
Hi,

I am a seasoned maintainer of the OTRS installation at the Croatian University Computing Centre in Zagreb (Srce, http://www.srce.hr/english/index.html). I've made some smaller contributions to OTRS earlier, and now I would like to enable users from all over Europe (eduGAIN) to use their credentials to access this OTRS installation, and possibly others.

I have two questions:

1) Which is the best way to accomplish that?

2) Is anybody interested in including that feature in the OTRS code base?

For the first, we're experimenting with an excellent PHP package called simpleSAMLphp to add support for sign-on through a SAML-based service (that is mandatory). Support for OASIS SAML is much more mature in PHP than it is in Perl (currently, in my opinion). So we took the path of using PHP for that purpose, through a mechanism of HTTP redirects and HTML form redirects (JavaScript submit actions). On the server side we're using the PHP::Session Perl module to access the session data created by the PHP code, which handles session creation automatically. It's a bit messy, though it works fine.

So, a module called Kernel::System::Auth::simpleSAMLphpCustomerAuth.pm (for example, made as a copy of LDAP.pm) checks what it has in the session variables, which it accesses through the methods provided by the PHP::Session module, and if everything is OK, it gives access to the authenticated user.

Since the relation between OTRS and the Customer is nontrivial, I think it would be good to create a local user account in the database. Right?

For Agent Users we do it the same way -- just an additional check of the session state is made (user_entitlement). Only the enrollment is done automatically; activating group membership / adding privileges is to be carried out manually later on by a real Agent Administrator User. Would that be OK?

I would like to do it nice and clean, so any help is welcome!

Kind regards,
Damir Dzeko
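The PHP-to-Perl session handoff the post describes, as an added stand-alone example that is neither the poster's module nor part of the OTRS code base. It assumes that the PHP glue code, after simpleSAMLphp's authentication check has succeeded, copies the attributes it trusts into plain $_SESSION keys named saml_uid, saml_mail and user_entitlement (multi-valued attributes joined with ';'), that PHP uses file-based sessions with the default "php" serialize handler (the format PHP::Session parses), that the session id arrives in the PHPSESSID cookie, and that a hypothetical entitlement URN marks Agents. The functions are what the Auth() method of a Kernel::System::Auth::* module would call with the request's Cookie header; the sample session file at the bottom is constructed so the script runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use PHP::Session;

# Assumed value that marks an Agent; a real deployment would take the URN
# from the federation's attribute policy.
my $AGENT_ENTITLEMENT = 'urn:mace:example.org:otrs:agent';

# Pull PHPSESSID out of a raw Cookie header and accept only a plain token,
# so the value can never become "../" by the time it is used to build the
# sess_<id> file name on disk.
sub session_id_from_cookie {
    my ($cookie_header) = @_;
    return unless defined $cookie_header;
    my ($raw) = $cookie_header =~ /(?:^|;\s*)PHPSESSID=([^;]*)/;
    return unless defined $raw;
    my ($sid) = $raw =~ /\A([0-9A-Za-z,-]{16,128})\z/;
    return $sid;    # undef when the cookie value is not a clean token
}

# Open the PHP session file and return the attributes the glue code stored,
# or undef when there is no such session or it carries no authenticated uid.
sub saml_principal {
    my ($sid, $save_path) = @_;
    my $session = eval { PHP::Session->new($sid, { save_path => $save_path }) };
    return unless $session;
    my $uid = $session->get('saml_uid');
    return unless defined $uid && length $uid;
    return {
        Login       => $uid,
        Email       => $session->get('saml_mail'),
        Entitlement => $session->get('user_entitlement'),
    };
}

# The decision an Auth() method would make: the login of an authenticated
# user, or nothing. Agents must additionally carry the entitlement value.
sub authenticate {
    my (%Param) = @_;
    my $sid = session_id_from_cookie($Param{CookieHeader}) or return;
    my $principal = saml_principal($sid, $Param{SavePath}) or return;
    if ($Param{RequireAgentEntitlement}) {
        my @ents = split /;/, ($principal->{Entitlement} // '');
        return unless grep { $_ eq $AGENT_ENTITLEMENT } @ents;
    }
    return $principal->{Login};
}

# Constructed sample: a session file in the shape PHP's default serialize
# handler writes (key|s:<len>:"<value>";), standing in for what the
# simpleSAMLphp glue would leave behind after a successful login.
sub write_sample_session {
    my ($save_path, $sid, %vars) = @_;
    open my $fh, '>', "$save_path/sess_$sid" or die "cannot write session: $!";
    print {$fh} map { sprintf('%s|s:%d:"%s";', $_, length $vars{$_}, $vars{$_}) }
        sort keys %vars;
    close $fh;
}

my $dir = tempdir(CLEANUP => 1);
my $sid = 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6';
write_sample_session($dir, $sid,
    saml_uid         => 'jdoe@example.org',
    saml_mail        => 'jdoe@example.org',
    user_entitlement => $AGENT_ENTITLEMENT,
);

my $cookie = "lang=hr; PHPSESSID=$sid";
printf "customer login: %s\n",
    authenticate(CookieHeader => $cookie, SavePath => $dir) // '(denied)';
printf "agent login:    %s\n",
    authenticate(CookieHeader => $cookie, SavePath => $dir, RequireAgentEntitlement => 1) // '(denied)';
printf "tampered id:    %s\n",
    authenticate(CookieHeader => 'PHPSESSID=../../etc/passwd', SavePath => $dir) // '(denied)';
```

The session file is the trust boundary in this design: the Perl side believes whatever it finds there, so the PHP glue must write the saml_* keys only after simpleSAMLphp has confirmed the login, must clear them on logout, and both processes need the same session.save_path with permissions that keep other local users away from it. The local-account enrollment the post asks about would sit after authenticate() returns a login; it is left out here because the user-management calls differ between OTRS versions.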