Shibboleth and other auth modules: Difference between revisions
(Update SSO documentation: Microsoft Sign-In now supported, clarify LDAP authentication vs LDAP SSO, add SCIM/JIT provisioning limitations)
(Clarify Microsoft Sign-In status: coming soon, not yet in stable releases. Users need development branch from support.)
Revision as of 01:31, 6 January 2026
Overview
This page documents Single Sign-On (SSO) authentication support in the VoIPmonitor GUI, including currently supported methods and available alternatives.
Currently Supported SSO Methods
| Method | Status | Documentation |
|---|---|---|
| Google Sign-In (OAuth 2.0) | Supported | Google_Sign_in_usage |
| Microsoft Sign-In (Azure AD / Entra ID) | Coming Soon | Microsoft_Sign_in_usage |
Note: Microsoft Sign-In is scheduled for inclusion in an upcoming stable GUI release. If you do not see this option, your current version does not support it. To use Microsoft Sign-In before the stable release, please contact VoIPmonitor support to request a development branch GUI package.
Authentication Methods with Custom Scripts
The following authentication methods are supported via custom login scripts:
| Method | Type | Documentation |
|---|---|---|
| LDAP Authentication | Supported (Username/Password) | WEB_API#Custom_Login |
Important distinctions:
- LDAP Authentication (Supported): Users enter their username and password, which is verified against an LDAP server via custom login script. This is NOT single sign-on.
- LDAP SSO (Not Supported): Click-through login where users are automatically authenticated via LDAP without entering credentials. This is NOT supported.
For a complete LDAP example, see scripts/ldap_custom_login_example.php in your GUI directory. Ensure the php-ldap package is installed on the server.
Unsupported SSO Methods
The following SSO methods are not currently supported and have no scheduled release:
- Shibboleth - Not supported
- SAML-based SSO (including SAML 2.0 from JumpCloud, Okta, OneLogin, etc.) - Not supported
- OIDC (OpenID Connect) other than Google - Not supported (only Google OAuth 2.0 is supported; generic OIDC providers are not)
Support for additional SSO methods may be considered for future releases. Check the FAQ or release notes for updates.
SSO Feature Capabilities and Limitations
How SSO Works
When using SSO (Google Sign-In or Microsoft Sign-In):
- The Identity Provider (IdP) returns the user's email address to VoIPmonitor GUI
- VoIPmonitor maps this email to a local user profile to assign permissions
- The email is NOT automatically used to create new users
User Mapping Logic
VoIPmonitor uses the following priority order to map SSO users:
- Direct Email Match: Checks if a user exists in the GUI with an email exactly matching the IdP email
- Secure Users List: Checks the "Gmail emails" or "Microsoft emails" list in the "Secure users" tab of user profiles. This allows multiple external accounts to map to a single local profile
- Default Fallback User: If no match is found, assigns permissions from a user designated as the "Default" SSO account
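The resolution order above, modelled in Python as an added example (not VoIPmonitor code): the record fields, the per-provider keying of the "Secure users" lists and the "deny when nothing matches" result are assumptions made for illustration.

```python
"""Model of the SSO-to-local-user mapping order described on this page.

Constructed example, not VoIPmonitor code: the field names (email,
secure_emails, is_sso_default) and the deny-on-no-match result are assumed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LocalUser:
    name: str
    email: str
    # "Secure users" tab: external IdP emails allowed onto this profile.
    # Assumed to be keyed per provider ("google" -> "Gmail emails",
    # "microsoft" -> "Microsoft emails").
    secure_emails: dict = field(default_factory=dict)
    is_sso_default: bool = False


def resolve_sso_user(idp_email: str, provider: str, users: list) -> Optional[LocalUser]:
    """Return the local profile whose permissions apply, or None to deny.

    Documented order: 1) exact email match, 2) provider's "Secure users"
    list, 3) the profile designated as the SSO "Default".  No step creates
    a user: SCIM/JIT provisioning is not supported, so an unknown email
    with no default configured is refused rather than auto-provisioned.
    """
    for user in users:                      # 1. direct, exact email match
        if user.email == idp_email:
            return user
    for user in users:                      # 2. secure users list (assumed per provider)
        if idp_email in user.secure_emails.get(provider, ()):
            return user
    for user in users:                      # 3. default fallback, if designated
        if user.is_sso_default:
            return user
    return None                             # nothing matched: deny the login


# Constructed sample directory for demonstration
USERS = [
    LocalUser("alice", "alice@example.com"),
    LocalUser("ops-team", "ops@example.com",
              secure_emails={"google": {"bob@gmail.example", "carol@gmail.example"}}),
    LocalUser("readonly", "readonly@example.com", is_sso_default=True),
]

if __name__ == "__main__":
    for email, prov in [("alice@example.com", "google"), ("bob@gmail.example", "google"),
                        ("bob@gmail.example", "microsoft"), ("nobody@example.org", "google")]:
        hit = resolve_sso_user(email, prov, USERS)
        print(f"{email} via {prov} -> {hit.name if hit else 'DENIED'}")
```

Removing the default profile from the list shows the failure mode worth testing in a deployment: an unmapped IdP email is denied instead of silently gaining the default account's permissions.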
Requirements
- HTTPS Required: SSO requires HTTPS. The IdP will reject connections from insecure HTTP origins
- Manual User Creation: Users must be created in the VoIPmonitor GUI (or a default account must be configured) before SSO can work
- Client ID: You must provide your own OAuth Client ID from the IdP console
What is NOT Supported
- SCIM User Provisioning: Automated user creation or synchronization from the IdP is not supported
- JIT (Just-in-Time) Provisioning: Users are not automatically created on first login
- Group Mapping: Groups or permissions from the IdP are not synchronized to VoIPmonitor. Permissions must be managed locally in the GUI
- Multi-Factor Authentication (MFA) Pass-Through: MFA is configured on the IdP side, not in VoIPmonitor
Authentication Alternatives
If your required SSO method is not supported, the VoIPmonitor GUI offers these alternatives:
| Method | Description | Documentation |
|---|---|---|
| Local user accounts | Standard username/password authentication | Built-in |
| Two-Factor Authentication (2FA) | Additional security layer for local accounts | 2FA |
| Web server authentication | Apache Basic Auth, Digest Auth, or similar | Server configuration |
| Custom login scripts | Integration with LDAP or other authentication backends | WEB_API#Custom_Login |
Custom Login Scripts
Custom login scripts make it possible to integrate VoIPmonitor with authentication systems that use standard username/password authentication (such as LDAP):
- File location: <GUI_INSTALL_DIR>/scripts/custom_login.php
- Can verify credentials against LDAP, databases, or external APIs
- Return user permissions and sensor access permissions
- Limitations: Cannot implement SSO protocols like Shibboleth, SAML, or OIDC
Web Server Authentication
You can secure the GUI at the web server level (Apache/Nginx) before traffic reaches VoIPmonitor. This allows:
- Basic Auth or Digest Auth
- Integration with external authentication modules (e.g., mod_authnz_ldap)
- Centralized access control
Note: This is not "SSO" - users typically enter credentials once per session, and VoIPmonitor does not receive information about the authenticated user's identity from the IdP.
See Also
- Google_Sign_in_usage - Google OAuth 2.0 setup guide
- Microsoft_Sign_in_usage - Microsoft Entra ID setup guide
- 2FA - Two-Factor Authentication configuration
- WEB_API#Custom_Login - Custom login script documentation
- FAQ - Frequently Asked Questions
AI Summary for RAG
Summary: This page documents SSO authentication support in VoIPmonitor GUI. The only currently supported SSO method is Google Sign-In (OAuth 2.0). Microsoft Sign-In (Azure AD / Entra ID) is scheduled for inclusion in an upcoming stable GUI release; users who need it immediately can contact support for a development branch GUI package. LDAP authentication (username/password) is supported via custom login scripts, but LDAP SSO (click-through login) is not supported. Unsupported methods include Shibboleth, SAML-based SSO (JumpCloud, Okta, OneLogin), and generic OIDC. SSO requires HTTPS, and users must be manually created in the GUI or mapped via "Secure users" lists or a default user. SCIM/JIT user provisioning, group mapping, and MFA pass-through are not supported. Alternatives include local accounts, 2FA, web server authentication, and custom login scripts for LDAP/external auth.
Keywords: SSO, single sign-on, authentication, Google Sign-In, Microsoft Sign-In, Azure AD, Entra ID, OAuth, Shibboleth, LDAP, SAML, OIDC, SCIM, JIT, user provisioning, group mapping, unsupported, 2FA, custom login, JumpCloud, Okta
Key Questions:
- Which SSO methods are currently supported in VoIPmonitor GUI?
- Is JumpCloud SSO supported?
- Can I use SAML-based single sign-on with VoIPmonitor?
- Is LDAP authentication supported in VoIPmonitor?
- What is the difference between LDAP authentication and LDAP SSO?
- How do I map SSO users to VoIPmonitor GUI permissions?
- Do I need to create users manually before using SSO?
- Is SCIM or JIT user provisioning supported?
- Are groups from the identity provider synchronized to VoIPmonitor?
- Can I integrate with JumpCloud for authentication?
- What alternatives exist if my SSO method is not supported?