6.0 KiB
title |
---|
Snipe-IT |
Support level: Community
What is Service Name
From https://snipeitapp.com :::note A free open source IT asset/license management system. :::
:::caution This setup assumes you will be using HTTPS as Snipe-It dynamically generates the ACS and other settings based on the complete URL. :::
:::caution
In case something goes wrong with the configuration, you can use the URL http://inventory.company/login?nosaml
to log in using the
built-in authentication.
:::
Preparation
The following placeholders will be used:
inventory.company
is the FQDN of the snipe-it install.authentik.company
is the FQDN of the authentik install.snipeit-user
is the name of the authentik service account we will create.DC=ldap,DC=authentik,DC=io
is the Base DN of the LDAP Provider (default)
authentik Configuration
Step 1 - Service account
In authentik, create a service account (under Directory/Users) for Snipe-IT to use as the LDAP Binder and take note of the password generated.
In this example, we'll use snipeit-user
as the Service account's username
:::note If you didn't keep the password, you can copy it from Directory/Tokens & App password. :::
Step 2 - LDAP Provider
In authentik, create a LDAP Provider (under Applications/Providers) with these settings :
- Name : Snipe IT-LDAP
- Bind DN :
DC=ldap,DC=goauthentik,DC=io
- Certificate :
authentik Self-signed Certificate
Step 3 - Application
In authentik, create an application (under Resources/Applications) with these settings :
- Name: Snipe IT-LDAP
- Slug: snipe-it-ldap
- Provider: Snipe IT-LDAP
Step 4 - Outpost
In authentik, create an outpost (under Applications/Outposts) of type LDAP
that uses the LDAP Application you created in Step 3.
- Name: LDAP
- Type: LDAP
Snipe-IT LDAP Setup
Configure Snipe-IT LDAP settings by going to settings (he gear icon), and selecting LDAP
Change the following fields
- LDAP Integration: ticked
- LDAP Password Sync: ticked
- Active Directory : unticked
- LDAP Client-Side TLS Key: (taken from authentik)
- LDAP Server:
ldap://authentik.company
- Use TLS : unticked
- LDAP SSL certificate validation : ticked
- Bind credentials:
- LDAP Bind USername:
cn=snipeit-user,ou=users,dc=ldap,dc=goauthentik,dc=io
- LDAP Bind Password:
<snipeit-user password from step 2>
- LDAP Bind USername:
- Base Bind DN:
ou=users,DC=ldap,DC=goauthentik,DC=io
:::note ou=users is the default OU for users. If you are using authentik's virtual groups, or have your users in a different organizational unit (ou), change accordingly. ::: - LDAP Filter: &(objectClass=user)
- Username Field: mail :::note Setting the Username field to mail is recommended in order to ensure the usernameisunique. See https://snipe-it.readme.io/docs/ldap-sync-login :::
- Allow unauthenticated bind: unticked
- Last Name: sn
- LDAP First Name: givenname
- LDAP AUthentication query: cn=
- LDAP Email: mail
:::note authentik does not support other LDAP attributes like Employee Number, Department, etc out of the box. If you need these fields, you will need to setup custom attributes. :::
Save your config, then click on Test LDAP Synchorization. This does not import any users, just verifies everything is working and the account can search the directory.
To test your settings, enter a username and password and click Test LDAP.
Snipe-IT LDAP Sync
You must sync your LDAP database with Snipe-IT. Go to People on the sidebar menu.
- CLick
LDAP Sync
- Select your Location
- Click Synchronize :::note Snipe-IT will only import users with both a first and last name set. If you do not have first and last names stored in your users attributes, you can create a property mapping to set first and last name. :::
authentik Property Mapping
To create a policy mapping, go to Customisation/Property Mappings, click Create
then LDAP Property Mapping
. Name is 'sn' and set Object field to sn:
def getLastName():
if len(request.user.name) >= 1:
return request.user.name.split(" ")[1]
elif len(request.user.name) == 1:
return request.user.name.split(" ")[1]
else:
return ""
return {
"sn": getLastName(),
}
Create a second policy mapping, name it 'givenname' and set Object field to 'givenname'
def getFirstName():
if len(request.user.name) >= 1:
return request.user.name.split(" ")[0]
else:
return f"N/A"
return {
"givenname": getFirstName(),
}
authentik SAML Config
Step 1
Create another application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to Applications ->Providers. Create a SAML provider with the following parameters:
- ACS URL:
https://inventory.company/saml/acs
- Issuer:
https://inventory.company
- Service Provider Binding:
Post
- Audience:
https://inventory.company
- Signing certificate: Select any certificate you have.
- Property mappings: Select all Managed mappings.
- NamedID Property Mapping: authentik default SAML Mapping: Email :::note This is to match setting the username as mail. If you are using another field as the username, set it here. :::
Step 2
After saving your new Application and Provider, go to Applications/Providers and select your newly created Provider.
Either copy the information under SAML Metadata, or click the Download button under SAML Metadata
Snipe-IT SAML Config
Configure Snipe-IT SAML settings by going to settings (he gear icon), and selecting SAML
- SAML enabled: ticked
- SAML IdP Metadata: (paste information copied in Step 2 above -or-
- Click
Select File
and select the file you downloaded in Step 2 - Attribute Mapping - Username: mail
- SAML Force Login: ticked
- SAML Single Log Out: ticked
All other field can be left blank.