Administrative Logins using SSO

We have more and more FreePBX boxes, and likely more on the way and I am wondering what the best way to manage them could be? We will have roughly 20 admins that will need various access to different modules. The built in controls work fine for this, but how do I propagate this across the multiple boxes, so I don’t have manage access manually?

Also is there a SSO option? Many vendor apps we are using are starting to integrate in a basic way with Microsoft 365 for example. We would need to put “user2056” on the box, but they could sign in with their Microsoft 365 credential (which is also “user2056”) and then they are logged into the matching local account.

What are others doing in this space? Any ideas that anyone can share? Thanks in advance!

  • Enter their user name and permissions and it populates across all boxes
  • One credential to use across all boxes, with a password that stays up to date when changed.

No SSO option that I’m aware of, but AD/LDAP integration was easy to setup in my pbxact systems. Group membership can control admin privilege with the same granularity that is offered by direct users.

If you are pure O365/AzureAD (no onsite AD) it gets more complicated, but still possible with AzureAD’s ldap connectors.

I’d still recommend having one local admin user as a break-glass account in case a system can’t access the directory.

1 Like

Do you have any guidance on how to do this? Documents? Thanks!

Not a lot of guidance past what’s in the freepbx wiki

The second link covers using fwconsole userman to sync the directory (ie something like fwconsole userman --sync 2 --force --verbose) which will be invaluable when first setting up and debugging.

There’s a link from the first article to an offsite resource on writing ldap filters/queries, which is fairly good. If you don’t have experience writing ldap filters/queries you’ll have a lot of reading ahead of you, they’re extremely flexible but as a result highly dependent on your goals and how your directory is organized.

I tried to keep mine simple, so for my setup I filter users for membership in a “voip users” group, and then synchronize groups that are in a “voip groups” OU.
Once synchronized, apply permissions to the groups pulled from the directory in userman.
My user and group filters look something like (some psuedo code/from memory here, don’t use verbatim)

User DN =
User object filter = (&(objectCategory=Person)(userPrincipalName=*)(memberOf=cn=voip users,CN=Users,DC=company,DC=com))

Group DN = ou=voip groups
Group object filter = objectCategory=group

I could never get authentication to work on other values than sAMAccount, I really wanted to be able to use upn so users would login with their email account, but was never able to get it to work.

If you’re only using AD for admins and not end users/extensions, you’ll want to make sure to disable “Create Missing Extensions”

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.