modify SCIM plugin

source/scim/entra.rst

@@ -0,0 +1,123 @@
+Entra
+-----
+
+References:
+~~~~~~~~~~
+
+-  `Use SCIM to provision users and groups <https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups#integrate-your-scim-endpoint-with-the-azure-ad-provisioning-service>`_
+
+Setup
+~~~~~
+
+Create application
+~~~~~~~~~~~~~~~~~~
+
+- Connect to your `Azure portal <https://aad.portal.azure.com/>`_
+- Click on **Add**
+- then **Enterprise application**.
+
+.. figure:: images/scim-4.png
+   :alt: add application
+   :scale: 65 %
+
+- Click on **Create your application**.
+- In the section that appears on the right, enter the name of your application and choose the 3rd option **`integrate any other application don't find in the gallery`**.
+
+.. figure:: images/scim-5.png
+   :alt: create application
+   :scale: 43 %
+
+
+Setup the application
+~~~~~~~~~~~~~~~~~~~~~
+
+- Once you've created your application, go to **Provisioning**.
+
+.. figure:: images/scim-6.png
+   :alt: add provisionning
+   :scale: 100 %
+
+- Select **Automatic**.
+- Specify the **URL** `generated earlier <setup_plugin.html>`_ from GLPI and paste the **token**.
+
+.. Warning:: Make sure you **paste the token (JWT token)** to ensure your application works properly.
+
+.. figure:: images/scim-7.png
+   :alt: setup provisionning
+   :scale: 75 %
+
+- Click on Test connection. A message will appear informing you of the successful connection.
+
+.. figure:: images/scim-8.png
+   :alt: setup provisionning
+   :scale: 100 %
+
+- On the same page, you can also configure an email address and a number in case of failure or accidental deletions.
+
+.. figure:: images/scim-9.png
+   :alt: check provisionning
+   :scale: 100 %
+
+
+- Click on **Save**
+
+
+Synchronising all users
+~~~~~~~~~~~~~~~~~~~~~~~
+
+- You can choose to synchronise your entire directory.
+- Go to the **Settings > Scope** tab and select **Sync all users and groups**.
+
+.. figure:: images/scim-10.png
+   :alt: sync all
+   :scale: 67 %
+
+Synchronising selected groups and users (default option)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- You can choose to synchronise only certain groups and/or users. When refreshing the **`Provisionning`** page
+- Go to the **Parameters > Scope** tab
+- Select **Synchronise assigned users and groups only**
+
+.. figure:: images/scim-11.png
+   :alt: sync selection
+   :scale: 100 %
+
+- Then go to **Users and groups**
+- Click on **Add a user/group**
+- Click on **No selection**
+- Select the groups and users you want in the box on the right
+- Then **Select** and **Assign**.
+
+.. figure:: images/scim-12.png
+   :alt: select users/groupes
+   :scale: 43 %
+
+Activate provisioning
+~~~~~~~~~~~~~~~~~~~~~
+
+- In the **Provisioning** section
+- Change the status from **Disabled** to **Enabled**
+
+.. figure:: images/scim-13.gif
+   :alt: enable sync
+   :scale: 100 %
+
+
+Check synchronisation status
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- In the **Overview** section, you can check that synchronisation has been successful.
+
+.. figure:: images/scim-14.png
+   :alt: check provisionning
+   :scale: 82 %
+
+- On the GLPI side, Go to the **Request log** section of your SCIM plugin **Setup** > **SCIM identity servers** to check that the accounts are correctly synchronised.
+
+.. figure:: images/scim-15.png
+   :alt: check provisionning
+   :scale: 43 %
+
+.. Important::
+   See the procedure for setting up the `OAuth SSO <https://glpi-plugins.readthedocs.io/en/latest/oauthsso/entra.html>`_ plugin to authenticate users on GLPI.

source/scim/faq.rst

@@ -0,0 +1,4 @@
+FAQ
+---
+
+If you have any questions about using the plugin, please consult `our FAQ <https://faq.teclib.com/04_Plugins/SCIM/>`_

source/scim/index.rst

@@ -1,87 +1,13 @@
 SCIM
 ====
 
-Requirements (on-premise)
--------------------------
-
-============ =========== ===========
-GLPI Version Minimum PHP Recommended
-============ =========== ===========
-10.0.x       8.1         8.2
-============ =========== ===========
-
-.. note::
-   A `basic licence <https://services.glpi-network.com/#offers>`_ (or higher) is required. This plugin is also available from the `Cloud <https://glpi-network.cloud/fr/>`_.
-
-
-.. figure:: pics/logo.png
-   :align: Center
-   :scale: 70 %
-
-
-This plugin let you provision your users and groups from an external identity provider using the `SCIM <https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management>`_ protocol. The update from the directory to GLPI is done “just in time”.
-Each modification is done on the fly, without any cron. GLPI is the service provider, and the directory is the identity provider.
-
-**Warning, the SCIM API endpoint provided by the plugin must be accessible from the identity provider.** If we talk about Azure or Okta, this particular url should be available from the internet. We suggest strongly to limit the ip addresses that can access this url (in addition of adding a strong authentication method).
-
-.. _setup_scim:
-
-Setup
------
-
-You must declare an identity server in the plugin configuration (You can add any number).
-Go to **Setup** > **SCIM Identity servers** menu and click the **[+ Add]** button on top of the page.
-
-.. figure:: pics/identity_server.png
-   :alt: SCIM configuration
-   :scale: 40 %
-
-Fill at least:
-
-- The name of the server,
-- the user applied on GLPI when receiving a request (this will identify the user in th GLPI logs),
-- check the “Active” field,
-- and submit by clicking the [+ Add] button at the bottom of the form.
-
-You’ll be given an API url you may paste into your identity provider configuration. Check `specific provider documentation <#providers>`_ for more details.
-
-You may set some optional parameters :
-
--  **Save requests in logs**: if checked, all requests will be saved in the “Historical” tab of your declared server.
--  **Default server**: if checked, this server will be used by default without providing it’s id in the API Url.
--  **Security**: a dropdown of available security methods. Currently implemented:
-
-   -  **None**: no security, anyone can access the API.
-   -  **Basic**: HTTP Basic authentication. You must provide a username and a password.
-   -  **Digest**: HTTP Digest authentication. You must provide a username and a password.
-   -  **Bearer**: HTTP Bearer authentication. A long lived (10years) jwt token will be generated.
-   -  **OAuth2**: OAuth2 authentication. You must provide at least a valid redirection uri. We support the following flows:
-
-      -  Authorization code.
-      -  Client credentials.
-
-Your SCIM server is now ready to receive requests from your identity provider.
-
-.. figure:: pics/scim_api.png
-   :alt: SCIM API example
-   :scale: 78 %
-
-Providers
----------
-
-- :doc:`Azure <azure>`
-- :doc:`Okta <okta>`
-
-A Note about passwords sync
----------------------------
-
-Although it’s mentioned in the `SCIM specifications <https://datatracker.ietf.org/doc/html/rfc7643#section-9.2>`_, password sync is not always available depending on the provider:
-
--  Azure: `not available <https://learn.microsoft.com/en-us/answers/questions/1113754/azure-ad-scim-provisioning-how-to-sync-passwords>`_
--  Okta: `available <https://developer.okta.com/docs/concepts/scim/#sync-passwords>`_
-
-
-FAQ
----
-
-If you have any questions about using the plugin, please consult `our FAQ <https://faq.teclib.com/04_Plugins/SCIM/>`_
+.. toctree::
+   :maxdepth: 2
+
+   requirements
+   password_SSO
+   install_plugin
+   setup_plugin
+   entra
+   okta
+   faq

source/scim/install_plugin.rst

@@ -0,0 +1,8 @@
+Install the plugin
+------------------
+
+- From the marketplace, download the **SCIM** plugin
+
+.. figure:: images/scim-1.png
+   :alt: Install the plugin
+   :scale: 100 %