OrangeHRM LDAP Authentication
OrangeHRM supports LDAP (Lightweight Directory Access Protocol) authentication, allowing users to log in using their LDAP credentials. This integration streamlines user management and enhances security by leveraging existing LDAP directories. Follow these step-by-step instructions to set up LDAP authentication in OrangeHRM:
Prerequisites:
Before you begin, ensure that you have the following information:
- LDAP Server Address
- LDAP Port (typically 389 for unencrypted connections or 636 for encrypted connections)
- Base DN (Distinguished Name) for searching users
- LDAP User Suffix (Your domain name if you are using MS Active Directory)
- LDAP Bind DN (Distinguished Name) and password for binding to the LDAP server
- LDAP Filter for user search (optional but recommended for narrowing down searches)
- LDAP Attribute for the username (usually 'uid' or 'sAMAccountName' depending on your LDAP server)
Steps to Configure LDAP Authentication:
Step 1: Log in to OrangeHRM
- Log in to your OrangeHRM admin panel using your system admin credentials.
Step 2: Navigate to LDAP Settings
- Go to the "HR Administration" module.
- Under the "Configuration" section, select "Authentication".
Step 3: Configure LDAP Settings
- In the "General Settings" tab, find the "LDAP Settings" section.
- Check the "Enable LDAP Authentication" box.
- Enter the LDAP Server Address and Port.
- Fill in the Base DN, LDAP Bind DN, and LDAP Bind Password.
- Set the LDAP Filter and LDAP Attribute for user search.
- Click "Save" to apply the changes.
Step 5: Update User Authentication Settings
- Navigate to "HR Administration" > "Users".
- Create a user name for an employee.
- Save the changes without giving a password.
Step 6: Test LDAP Configuration
- Log out from the system.
- Enter an LDAP username and password from your LDAP directory.
- Check whether it is possible to log in to the system.
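An added, stand-alone check (not OrangeHRM's own code) for the prerequisites above: it escapes the login name per RFC 4515 so filter metacharacters in a username cannot change what the user search matches, ANDs it with the optional site filter, and builds the equivalent ldapsearch command for a dry run against the directory before the same values are entered in OrangeHRM. The host, base DN and service-account DN in the settings dict are constructed.

```python
import shlex

# RFC 4515 escapes for values interpolated into an LDAP search filter.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

def escape_filter_value(value: str) -> str:
    """Escape a login name before it is placed inside a filter assertion."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(username_attr: str, username: str, site_filter: str = '') -> str:
    """AND the optional site filter with an exact match on the username attribute."""
    if not username_attr.replace('-', '').isalnum():
        raise ValueError(f'invalid attribute name: {username_attr!r}')
    user_clause = f'({username_attr}={escape_filter_value(username)})'
    if not site_filter:
        return user_clause
    if not (site_filter.startswith('(') and site_filter.endswith(')')):
        raise ValueError('site filter must be parenthesised, e.g. (objectClass=person)')
    return f'(&{site_filter}{user_clause})'

def ldap_url(server: str, port: int) -> str:
    """636 is LDAPS; on 389 the bind password travels in cleartext unless StartTLS is used."""
    return f"{'ldaps' if port == 636 else 'ldap'}://{server}:{port}"

def ldapsearch_command(settings: dict, username: str) -> list[str]:
    """argv for an ldapsearch that repeats the lookup OrangeHRM will perform.
    -W prompts for the bind password so it stays out of shell history and `ps` output."""
    return [
        'ldapsearch', '-x', '-LLL',
        '-H', ldap_url(settings['server'], settings['port']),
        '-D', settings['bind_dn'], '-W',
        '-b', settings['base_dn'], '-s', 'sub',
        build_user_filter(settings['username_attr'], username, settings.get('filter', '')),
        settings['username_attr'],
    ]

if __name__ == '__main__':
    # Constructed settings (hypothetical host and DNs); use the values you will enter in OrangeHRM.
    settings = {'server': 'ldap.example.com', 'port': 636, 'base_dn': 'DC=example,DC=com',
                'bind_dn': 'CN=orangehrm-svc,OU=Service Accounts,DC=example,DC=com',
                'filter': '(objectClass=person)', 'username_attr': 'sAMAccountName'}
    print(shlex.join(ldapsearch_command(settings, 'jdoe')))
```

If the dry run returns exactly one entry for a known user, the Base DN, filter and attribute are consistent; zero or several entries point at the filter or attribute before OrangeHRM is involved.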
OrangeHRM SAML Authentication
Step 1: Prerequisites
Access to OrangeHRM: You should have administrative access to your OrangeHRM instance.
SAML Identity Provider: Choose a SAML 2.0 compliant Identity Provider. Popular options include Okta, Azure, or any other SAML-compliant system.
Step 2: Configure Identity Provider (IdP)
- Create a New SAML Application:
- Log in to your IdP's admin console.
- Create a new SAML application.
- Provide the following parameters for the client:
- Entity ID (Issuer)
- Assertion Consumer Service (ACS) URL
- Single Logout (SLO) URL (optional)
- Configure SAML Attributes:
- Define the necessary SAML attributes, such as NameID and user attributes like email or username.
- Download IdP Metadata:
- Download the IdP metadata file provided by your IdP. This file typically contains important configuration details.
Step 3: Configure OrangeHRM
- Access OrangeHRM:
- Log in to your OrangeHRM instance as a system administrator.
- Go to HR Administration -> Configuration -> Authentication -> SAML
- Enable SAML:
- Enable the SAML authentication option.
- Upload IdP Metadata:
- If your IdP provided a metadata file, upload it in the OrangeHRM SAML settings.
- Map SAML Attributes:
- Map OrangeHRM fields to the corresponding attributes from your IdP (e.g., map email, username).
- Save and Test:
- Save the SAML settings.
- Test the configuration by attempting to log in with a user account associated with the IdP.
Step 5: Troubleshooting
- Logs:
- Check logs in OrangeHRM and your IdP for any error messages.
- Attribute Mismatch:
- Confirm that the SAML attributes are correctly mapped between OrangeHRM and the IdP.
- URLs:
- Double-check that all URLs (ACS, SSO, SLO) are accurate and accessible.
- Metadata:
- Ensure that the metadata exchanged between OrangeHRM and the IdP is correct.
How to setup Google authentication
Overview
This document describes how to enable G Suite Authentication and the steps to be followed to configure G Suite authentication in OrangeHRM.
Version Information
Base OrangeHRM instance version: 6.X
Enabling G Suite Authentication for the Instance
Google configuration
• Start by going to https://console.developers.google.com/project/_/apiui/apis/library. If you are not logged in to your Google account, enter your credentials and log in.
• If you have not created any projects up to now, the ‘Select Project’ link will be displayed as in the image below.
• You can alternatively use an existing project or create a new project from the “Select a project”
• Click the Create button and wait for the project to be created.
• Select your newly created Project from the Projects drop-down at the top.
• Go to “Credentials” in the left sidebar under "APIs & Services".
• Configure the consent screen:
- Application Name: the domain name of the instance, e.g. orangehrmlive.com
- Support Email, e.g. test@orangehrm.us.com
Note: Don't edit the Application Homepage Link. Only add the Authorized domains and the Application Name, then save.
• In the Application type section of the dialog, select Web application. Give the Authorized redirect URI field the value https://test-test-infinity.orangehrm.com/openidauth/openIdCredentials (that is, your OrangeHRM host URL followed by /openidauth/openIdCredentials).
• Click the Create button.
• A pop-up “OAuth client” will appear.
• Copy the client ID
• Copy the Client Secret
• Click OK
OrangeHRM Instance Configuration
• Log in as admin for the Intraway OrangeHRM instance and go to Admin->Configuration->Authentication.
• Press Add Provider to create a new authentication provider, select Google+ and add the information below.
• Enter your preferred name in the Name field and enter the same URL you added to Authorized redirect URIs (<OrangeHRM hostURL>/openidauth/openIdCredentials). Then add the Client Id and Client Secret values noted down earlier. Add the Server account key noted down earlier as the ID Developer Key and Save.
Adding Users to OrangeHRM Instance
The authorized email addresses need to be used as the username of the login records in OrangeHRM for Google+ authentication to work.
OrangeHRM OpenID Authentication
Step 1: Prerequisites
- Access to OrangeHRM: You should have administrative access to your OrangeHRM instance.
- OpenID Connect Provider: Choose an OpenID Connect (OIDC) compliant provider. Examples include Auth0, Okta, Google Identity Platform, or your own OIDC-compliant server.
Step 2: Configure OpenID Connect Provider
- Create a New OIDC Application:
- Log in to your OpenID Connect provider's admin console.
- Create a new application or client.
- Note down the following details:
- Client ID
- Client Secret
- Authorization Endpoint URL
- Token Endpoint URL
- User Info Endpoint URL
- Redirect URI (Callback URL)
- Configure Scopes and Claims:
- Define the necessary OpenID Connect scopes and claims required for user authentication and authorization.
- Download Provider Metadata:
- Download the OpenID Connect provider's metadata file if available. This file typically contains important configuration details.
Step 3: Configure OrangeHRM
- Access OrangeHRM:
- Log in to your OrangeHRM instance as an administrator.
- Navigate to OpenID Connect Settings:
- Go to Admin > Authentication > OpenID Connect.
- Enable OpenID Connect:
- Toggle the OpenID Connect switch to enable it.
- Configure OpenID Connect Settings:
- Enter the following information:
- Client ID: Enter the Client ID obtained from your OpenID Connect provider.
- Client Secret: Enter the Client Secret obtained from your OpenID Connect provider.
- Issuer URL: Enter the issuer URL of your OpenID Connect provider.
- Authorization Endpoint URL: Enter the Authorization Endpoint URL from your OpenID Connect provider.
- Token Endpoint URL: Enter the Token Endpoint URL from your OpenID Connect provider.
- User Info Endpoint URL: Enter the User Info Endpoint URL from your OpenID Connect provider.
- Redirect URI (Callback URL): Enter the Redirect URI obtained from your OpenID Connect provider.
- Map OIDC Attributes:
- Map OrangeHRM fields to the corresponding attributes from your OpenID Connect provider (e.g., map email, username).
- Save Settings:
- Click "Save" to apply the OpenID Connect settings.
- Test the Configuration:
- Log out of OrangeHRM and try logging in again using the OpenID Connect option.
Step 4: Additional Configuration (Optional)
- User Role Mapping:
- Configure user role mapping between OrangeHRM roles and OpenID Connect groups/roles.
- Attribute Mapping:
- Map additional attributes if needed, such as first name, last name, or custom fields.
Step 5: Troubleshooting
- Logs:
- Check logs in OrangeHRM for any error messages related to the OpenID Connect configuration.
- Credentials:
- Double-check that the Client ID, Client Secret, and other details in OrangeHRM match the credentials obtained from the OpenID Connect provider.
- Redirect URI:
- Ensure that the Redirect URI in OrangeHRM matches the one configured in your OpenID Connect provider.
- Scopes and Claims:
- Confirm that the required OpenID Connect scopes and claims are correctly configured in both OrangeHRM and the provider.
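An added check (not OrangeHRM's own code) that serves both the Google section and the OpenID Connect steps above: it validates a provider's discovery document against the Issuer URL you intend to enter, flags missing or non-https endpoints and unsupported scopes, and compares the redirect URI exactly, since a trailing slash or a different host is the usual cause of the Redirect URI mismatch listed under Troubleshooting. The discovery document and the hosts idp.example.com and hrm.example.com are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document, as a provider serves it at {issuer}/.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    'issuer': 'https://idp.example.com',
    'authorization_endpoint': 'https://idp.example.com/oauth2/authorize',
    'token_endpoint': 'https://idp.example.com/oauth2/token',
    'userinfo_endpoint': 'https://idp.example.com/oauth2/userinfo',
    'jwks_uri': 'https://idp.example.com/oauth2/keys',
    'scopes_supported': ['openid', 'profile', 'email'],
    'response_types_supported': ['code'],
})

# Discovery keys and the OrangeHRM settings fields (Step 3) they are copied into.
FIELD_MAP = {
    'issuer': 'Issuer URL',
    'authorization_endpoint': 'Authorization Endpoint URL',
    'token_endpoint': 'Token Endpoint URL',
    'userinfo_endpoint': 'User Info Endpoint URL',
}

def check_discovery(doc: str, expected_issuer: str) -> list[str]:
    """Validate the provider document before its values are typed into OrangeHRM."""
    cfg = json.loads(doc)
    problems = []
    if cfg.get('issuer') != expected_issuer:  # exact match, including any trailing slash
        problems.append(f"issuer {cfg.get('issuer')!r} does not match {expected_issuer!r}")
    for key in (*FIELD_MAP, 'jwks_uri'):
        url = cfg.get(key)
        if not url:
            problems.append(f'missing {key}')
        elif urlsplit(url).scheme != 'https':
            problems.append(f'{key} is not https: {url}')
    if 'openid' not in cfg.get('scopes_supported', []):
        problems.append("provider does not advertise the 'openid' scope")
    if 'code' not in cfg.get('response_types_supported', []):
        problems.append('provider does not support the authorization code flow')
    return problems

def orangehrm_redirect_uri(host_url: str) -> str:
    """Callback URL to register with the provider: the host URL plus OrangeHRM's callback path."""
    return host_url.rstrip('/') + '/openidauth/openIdCredentials'

def redirect_uri_matches(registered: str, callback: str) -> bool:
    """Providers compare redirect URIs byte for byte: scheme, host, port, path and trailing slash."""
    return registered == callback
```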