Odoo is a suite of business management software tools including, for example, CRM, e-commerce, billing, accounting, manufacturing, warehouse, project management, and inventory management.
This guide explains how to authenticate your Odoo users using LemonLDAP::NG's SAML provider.
Make sure you have set up LemonLDAP::NG as a SAML IDP.
Odoo requires your public SAML Signature key to be in BEGIN CERTIFICATE format. If this is not the case, you need to convert your SAML key to a certificate.
Odoo requires LL::NG 2.0.14 in order to handle RelayState correctly.
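One way to check the certificate requirement before pasting the IDP metadata into Odoo is to inspect its signing KeyDescriptor. The script below is an added example, not part of LemonLDAP::NG or the auth_saml module. It assumes a non-certificate key is published as a ds:KeyValue element; the function names and the sample metadata are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_key_forms(metadata_xml):
    """Classify each IdP signing key as 'certificate', 'bare-key' or 'unknown'."""
    if "<!DOCTYPE" in metadata_xml:
        # SAML metadata never needs a DTD; refuse it rather than expand entities.
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(metadata_xml)
    forms = []
    for idp in root.iter("{%s}IDPSSODescriptor" % MD):
        for kd in idp.findall("md:KeyDescriptor", NS):
            # No 'use' attribute means the key serves signing and encryption.
            if kd.get("use", "signing") != "signing":
                continue
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and (cert.text or "").strip():
                forms.append("certificate")
            elif kd.find("ds:KeyInfo/ds:KeyValue", NS) is not None:
                forms.append("bare-key")
            else:
                forms.append("unknown")
    return forms

def ready_for_odoo(metadata_xml):
    """True when at least one signing key exists and all are certificates."""
    forms = signing_key_forms(metadata_xml)
    return bool(forms) and all(f == "certificate" for f in forms)

# Constructed sample metadata (placeholder key material, not real keys).
def sample(key_info):
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="urn:example:idp">'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:KeyDescriptor use="signing"><ds:KeyInfo>%s</ds:KeyInfo></md:KeyDescriptor>'
            '</md:IDPSSODescriptor></md:EntityDescriptor>') % (MD, NS["ds"], key_info)

WITH_CERT = sample("<ds:X509Data><ds:X509Certificate>PLACEHOLDER"
                   "</ds:X509Certificate></ds:X509Data>")
WITH_BARE_KEY = sample("<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>PLACEHOLDER"
                       "</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>"
                       "</ds:RSAKeyValue></ds:KeyValue>")

if __name__ == "__main__":
    for name, doc in (("certificate", WITH_CERT), ("bare key", WITH_BARE_KEY)):
        print(name, "->", signing_key_forms(doc), ready_for_odoo(doc))
```

A result of 'bare-key' means the IDP signature key still has to be converted to a certificate before the metadata is copied into Odoo.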
On the Odoo side, you need to install the auth_saml module from OCA.
This module requires the xmlsec1 python dependencies.
After installing the module, you will see two new menus in the Odoo admin:
- Settings » Users & Companies » SAML Providers
- And a new SAML tab in Settings » Users & Companies » Users
Creating a new SAML Provider
Create a new SAML provider in Settings » Users & Companies » SAML Providers
- Choose a name
- Copy the metadata from https://auth.example.com/saml/metadata/idp in the Identity Provider Metadata field
- Import a certificate and a private key in the Odoo Public Certificate and Odoo Private Key fields
To generate a key/certificate pair, you can run the following command:
openssl req -x509 -newkey rsa:4096 -keyout odoo-key.pem -out odoo-cert.pem -sha256 -days 3650 -nodes
- Select a signature method in the Signature Algorithm field, such as SIG_RSA_SHA256
- If you do not want to use the email address to match between LL::NG and Odoo accounts, set the Identity Provider matching attribute to a different value
- All other fields may be left to default values
For each user you want to enable SAML on, you need to edit them in Settings » Users & Companies » Users
In the SAML tab, set the SAML provider you just created, and their email address as the identifier.
Add a new SAML Service Provider to the LemonLDAP::NG configuration with the following parameters:
- Metadata
  - Copy the Metadata found at the URL referenced in Odoo’s Settings » Users & Companies » SAML Providers menu » Your provider » Metadata URL
- Exported Attributes
  - Declare the attribute that you set in Odoo’s Identity Provider matching attribute
  - If you are using the email, you don’t need to declare anything