authentication (such as LDAP):

• File location: <GUI_INSTALL_DIR>/scripts/custom_login.php
• Can verify credentials against LDAP, databases, or external APIs
• Return user permissions and sensor access permissions
• Limitations: Cannot implement SSO protocols like Shibboleth, SAML, or OIDC

Web Server Authentication

You can secure the GUI at the web server level (Apache/Nginx) before traffic reaches VoIPmonitor. This allows:

• Basic Auth or Digest Auth
• Integration with external authentication modules (e.g., mod_authnz_ldap)
• Centralized access control

Note: This is not "SSO" - users typically enter credentials once per session, and VoIPmonitor does not receive information about the authenticated user's identity from the IdP.

See Also

• Google_Sign_in_usage - Google OAuth 2.0 setup guide
• Microsoft_Sign_in_usage - Microsoft Entra ID setup guide
• 2FA - Two-Factor Authentication configuration
• WEB_API#Custom_Login - Custom login script documentation
• FAQ - Frequently Asked Questions

AI Summary for RAG

Summary: This page documents SSO authentication support in VoIPmonitor GUI. Currently supported SSO methods are Google Sign-In (OAuth 2.0) and Microsoft Sign-In (Azure AD / Entra ID). LDAP authentication (username/password) is supported via custom login scripts, but LDAP SSO (click-through login) is not supported. Unsupported methods include Shibboleth, SAML-based SSO (JumpCloud, Okta, OneLogin), and generic OIDC. SSO requires HTTPS and users must be manually created in the GUI or mapped via "Secure users" lists or a default user. SCIM/JIT user provisioning, group mapping, and MFA pass-through are not supported. Alternatives include local accounts, 2FA, web server authentication, and custom login scripts for LDAP/external auth.

Keywords: SSO, single sign-on, authentication, Google Sign-In, Microsoft Sign-In, Azure AD, Entra ID, OAuth, Shibboleth, LDAP, SAML, OIDC, SCIM, JIT, user provisioning, group mapping, unsupported, 2FA, custom login, JumpCloud, Okta

Key Questions:

• Which SSO methods are currently supported in VoIPmonitor GUI?
• Is JumpCloud SSO supported?
• Can I use SAML-based single sign-on with VoIPmonitor?
• Is LDAP authentication supported in VoIPmonitor?
• What is the difference between LDAP authentication and LDAP SSO?
• How do I map SSO users to VoIPmonitor GUI permissions?
• Do I need to create users manually before using SSO?
• Is SCIM or JIT user provisioning supported?
• Are groups from the identity provider synchronized to VoIPmonitor?
• Can I integrate with JumpCloud for authentication?
• What alternatives exist if my SSO method is not supported?