auto-login for customers

Hello, I would like to auto-login into "customer.pl" by clicking on a link in our CRM. I see that a quick way is passing user/pass in the URL, but it's not a security best practice. Would it be correct to obtain an auto-login without:
- storing the password on the source system
- passing it in the URL
I searched the documentation and found nothing. Does a native way to perform this exist, or not? Thanks, Matteo

Hi,

On 25.08.2017 18:54, Matteo Sgalaberni wrote:
I would like to auto-login into "customer.pl" by clicking on a link on an our CRM. I see that a quick way is it passing user/pass to the URL, but it's not a security best practice.
I would recommend a real single sign on. You'll find an example (Apache, Kerberos + LDAP) here [1].

Kind regards
--
Florian

[1] https://active-directory-wp.com/docs/Networking/Single_Sign_On/Kerberos_SSO_...

From: "Florian Edlhuber"
To: "otrs" Sent: Monday, August 28, 2017 8:01:13 AM Subject: Re: [otrs] auto-login for customers
I would recommend a real single sign on. You'll find an example (Apache, Kerberos + LDAP) here: https://active-directory-wp.com/docs/Networking/Single_Sign_On/Kerberos_SSO_...
Yes, it's a way, but it has a different approach. I see that feature in lots of projects, and it discourages saving the user's password somewhere when you have to manage this type of integration. For example, Plesk: https://support.plesk.com/hc/en-us/articles/213411289-How-to-create-autologi...

For OTRS, I submitted the idea at https://otrsteam.ideascale.com/a/idea-v2/543907 in case someone else in the world needs it. Vote for it.

A disruptive but interesting way to increase awareness of this security aspect would be to remove, in a future release, the capability of auto-login by passing the "user/password" to the customer.pl login form. I think that the project will collect lots of complaints... but all these unhappy people were saving the passwords of their users and passing them in clear text in a URL...

Regards, M.
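Matteo asks for an autologin link that neither stores the customer's password in the CRM nor carries it in the URL. The following is an added illustration of one such design (a short-lived, single-use, HMAC-signed link), not OTRS code and not a feature the thread says exists; the parameter names, the shared secret and the 60-second lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Secret shared between the CRM (issuer) and the portal (verifier). Constructed
# placeholder for this example; a real deployment generates it once and keeps it
# on both systems only, never in a link.
SHARED_SECRET = b"constructed-example-secret-not-for-production"
TOKEN_TTL = 60  # seconds a link stays valid (assumed value)

def _sign(login: str, expires: int, nonce: str) -> str:
    """HMAC-SHA256 over login|expiry|nonce, so none of them can be altered."""
    msg = f"{login}|{expires}|{nonce}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()

def make_autologin_url(base_url: str, login: str, now: Optional[int] = None) -> str:
    """CRM side: build a link that identifies the customer but carries no password."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL
    nonce = secrets.token_urlsafe(16)  # makes every link unique and single-use
    params = {"login": login, "exp": expires, "nonce": nonce,
              "sig": _sign(login, expires, nonce)}
    return f"{base_url}?{urlencode(params)}"

_used_nonces = set()  # replay protection; a real portal would persist this

def verify_autologin_url(url: str, now: Optional[int] = None) -> Optional[str]:
    """Portal side: return the login name if the link is authentic, unexpired and unused."""
    now = int(time.time()) if now is None else now
    q = parse_qs(urlparse(url).query)
    try:
        login, exp, nonce, sig = (q[k][0] for k in ("login", "exp", "nonce", "sig"))
        expires = int(exp)
    except (KeyError, ValueError):
        return None  # malformed link
    # Check the signature first, in constant time, before trusting any field.
    if not hmac.compare_digest(sig, _sign(login, expires, nonce)):
        return None  # tampered, or signed with a different secret
    if now > expires or nonce in _used_nonces:
        return None  # expired, or the same link used twice
    _used_nonces.add(nonce)
    return login
```

The portal still has to map the verified login name to its own customer record and open a normal session; the link itself proves only that the CRM vouched for that customer within the last minute.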

We use ADFS with OTRS which is fully transparent, there isn’t even a username/password form to fill. Regards, Sander

Hi Matteo,
Did you think about AD/LDAP integration in OTRS?
www.youtube.com/watch?v=7iAcNjIi2Bo
Best Regards,
Sujeeva Tissaarachchi
From: Matteo Sgalaberni
participants (4)
- Florian Edlhuber
- Matteo Sgalaberni
- Sander Goudswaard
- Sujeeva Tissaarachchi