Any way to integrate FreePBX UserMan with SAML?

I was looking at how FreePBX User Management can authenticate against an Active Directory server or LDAP.

At our company, we don’t use those; instead we authenticate into our Windows 10 PCs and into online SaaS like Freshdesk (our ticket system) using Office 365 / Azure “SAML”. I think lots of other Identity-as-a-Service sites like OneLogin, Okta, FoxPass etc. use SAML.

With our Freshdesk site, for example, we point it to our Office 365 tenant, and the Freshdesk login page is then intercepted by a Microsoft-hosted log in page instead. Our users simply put in their corporate O365 email address and password, and it authenticates them. SAML can also pass attributes to the application using it.

  1. If I don’t have an Active Directory or LDAP server, is there any way to sync up our O365 user attributes with FreePBX? Can our O365-hosted Exchange server communicate any information to User Management, or vice versa?

  2. Can FreePBX do anything with SAML yet, or could it be considered as a feature request? I’ve attached some screenshots below to show how the process looks:

It can theoretically do anything. You can open a feature request for this but it will be put on the back burner. If you want to submit the work yourself we will be more than willing to accept it.


Fair enough, if we do development we’ll submit it.

As a band-aid for now, is there any way to use Asterisk/FreePBX APIs to get the email address of a user, assuming it is entered into either “voicemail email” in Extensions, or “email address” in User Management?

This would be sort of a quick and dirty way to give apps a Single-Sign-On, since email addresses are a good identifier to rally around. For example, our Salesforce app already knows the email address of the user logged in. If the app could ask Asterisk or FreePBX API “hey, [email protected] is using this app, what is his extension and default DID?” then that’d do the trick.

You could try from bash

mysql -sN -uyouruser -pyourpassword -D asterisk -e "select substr(substring_index(destination,',',2),locate(',',destination)+1),extension from incoming where destination like '%$(grep [email protected] /etc/asterisk/voicemail.conf|awk '{print $1}')%'"

#!/usr/bin/env php
<?php
// Bootstrap the FreePBX framework; stop if the configuration cannot be loaded.
if ((@include '/etc/freepbx.conf') === false) {
    echo "Failed to include configuration\r\n";
    exit(1);
}
print_r(FreePBX::Userman()->getUserByEmail("[email protected]"));

    [id] => 13
    [auth] => freepbx
    [authid] =>
    [username] => 1002
    [description] =>
    [password] => 
    [default_extension] => 1002
    [primary_group] => p
    [fname] => John
    [lname] => Doe
    [displayname] => John Doe
    [title] => Tester
    [company] => Sangoma
    [department] => QA
    [email] => [email protected]
    [cell] => 6025551212
    [work] => 1212
    [home] => 6025558576
    [fax] => 6025559899

Thank you both, I’ll give those a try. They can be executed through ARI, right?

I did find an alternate way; using the ARI command “database show” will output the information on all users; oddly it does not include information on the FreePBX User Email, nor the Voicemail Notification Email, but it does show the dictation email if you enter one:

database show

/AMPUSER/1234/dictate/email : [email protected]

The Salesforce app knows the email of the person logged in, so I was going to have it run the “database show” command and find a matching Dictate email, in order to figure out which extension it belongs to. I’ll try your method though.

No. This is PHP

This isn’t odd. You are talking about two different databases. AsteriskDB (Used for Asterisk) and Asterisk In MySQL (used for FreePBX)

Email addresses can appear in various places in FreePBX/Asterisk: as @tm1000 said, the mysql tables, the asterisk sqlite3 astdb and also the flat-form text file voicemail.conf, which I used. If you rigorously populate the Usermanager database’s work field appropriately with your “primary DID”, then you could rewrite my bash line more simply as:

mysql -sN -uyouruser -pyourpassword -D asterisk -e "select work,default_extension from freepbx_users WHERE email='[email protected]'"

The php version is in effect a wrapper around effectively the same mysql WHERE query but selects all the fields.

So choose your language and which of the various email addresses you want to “pin” your query to, and generate the URI that your CRM likes to see.
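
An added example (not code from the thread or from FreePBX): the email-to-extension lookup from the last post done with a bound parameter, so an address supplied by an external app such as a CRM never becomes part of the SQL text. An in-memory SQLite table stands in for the MySQL `freepbx_users` table; the function names, sample rows and addresses are constructed for illustration.

```python
import re
import sqlite3

# Conservative shape check only; this is not full RFC 5322 validation.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}")


def build_demo_db():
    """In-memory stand-in for freepbx_users with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE freepbx_users "
        "(id INTEGER PRIMARY KEY, email TEXT, work TEXT, default_extension TEXT)"
    )
    conn.executemany(
        "INSERT INTO freepbx_users VALUES (?, ?, ?, ?)",
        [
            (13, "jdoe@example.test", "1212", "1002"),
            (14, "shared@example.test", "1300", "1003"),
            (15, "shared@example.test", "1400", "1004"),
        ],
    )
    return conn


def lookup_extension(conn, email):
    """Return (work, default_extension) for exactly one user, otherwise None."""
    email = email.strip()
    if not EMAIL_RE.fullmatch(email):
        return None  # reject anything that is not shaped like an address
    # The address is passed as a bound parameter and never concatenated into
    # the SQL string. sqlite3 uses "?"; MySQL drivers typically use "%s".
    rows = conn.execute(
        "SELECT work, default_extension FROM freepbx_users "
        "WHERE lower(email) = lower(?)",
        (email,),
    ).fetchall()
    # An address shared by several users cannot identify one extension.
    if len(rows) != 1:
        return None
    return rows[0]


if __name__ == "__main__":
    db = build_demo_db()
    print(lookup_extension(db, "jdoe@example.test"))
    print(lookup_extension(db, "x' OR '1'='1"))
```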