Multi-Factor Authentication (2FA/MFA) for Snipe-IT

Last updated on October 16, 2024

Overview of MFA for Snipe-IT

The purpose of this document is to enable Rublon Two-Factor Authentication (2FA) for users logging in to Snipe-IT. In order to achieve that, you have to use Rublon Access Gateway. All required steps will be described in this document.

Supported Authentication Methods

Authentication Method	Supported	Comments
Mobile Push	✔	N/A
WebAuthn/U2F Security Key	✔	N/A
Passcode	✔	N/A
SMS Passcode	✔	N/A
SMS Link	✔	N/A
Phone Call	✔	N/A
QR Code	✔	N/A
Email Link	✔	N/A
YubiKey OTP Security Key	✔	N/A

Before you start

You need to install and configure Rublon Access Gateway itself before configuring Snipe-IT to work with it. Please read the Rublon Access Gateway documentation and follow the steps in Installation and Configuration sections. Afterward, follow the Configuration section in this document.

Configuration of MFA for Snipe-IT

Follow these steps to enable Rublon 2FA in Snipe-IT.

Snipe-IT

1. Log in to Snipe-IT.

2. Click the Admin Settings cog icon in the upper-right corner and then click the SAML tile.

Note

Admin Settings are available only to superadmins.

3. Fill in the form and click Save to add your SAML configuration. Refer to the following image and table.

SAML Integration	Check.
SAML IdP Metadata	Paste the entire contents of the metadata file from Rublon Access Gateway (Applications → Information for configuring applications with Rublon Access Gateway → DOWNLOAD METADATA).
Attribute Mapping – Username	N/A. Leave empty.
SAML Force Login	Check to make SAML the primary login. We recommend you test your integration first before checking this checkbox.
SAML Single Log Out	Check.
SAML Custom Settings	N/A. Leave empty.

4. Write down:

Entity ID
Assertion Consumer Service (ACS) URL
Single Logout Service (SLS) URL

You are going to need these values later when configuring Snipe-IT in the Rublon Access Gateway.

Note

Ensure that all Usernames of your users equal their email addresses in your IdP (authentication source).

For example, if user Bob has an email address bob@example.com assigned to them in Active Directory, then Bob’s Username in Snipe-IT must be bob@example.com.

You can change Usernames of your users at https://example.snipe-it.io/users (replace example with your subdomain).

Rublon Access Gateway

1. In the Rublon Access Gateway, go to Applications → Add application.

2. Fill in the form and click SAVE to add a new application. Refer to the following image and table.

Application name	Enter a name for the application, e.g. Snipe-IT. The name will be displayed during Rublon 2FA.
Entity ID	Enter the value of Entity ID from your SAML Settings in Snipe-IT. This is one of the values you have written down before.
Assertion Consumer Service	Enter the value of Assertion Consumer Service (ACS) URL from your SAML Settings in Snipe-IT. This is one of the values you have written down before.
Single Logout Service	Enter the value of Single Logout Service (SLS) URL from your SAML Settings in Snipe-IT. This is one of the values you have written down before.
NameID format	urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
NameID attribute	mail
Send Attributes	NameID
Signature algorithm	sha-256
Validate Authn Request	Uncheck.
Sign response	Check.
Sign assertion	Uncheck.
Certificate for signing	Select the certificate you have downloaded from Applications → Information for configuring applications with Rublon Access Gateway → DOWNLOAD CERTIFICATE.

3. Your configuration is now complete. You can log in to Snipe-IT with Rublon 2FA.

Testing MFA for Snipe-IT

1. Go to the Snipe-IT login page: https://example.snipe-it.io (replace example with your subdomain).

2. Click Login via SAML.

3. You will be redirected to the Rublon Access Gateway login page.

4. Provide your username and password. Click SIGN IN. A window will appear with a selection of various 2FA options from Rublon. Let’s choose Mobile Push.