Below is the recipe for getting OTRS to work with federated authentication.
I used Ubuntu 14.04, OTRS 3.3.8 and mod_auth_mellon 0.7.
OTRS OTRS is the Open-source Ticket Request System, which is a Perl application that runs on an Apache web server. OTRS has two different web interfaces:
- The The customer interface interface. This is for people who submit tickets.
- The The agent interface interface. This is for people working on tickets ('admins' if you will)
The goal is to have both interfaces use federated authentication. This is already possible with the default OTRS.
OTRS can use various authentication methods, such as a local database, or Active Directory/LDAP. It is also possible to use external authentication, in which case OTRS does not take responsibility for authentication any more, but instead relies on Apache environment headers to provide a username. The is the way forward if you want to use SAML or federated authentication, but there are some issues with.
The biggest issue is that is not However, because of the federated authentication, it is not possible to provision accounts for customers in OTRS before they have logged in. This is because there is no way to know of knowing a user's details . So we want the accounts to be auto-provisioned. This is not possible with the default OTRS, so I created a patch that adds two custom authentication methods, which are based on the bundled HTTPBasicAuth.pm methoduntil they have authenticated. To overcome this I wrote two authentication modules for OTRS.
Below is the recipe for getting OTRS to work with federated authentication using Ubuntu 14.04, OTRS 3.3.8 and mod_auth_mellon 0.7. If you manage to implement it on another combination of software, please let me know.
Prerequisites
Before you start, make sure you have these bits in place:
...
Once that is done, you should be able to authenticate by going to https://otrs.example.org/mellon.
Adding the new methods to OTRS
Download the archive and unpack it over your OTRS tree. It contains two files, both called HTTPBasicAuthMellon.pm, which go into System/Kernel/Auth and System/Kernel/CustomerAuth.
Once they're there, change your configuration (System/Config.pm) to include these statements:
| Code Block | ||||
|---|---|---|---|---|
| ||||
# Customer
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuthMellon';
# Customer user are automagically created (auto-provisioned) using the environment vars below
$Self->{'Customer::AuthModule::HTTPBasicAuthMellon::UsernameEnvVar'} = 'MELLON_eduPersonPrincipalName';
$Self->{'Customer::AuthModule::HTTPBasicAuthMellon::MailEnvVar'} = 'MELLON_mail';
$Self->{'Customer::AuthModule::HTTPBasicAuthMellon::FirstNameEnvVar'} = 'MELLON_givenName';
$Self->{'Customer::AuthModule::HTTPBasicAuthMellon::LastNameEnvVar'} = 'MELLON_sn';
$Self->{'CustomerPanelLoginURL'} = 'https://otrs.example.com/mellon/login?ReturnTo=/customer.pl';
$Self->{'CustomerPanelLogoutURL'} = 'https://otrs.example.com/mellon/logout?ReturnTo=http://www.terena.org';
# Because auto-provisioned users will all have the same e-mail address
$Self->{CustomerUser}->{CustomerUserEmailUniqCheck} = 0;
# Agents are NOT auto-provisioned. The will have to be created manually.
# To find their username, they could first log in as a customer, so that you can see their username
# in the Customer User Manager overview.
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuthMellon';
# Only this one is needed
$Self->{'AuthModule::HTTPBasicAuthMellon::UsernameEnvVar'} = 'MELLON_eduPersonPrincipalName';
$Self->{'LoginURL'} = 'https://otrs.example.com/mellon/login?ReturnTo=/index.pl';
$Self->{'LogoutURL'} = 'https://otrs.example.com/mellon/logout?ReturnTo=http://www.terena.org';
|
At this point, you should be able to log in to the site as an admin with your new account.
If you log in to the customer page, your account will be automatically created.
I don't even trust my own Perl skills, so use all of this with care 