Let users log into Odoo via an SAML2 provider.
This module lets you delegate the management of users and passwords to an external authentication system, providing SSO (Single Sign On) between Odoo and the other applications of your ecosystem.
Benefits:
- Reducing the time spent typing different passwords for different accounts.
- Reducing the time spent in IT support for password oversights.
- Centralizing authentication systems.
- Securing login, logout and access across multiple systems without prompting users again.
- Centralizing access control information for compliance testing against different standards.
Installation
This addon requires the lasso library (the SAML2 implementation it uses, with its Python bindings).
Configuration
To use this module, you need an IDP server, properly set up. Go through the «Getting started» section for more information.
Getting started with Authentic2
This is a quick howto to help set up a service provider that will be able to use the IdP from Authentic2.
We will mostly cover how to set up your RSA keys and certificates.
Creating the certs
Use easy-rsa from the easy-rsa package (or from the openvpn project).
Example script below, with comments saying what you should do between each command:
# edit ./vars first: set the KEY_* variables (country, org, e-mail, ...) for your new CA
source ./vars
# generate the Diffie-Hellman parameters (part of the standard easy-rsa setup)
./build-dh
# create the CA key and certificate
./pkitool --initca
# change your vars to match the new client cert (e.g. KEY_CN for the service provider), then reload them
source ./vars
# create the client key and certificate, signed by the CA just created
./pkitool myclient
Congratulations, you now have a client certificate signed by a shiny new CA under your own private control.
Configuring authentic
We will not describe how to compile the requirements nor how to start an Authentic2 server.
Just log into your Authentic2 admin panel:
https://myauthenticserver/admin
and create a new «liberty provider».
You’ll need to create a metadata XML file from a template (TODO).
You’ll need to make sure it is activated and that the default protocol rules are applied (i.e. requests are signed and signatures are verified).
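The «liberty provider» registration needs the service provider's SAML 2.0 metadata. The following is an added example, not code from the auth_saml module or from Authentic2: it builds a minimal SP metadata document with the standard library only, declaring that requests are signed and that signed assertions are required, which matches the protocol rules mentioned above. The entity ID, the ACS URL (the /auth_saml/signin path is assumed; check the route on your own Odoo instance) and the PEM certificate are placeholders; the PEM body is constructed and not a real certificate.

```python
"""Build and sanity-check a minimal SAML 2.0 SP metadata file.

Added example (not part of auth_saml). Assumptions, all labelled:
- ENTITY_ID / ACS_URL are placeholders; the /auth_saml/signin path is assumed.
- EXAMPLE_CERT_PEM is a constructed placeholder, not a real certificate;
  use the myclient.crt produced by easy-rsa instead.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Placeholders (assumed values, replace with your own).
ENTITY_ID = "https://odoo.example.com/auth_saml/metadata"
ACS_URL = "https://odoo.example.com/auth_saml/signin"
# Constructed placeholder PEM, not a real certificate.
EXAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBfakeCERTbody
AAAAexample==
-----END CERTIFICATE-----"""


def pem_to_base64(pem: str) -> str:
    """Strip the PEM armour: metadata carries the bare base64 DER, no headers."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("-----")]
    if not body:
        raise ValueError("no certificate body found in PEM input")
    return "".join(body)


def build_sp_metadata(entity_id: str, acs_url: str, signing_cert_pem: str) -> str:
    """Return SP metadata requiring signed requests and signed assertions."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(
        root,
        f"{{{MD}}}SPSSODescriptor",
        AuthnRequestsSigned="true",       # we sign our AuthnRequests
        WantAssertionsSigned="true",      # and refuse unsigned assertions
        protocolSupportEnumeration=SAML_PROTOCOL,
    )
    # The IdP needs this certificate to verify the signatures on our requests.
    key = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use="signing")
    key_info = ET.SubElement(key, f"{{{DS}}}KeyInfo")
    x509 = ET.SubElement(key_info, f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = pem_to_base64(signing_cert_pem)
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = NAMEID_EMAIL
    # Where the IdP posts the SAML response back to Odoo.
    ET.SubElement(
        sp,
        f"{{{MD}}}AssertionConsumerService",
        Binding=HTTP_POST,
        Location=acs_url,
        index="0",
        isDefault="true",
    )
    return ET.tostring(root, encoding="unicode")


def check_metadata(xml_text: str) -> dict:
    """Checks an admin would run before uploading the file to the IdP."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    cert = root.find(f".//{{{DS}}}X509Certificate")
    acs = sp.find(f"{{{MD}}}AssertionConsumerService") if sp is not None else None
    return {
        "entity_id": root.get("entityID"),
        "requests_signed": sp is not None and sp.get("AuthnRequestsSigned") == "true",
        "assertions_signed": sp is not None and sp.get("WantAssertionsSigned") == "true",
        "has_cert": cert is not None and bool(cert.text),
        # the ACS receives the assertion, so it must not be plain http
        "acs_is_https": acs is not None and acs.get("Location", "").startswith("https://"),
    }


if __name__ == "__main__":
    metadata = build_sp_metadata(ENTITY_ID, ACS_URL, EXAMPLE_CERT_PEM)
    print(metadata)
    print(check_metadata(metadata))
```

Write the printed document to a file and upload it when creating the «liberty provider»; the check_metadata result should show every flag as True, otherwise the IdP will either reject the registration or fall back to weaker protocol rules than the ones described above.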
Configuring Odoo
- Go to Settings and activate the developer mode.
- Configure your auth provider by going to Settings > Users & Companies > SAML Providers > Create. Your provider should give you all the required information.
- Go to Settings > Users & Companies > Users and edit each user that will authenticate through SAML.
- Go to the SAML tab and fill in both fields.
- Go to Settings > General settings and uncheck "Allow SAML users to possess an Odoo password" if you want your SAML users to authenticate only through SAML.
Usage
- Configure it (see the corresponding section of this README).
- Just log in with your SAML-provided credentials.
Known issues / Roadmap
- Checks to ensure no Odoo user with SAML also has an Odoo password.
- Setting to disable that rule.
Changelog
2.0
- SAML tokens are no longer stored in res_users, to avoid locks on that table.
Bug Tracker
Bugs are tracked on GitHub Issues. In case of trouble, please check there whether your issue has already been reported. If you spotted it first, help us smash it by providing detailed and welcome feedback.
Do not contact contributors directly about support or help with technical issues.
Credits
Contributors
- Florent Aide <florent.aide@xcg-consulting.fr>
- Vincent Hatakeyama <vincent.hatakeyama@xcg-consulting.fr>
- Alexandre Brun <alexandre.brun@xcg-consulting.fr>
- Jeremy Co Kim Len <jeremy.cokimlen@vinci-concessions.com>
- Houzéfa Abbasbhay <houzefa.abba@xcg-consulting.fr>
- Jeffery Chen Fan <jeffery9@gmail.com>
- Bhavesh Odedra <bodedra@opensourceintegrators.com>
- Tecnativa:
  - Jairo Llopis
Maintainers
This module is maintained by the OCA.
OCA, or the Odoo Community Association, is a nonprofit organization whose mission is to support the collaborative development of Odoo features and promote its widespread use.
This module is part of the OCA/server-auth project on GitHub.
You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.