
auth_saml

Author: XCG Consulting, Odoo Community Association (OCA)
License: AGPL-3
Branch: 16.0-mig-auth_saml
Repository: vauxoo-dev/addons-vauxoo
Dependencies: base, base_setup, and web
Languages: HTML (180, 9.4%), PO File (276, 14.4%), Python (1056, 55.1%), XML (247, 12.9%), and reStructuredText (157, 8.2%)
Other repositories: ScopeaFrance/auth_saml, antonyfm/auth_saml, camptocamp/server-tools, flosslab/auth_saml, gurneyalex/odoo-vcls-module, hotkee/auth_saml, jeffery9/auth_saml, jelacote/auth_saml, mrks-grsh/auth_saml, omarlemorac/auth_saml, petrus-v/server-tools, shouyejing/auth_saml, ursais/auth_saml, and xcgd/auth_saml

<h1 class="title">SAML2 Authentication</h1> <p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/15.0/auth_saml"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-15-0/server-auth-15-0-auth_saml"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runbot.odoo-community.org/runbot/251/15.0"><img alt="Try me on Runbot" src="https://img.shields.io/badge/runbot-Try%20me-875A7B.png" /></a></p> <p>Let users log into Odoo via a SAML2 identity provider.</p> <p>This module delegates the management of users and passwords to an external authentication system, providing single sign-on (SSO) between Odoo and the other applications in your ecosystem.</p> <p><strong>Benefits</strong>:</p> <ul class="simple"> <li>Reducing the time spent typing different passwords for different accounts.</li> <li>Reducing the time IT support spends on forgotten passwords.</li> <li>Centralizing authentication systems.</li> <li>Securing entry to, exit from and access to multiple systems without prompting users.</li> <li>Centralizing access control information for compliance testing against different standards.</li> </ul> <p><strong>Table of contents</strong></p> <div class="contents local topic" id="contents"> <ul class="simple"> <li><a class="reference 
internal" href="#installation" id="id3">Installation</a></li> <li><a class="reference internal" href="#configuration" id="id4">Configuration</a></li> <li><a class="reference internal" href="#usage" id="id5">Usage</a></li> <li><a class="reference internal" href="#known-issues-roadmap" id="id6">Known issues / Roadmap</a></li> <li><a class="reference internal" href="#changelog" id="id7">Changelog</a><ul> <li><a class="reference internal" href="#id1" id="id8">15.0.1.1.0</a></li> <li><a class="reference internal" href="#id2" id="id9">15.0.1.0.0</a></li> </ul> </li> <li><a class="reference internal" href="#bug-tracker" id="id10">Bug Tracker</a></li> <li><a class="reference internal" href="#credits" id="id11">Credits</a><ul> <li><a class="reference internal" href="#authors" id="id12">Authors</a></li> <li><a class="reference internal" href="#contributors" id="id13">Contributors</a></li> <li><a class="reference internal" href="#maintainers" id="id14">Maintainers</a></li> </ul> </li> </ul> </div> <a name="installation"></a> <h2><a class="toc-backref" href="#id3">Installation</a></h2> <p>This addon requires the Python module <code>pysaml2</code>.</p> <p><code>pysaml2</code> requires the binary <code>xmlsec1</code> (on Debian or Ubuntu you can install it with <code>apt-get install xmlsec1</code>).</p> <a name="configuration"></a> <h2><a class="toc-backref" href="#id4">Configuration</a></h2> <p>To use this module, you need a properly configured IdP server.</p> <ol class="arabic simple"> <li>Configure the module according to your IdP’s instructions (Settings &gt; Users &amp; Companies &gt; SAML Providers).</li> <li>Pre-create your users and set the SAML information against the user.</li> </ol> <p>By default, the module lets users have both a password and SAML ids. To increase security, disable passwords by using the option in Settings. Note that the admin account can still have a password, even if the option is activated. 
Setting the option immediately removes the password of every user with a configured SAML id.</p> <p>If all the users have a SAML id in a single provider, you can set automatic redirection in the provider settings. The autoredirection will only be done on the active provider with the highest priority. It is still possible to access the login page without redirection by using the query parameter <code>disable_autoredirect</code>, as in <code>https://example.com/web/login?disable_autoredirect=</code>. The login page is also displayed if there is an error with the SAML login, so that any error message can be shown.</p> <a name="usage"></a> <h2><a class="toc-backref" href="#id5">Usage</a></h2> <p>Users can log in with the configured SAML IdP using the buttons added to the login screen.</p> <a name="known-issues-roadmap"></a> <h2><a class="toc-backref" href="#id6">Known issues / Roadmap</a></h2> <ul class="simple"> <li>clean up <code>auth_saml.request</code></li> </ul> <a name="changelog"></a> <h2><a class="toc-backref" href="#id7">Changelog</a></h2> <a name="id1"></a> <h3><a class="toc-backref" href="#id8">15.0.1.1.0</a></h3> <p>Fix the module by adding a transaction to commit the token.</p> <p>Fix the option that disallows passwords for users with SAML ids. Added tests to ensure the feature works correctly. The admin user is also exempt from the password removal: in Odoo 15.0, this is the standard user for administrative tasks, not the superuser.</p> <p>Improve provider form and list views.</p> <p>Add auto redirect on providers. 
Use <code>disable_autoredirect</code> as a query parameter to disable automatic redirection (for example <code>https://example.com/web/login?disable_autoredirect=</code>).</p> <p>Add certificate file name fields to improve the UI.</p> <p>Mark several fields of the SAML provider as required; without them the server will crash and there is not enough information to make SAML work.</p> <p>Split signing to have finer control and be compatible with more IdPs.</p> <p>Integrate token into res.users.saml, removing auth_saml.token. No need for a separate table, and no more need to create lines in the table.</p> <p>Avoid server errors when a user requests the metadata page without the necessary parameters.</p> <p>Replace the call to <code>odoo.http.redirect_with_hash</code> with <code>request.redirect</code>, as the former no longer exists in Odoo 15.0.</p> <p>Improved the module documentation.</p> <a name="id2"></a> <h3><a class="toc-backref" href="#id9">15.0.1.0.0</a></h3> <a name="bug-tracker"></a> <h2><a class="toc-backref" href="#id10">Bug Tracker</a></h2> <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>. In case of trouble, please check there if your issue has already been reported. 
If you spotted it first, help us smash it by providing detailed and welcome <a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_saml%0Aversion:%2015.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p> <p>Do not contact contributors directly about support or help with technical issues.</p> <a name="credits"></a> <h2><a class="toc-backref" href="#id11">Credits</a></h2> <a name="authors"></a> <h3><a class="toc-backref" href="#id12">Authors</a></h3> <ul class="simple"> <li>XCG Consulting</li> </ul> <a name="contributors"></a> <h3><a class="toc-backref" href="#id13">Contributors</a></h3> <ul class="simple"> <li>Florent Aide &lt;<a class="reference external" href="mailto:florent.aide&#64;xcg-consulting.fr">florent.aide&#64;xcg-consulting.fr</a>&gt;</li> <li>Vincent Hatakeyama &lt;<a class="reference external" href="mailto:vincent.hatakeyama&#64;xcg-consulting.fr">vincent.hatakeyama&#64;xcg-consulting.fr</a>&gt;</li> <li>Alexandre Brun &lt;<a class="reference external" href="mailto:alexandre.brun&#64;xcg-consulting.fr">alexandre.brun&#64;xcg-consulting.fr</a>&gt;</li> <li>Jeremy Co Kim Len &lt;<a class="reference external" href="mailto:jeremy.cokimlen&#64;vinci-concessions.com">jeremy.cokimlen&#64;vinci-concessions.com</a>&gt;</li> <li>Houzéfa Abbasbhay &lt;<a class="reference external" href="mailto:houzefa.abba&#64;xcg-consulting.fr">houzefa.abba&#64;xcg-consulting.fr</a>&gt;</li> <li>Jeffery Chen Fan &lt;<a class="reference external" href="mailto:jeffery9&#64;gmail.com">jeffery9&#64;gmail.com</a>&gt;</li> <li>Bhavesh Odedra &lt;<a class="reference external" href="mailto:bodedra&#64;opensourceintegrators.com">bodedra&#64;opensourceintegrators.com</a>&gt;</li> <li><a class="reference external" href="https://www.tecnativa.com/">Tecnativa</a>:<ul> <li>Jairo Llopis</li> </ul> </li> <li><a class="reference external" 
href="https://www.glodo.uk/">GlodoUK</a>:<ul> <li>Karl Southern</li> </ul> </li> <li><a class="reference external" href="https://takobi.online/">TAKOBI</a>:<ul> <li>Lorenzo Battistini</li> </ul> </li> </ul> <a name="maintainers"></a> <h3><a class="toc-backref" href="#id14">Maintainers</a></h3> <p>This module is maintained by the OCA.</p> <a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a> <p>OCA, or the Odoo Community Association, is a nonprofit organization whose mission is to support the collaborative development of Odoo features and promote its widespread use.</p> <p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/15.0/auth_saml">OCA/server-auth</a> project on GitHub.</p> <p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
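<p>The automatic redirection rule from the Configuration section, as an added Python illustration that is not code from the auth_saml module: it decides whether a login request is redirected to an IdP or shown the login form. The <code>Provider</code> class, its field names, the <code>saml_error</code> flag and the rule that a lower <code>sequence</code> means a higher priority are assumptions.</p>

```python
from dataclasses import dataclass
from typing import Optional, Sequence
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Provider:
    """Hypothetical stand-in for a SAML provider record (field names assumed)."""
    name: str
    active: bool
    autoredirect: bool
    sequence: int  # assumption: a lower sequence means a higher priority


def autoredirect_disabled(login_url: str) -> bool:
    """True when the disable_autoredirect query parameter is present.

    The documented URL carries an empty value, so blank values must be kept:
    parse_qs drops them by default and the flag would be silently ignored.
    """
    query = urlsplit(login_url).query
    return "disable_autoredirect" in parse_qs(query, keep_blank_values=True)


def pick_redirect_provider(
    login_url: str, providers: Sequence[Provider], saml_error: bool = False
) -> Optional[Provider]:
    """Return the provider to redirect to, or None to show the login form."""
    # A failed SAML login must land on the form so the error stays visible.
    if saml_error or autoredirect_disabled(login_url):
        return None
    # Assumed reading: only active providers with autoredirect enabled compete.
    candidates = [p for p in providers if p.active and p.autoredirect]
    return min(candidates, key=lambda p: p.sequence, default=None)


# Constructed sample providers, not taken from a real deployment.
PROVIDERS = [
    Provider("corp-idp", active=True, autoredirect=True, sequence=10),
    Provider("partner-idp", active=True, autoredirect=True, sequence=5),
    Provider("old-idp", active=False, autoredirect=True, sequence=1),
    Provider("manual-idp", active=True, autoredirect=False, sequence=2),
]

if __name__ == "__main__":
    for url in ("https://example.com/web/login",
                "https://example.com/web/login?disable_autoredirect="):
        chosen = pick_redirect_provider(url, PROVIDERS)
        print(url, "->", chosen.name if chosen else "login form")
```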