
Saml2 Authentication

Beta | License: AGPL-3 | OCA/server-auth | Translate me on Weblate | Try me on Runboat

Let users log into Odoo via a SAML2 provider.

This module allows delegating the management of users and passwords to an external authentication system, providing SSO (Single Sign On) between Odoo and the other applications of your ecosystem.

Benefits:

  • Reducing the time spent typing different passwords for different accounts.
  • Reducing the time spent by IT support on forgotten passwords.
  • Centralizing authentication systems.
  • Securing logins, logouts and access across multiple systems without repeatedly prompting users.
  • Centralizing access control information for compliance testing against different standards.


Installation

This addon requires the lasso SAML library.

Configuration

To use this module, you need an IDP server, properly set up. Go through the «Getting started» section for more information.

Getting started with Authentic2

This is a quick howto to help set up a service provider that will be able to use the IDP from Authentic2.

We will mostly cover how to set up your RSA keys and certificates.

Creating the certs

Use easy-rsa (from the easy-rsa package, or from the OpenVPN project).

Example script below, with a comment saying what you should do before each group of commands:

# edit ./vars to set the identity of your new CA, then load it
source ./vars

# build-dh generates Diffie-Hellman parameters (easy-rsa's usual TLS step; not used by the SAML signing itself)
./build-dh
# create the CA key and self-signed CA certificate
./pkitool --initca

# change your vars to match a new client cert, then reload them
source ./vars

# issue the client (service provider) key and certificate, signed by the CA above
./pkitool myclient

Congratulations, you now have a client certificate signed by a shiny new CA under your own private control.

Configuring authentic

We will not describe how to compile the requirements, nor how to start an authentic server.

Just log into your authentic admin panel:

https://myauthenticserver/admin

and create a new «liberty provider».

You’ll need to create a metadata XML file from a template (TODO).

You’ll need to make sure it is activated and that the default protocol rules are applied (i.e. requests are signed and signatures are verified).
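As an added illustration of the two points above (the service provider metadata file and the "requests are signed, signatures are verified" rule), the script below builds minimal SP metadata that declares AuthnRequestsSigned and WantAssertionsSigned, embeds the signing certificate, and then checks any SP or IdP metadata document for those signing flags, for the presence of a signing certificate and for HTTPS endpoints. This is example code written for this README, not the module's or Authentic2's own template; it uses only the Python standard library, and the entity IDs, URLs and the PEM certificate body are constructed placeholders.

```python
"""Build SAML2 SP metadata and audit SP/IdP metadata for signing requirements.

Added example (not part of auth_saml or Authentic2); standard library only.
"""
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", NS_MD)
ET.register_namespace("ds", NS_DS)

# Constructed placeholder: PEM-shaped text, not a real certificate, so the example
# runs offline. In practice use the cert issued by pkitool/easy-rsa.
PLACEHOLDER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERCERTIFICATEBODY
-----END CERTIFICATE-----"""


def pem_body(pem):
    """Strip the PEM armour; <ds:X509Certificate> carries only the base64 body."""
    return "".join(line.strip() for line in pem.strip().splitlines()
                   if line.strip() and not line.startswith("-----"))


def build_sp_metadata(entity_id, acs_url, cert_pem):
    """Emit SP metadata stating that we sign requests and expect signed assertions."""
    ent = ET.Element(f"{{{NS_MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(ent, f"{{{NS_MD}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "true",
        "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    for use in ("signing", "encryption"):
        kd = ET.SubElement(sp, f"{{{NS_MD}}}KeyDescriptor", {"use": use})
        ki = ET.SubElement(kd, f"{{{NS_DS}}}KeyInfo")
        xd = ET.SubElement(ki, f"{{{NS_DS}}}X509Data")
        ET.SubElement(xd, f"{{{NS_DS}}}X509Certificate").text = pem_body(cert_pem)
    ET.SubElement(sp, f"{{{NS_MD}}}AssertionConsumerService", {
        "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "Location": acs_url, "index": "0",
    })
    return ET.tostring(ent, encoding="unicode")


def _signing_cert_present(desc):
    # A KeyDescriptor without a 'use' attribute applies to both signing and encryption.
    for kd in desc.findall(f"{{{NS_MD}}}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":
            cert = kd.find(f".//{{{NS_DS}}}X509Certificate")
            if cert is not None and (cert.text or "").strip():
                return True
    return False


def check_metadata(xml_text):
    """Return a list of findings for SP or IdP metadata; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{NS_MD}}}SPSSODescriptor")
    idp = root.find(f"{{{NS_MD}}}IDPSSODescriptor")
    desc = sp if sp is not None else idp
    if desc is None:
        return ["no SPSSODescriptor or IDPSSODescriptor found"]
    if sp is not None:
        flags = ("AuthnRequestsSigned", "WantAssertionsSigned")
        endpoint_tag = f"{{{NS_MD}}}AssertionConsumerService"
    else:
        flags = ("WantAuthnRequestsSigned",)
        endpoint_tag = f"{{{NS_MD}}}SingleSignOnService"
    findings = []
    for flag in flags:
        if desc.get(flag, "false").lower() != "true":
            findings.append(f"{flag} is not true")
    if not _signing_cert_present(desc):
        findings.append("no signing certificate in KeyDescriptor")
    for ep in desc.findall(endpoint_tag):
        if not ep.get("Location", "").startswith("https://"):
            findings.append(f"endpoint not served over https: {ep.get('Location')}")
    return findings


# Constructed IdP metadata with two weaknesses: unsigned requests allowed, plain-http SSO URL.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS_MD}" xmlns:ds="{NS_DS}"
    entityID="https://idp.example.invalid/idp/saml2/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{pem_body(PLACEHOLDER_CERT_PEM)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.invalid/idp/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    # Placeholder SP URLs; substitute your Odoo instance's metadata and ACS endpoints.
    sp_xml = build_sp_metadata("https://odoo.example.invalid/saml/metadata",
                               "https://odoo.example.invalid/saml/acs",
                               PLACEHOLDER_CERT_PEM)
    print(sp_xml)
    print("SP findings:", check_metadata(sp_xml))
    print("IdP findings:", check_metadata(SAMPLE_IDP_METADATA))
```

Run the script once against the IdP metadata your Authentic2 instance exports before registering the provider in Odoo: a non-empty findings list means the IdP still accepts unsigned requests or publishes an endpoint that is not served over HTTPS, which is exactly what the default protocol rules are meant to rule out.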

Configuring Odoo

  1. Go to Settings > Activate the developer mode.
  2. Configure your auth provider by going to Settings > Users & Companies > SAML Providers > Create. Your identity provider should give you all the needed information.
  3. Go to Settings > Users & Companies > Users and edit each user that will authenticate through SAML.
  4. Go to the SAML tab and fill both fields.
  5. Go to Settings > General settings and uncheck Allow SAML users to possess an Odoo password if you want your SAML users to authenticate only through SAML.

Usage

  1. Configure it (see the Configuration section above).
  2. Just login with your SAML-provided password.

Known issues / Roadmap

  • Checks to ensure no Odoo user with SAML also has an Odoo password.
  • Setting to disable that rule.

Changelog

2.0

  • SAML tokens are not stored in res_users anymore to avoid locks on that table

Bug Tracker

Bugs are tracked on GitHub Issues. In case of trouble, please check there whether your issue has already been reported. If you spotted it first, help us to smash it by providing detailed and welcome feedback.

Do not contact contributors directly about support or help with technical issues.

Credits

Authors

  • XCG Consulting

Contributors

Maintainers

This module is maintained by the OCA.

Odoo Community Association

OCA, or the Odoo Community Association, is a nonprofit organization whose mission is to support the collaborative development of Odoo features and promote its widespread use.

This module is part of the OCA/server-auth project on GitHub.

You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.