authentik/website/integrations/services/snipe-it/index.md
Teffen Ellis a714c781a6 website: Use Docusaurus Frontmatter for badges (#12893)
website/docs: Reduce redundant usage of badges. Move badge logic to components.

- Fix JSX class name warning.
- Remove duplicate titles.
- Flesh out `support_level` frontmatter.
2025-02-19 18:03:05 +00:00


---
title: Integrate with Snipe-IT
sidebar_label: Snipe-IT
support_level: community
---
## What is Snipe-IT
> A free open source IT asset/license management system.
>
> -- https://snipeitapp.com
:::caution
This setup assumes you will be using HTTPS, as Snipe-IT dynamically generates the ACS and other settings based on the complete URL.
:::
:::caution
In case something goes wrong with the configuration, you can use the URL `http://inventory.company/login?nosaml` to log in using the
built-in authentication.
:::
## Preparation
The following placeholders are used in this guide:
- `inventory.company` is the FQDN of the Snipe-IT installation.
- `authentik.company` is the FQDN of the authentik installation.
- `snipeit-user` is the name of the authentik service account we will create.
- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default).
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik Configuration
### Step 1 - Service account
In authentik, create a service account (under _Directory/Users_) for Snipe-IT to use as the LDAP Binder and take note of the password generated.
In this example, we'll use `snipeit-user` as the service account's username.
:::note
If you didn't keep the password, you can copy it from _Directory/Tokens & App password_.
:::
### Step 2 - LDAP Provider
In authentik, create an LDAP Provider (under _Applications/Providers_) with these settings:
- Name: Snipe IT-LDAP
- Bind DN: `DC=ldap,DC=goauthentik,DC=io`
- Certificate: `authentik Self-signed Certificate`
### Step 3 - Application
In authentik, create an application (under _Resources/Applications_) with these settings:
- Name: Snipe IT-LDAP
- Slug: snipe-it-ldap
- Provider: Snipe IT-LDAP
### Step 4 - Outpost
In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` that uses the LDAP Application you created in _Step 3_.
- Name: LDAP
- Type: LDAP
## Snipe-IT LDAP Setup
Configure the Snipe-IT LDAP settings by going to Settings (the gear icon) and selecting `LDAP`.
Change the following fields:
- LDAP Integration: **ticked**
- LDAP Password Sync: **ticked**
- Active Directory: **unticked**
- LDAP Client-Side TLS Key: (taken from authentik)
- LDAP Server: `ldap://authentik.company`
- Use TLS: **unticked**
- LDAP SSL certificate validation: **ticked**
- Bind credentials:
    - LDAP Bind Username: `cn=snipeit-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
    - LDAP Bind Password: `<snipeit-user password from step 2>`
- Base Bind DN: `ou=users,DC=ldap,DC=goauthentik,DC=io`
:::note
`ou=users` is the default OU for users. If you are using authentik's virtual groups, or have your users in a different organizational unit (OU), change accordingly.
:::
- LDAP Filter: `&(objectClass=user)`
- Username Field: `mail`
:::note
Setting the Username field to `mail` is recommended in order to ensure the username is unique. See https://snipe-it.readme.io/docs/ldap-sync-login
:::
- Allow unauthenticated bind: **unticked**
- Last Name: `sn`
- LDAP First Name: `givenname`
- LDAP Authentication query: `cn=`
- LDAP Email: `mail`
:::note
authentik does not support other LDAP attributes like Employee Number, Department, etc. out of the box. If you need these fields, you will need to set up custom attributes.
:::
Save your config, then click Test LDAP Synchronization. This does not import any users; it only verifies that everything is working and that the account can search the directory.
To test your settings, enter a username and password and click Test LDAP.
## Snipe-IT LDAP Sync
You must sync your LDAP database with Snipe-IT. Go to People on the sidebar menu.
- Click `LDAP Sync`
- Select your Location
- Click Synchronize
:::note
Snipe-IT will only import users with both a first and last name set. You need to create user attributes with first and last names.
:::
## authentik SAML Config
### Step 1
Create another application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to Applications -> Providers. Create a SAML provider with the following parameters:
- ACS URL: `https://inventory.company/saml/acs`
- Issuer: `https://inventory.company`
- Service Provider Binding: `Post`
- Audience: `https://inventory.company`
- Signing certificate: Select any certificate you have.
- Property mappings: Select all Managed mappings.
- NameID Property Mapping: authentik default SAML Mapping: Email
:::note
This is to match setting the username as **mail**. If you are using another field as the username, set it here.
:::
### Step 2
After saving your new Application and Provider, go to _Applications/Providers_ and select your newly created Provider.
Either copy the information under SAML Metadata, or click the Download button under SAML Metadata.
## Snipe-IT SAML Config
Configure the Snipe-IT SAML settings by going to Settings (the gear icon) and selecting `SAML`.
- SAML enabled: **ticked**
- SAML IdP Metadata: paste the information copied in Step 2 above, or click `Select File` and select the file you downloaded in Step 2
- Attribute Mapping - Username: `mail`
- SAML Force Login: **ticked**
- SAML Single Log Out: **ticked**
All other fields can be left blank.
## Additional Resources
- https://snipe-it.readme.io/docs/ldap-sync-login
- https://snipe-it.readme.io/docs/saml