ContextQMD
Back to Authentik

Integrate with Snipe-IT

website/integrations/documentation/snipe-it/index.md

latest5.3 KB
Original Source

What is Snipe-IT

A free open source IT asset/license management system.

-- https://snipeitapp.com

:::caution This setup assumes you will be using HTTPS as Snipe-It dynamically generates the ACS and other settings based on the complete URL. :::

:::caution In case something goes wrong with the configuration, you can use the URL http://inventory.company/login?nosaml to log in using the built-in authentication. :::

Preparation

The following placeholders are used in this guide:

  • inventory.company is the FQDN of the snipe-it installation.
  • authentik.company is the FQDN of the authentik installation.
  • snipeit-user is the name of the authentik service account we will create.
  • DC=ldap,DC=authentik,DC=io is the Base DN of the LDAP Provider (default)

:::info This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. :::

authentik Configuration

Step 1 - Service account

In authentik, create a service account (under Directory/Users) for Snipe-IT to use as the LDAP Binder and take note of the password generated.

In this example, we'll use snipeit-user as the Service account's username

:::info If you didn't keep the password, you can copy it from Directory/Tokens & App password. :::

Step 2 - LDAP Provider

In authentik, create a LDAP Provider (under Applications/Providers) with these settings :

  • Name : Snipe IT-LDAP
  • Bind DN : DC=ldap,DC=goauthentik,DC=io
  • Certificate : authentik Self-signed Certificate

Step 3 - Application

In authentik, create an application (under Resources/Applications) with these settings :

  • Name: Snipe IT-LDAP
  • Slug: snipe-it-ldap
  • Provider: Snipe IT-LDAP

Step 4 - Outpost

In authentik, create an outpost (under Applications/Outposts) of type LDAP that uses the LDAP Application you created in Step 3.

  • Name: LDAP
  • Type: LDAP

Snipe-IT LDAP Setup

Configure Snipe-IT LDAP settings by going to settings (the gear icon), and selecting LDAP

Change the following fields

  • LDAP Integration: Checked
  • LDAP Password Sync: Checked
  • Active Directory : Unchecked
  • LDAP Client-Side TLS Key: (taken from authentik)
  • LDAP Server: ldap://authentik.company
  • Use TLS : Unchecked
  • LDAP SSL certificate validation : Checked
  • Bind credentials:
    • LDAP Bind Username: cn=snipeit-user,ou=users,dc=ldap,dc=goauthentik,dc=io
    • LDAP Bind Password: <snipeit-user password from step 2>
  • Base Bind DN: ou=users,DC=ldap,DC=goauthentik,DC=io :::info ou=users is the default OU for users. If you are using authentik's virtual groups, or have your users in a different organizational unit (ou), change accordingly. :::
  • LDAP Filter: &(objectClass=user)
  • Username Field: mail :::info Setting the Username field to mail is recommended in order to ensure the username is unique. See https://snipe-it.readme.io/docs/ldap-sync-login :::
  • Allow unauthenticated bind: Unchecked
  • Last Name: sn
  • LDAP First Name: givenname
  • LDAP Authentication query: cn=
  • LDAP Email: mail

:::info authentik does not support other LDAP attributes like Employee Number, Department, etc out of the box. If you need these fields, you will need to setup custom attributes. :::

Save your config, then click on Test LDAP Synchronization. This does not import any users, just verifies everything is working and the account can search the directory.

To test your settings, enter a username and password and click Test LDAP.

Snipe-IT LDAP Sync

You must sync your LDAP database with Snipe-IT. Go to People on the sidebar menu.

  • Click LDAP Sync
  • Select your Location
  • Click Synchronize :::info Snipe-IT will only import users with both a first and last name set. You need to create user attributes with first and last names. :::

authentik SAML Config

Step 1

Create another application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to Applications ->Providers. Create a SAML provider with the following parameters:

  • ACS URL: https://inventory.company/saml/acs
  • Issuer: https://inventory.company
  • Service Provider Binding: Post
  • Audience: https://inventory.company
  • Signing certificate: Select any certificate you have.
  • Property mappings: Select all Managed mappings.
  • NamedID Property Mapping: authentik default SAML Mapping: Email :::info This is to match setting the username as mail. If you are using another field as the username, set it here. :::

Step 2

After saving your new Application and Provider, go to Applications/Providers and select your newly created Provider.

Either copy the information under SAML Metadata, or click the Download button under SAML Metadata

Snipe-IT SAML Config

Configure Snipe-IT SAML settings by going to settings (the gear icon), and selecting SAML

  • SAML enabled: Checked
  • SAML IdP Metadata: (paste information copied in Step 2 above -or-
  • Click Select File and select the file you downloaded in Step 2
  • Attribute Mapping - Username: mail
  • SAML Force Login: Checked
  • SAML Single Log Out: Checked

All other field can be left blank.

Resources