
Hello,
We have a central portal that users are logged into. I currently have the portal pulling a list of the user's recent OTRS tickets and a link which directs them into OTRS. However, they have to log into OTRS using their username and password.
Is there an API function where I can obtain a token of some sort for a specific username and add the token to a URL which will allow me to redirect the user into OTRS while allowing them to bypass the login prompt?
Thanks,
Kris

Is there an API function where I can obtain a token of some sort for a specific username and add the token to a URL which will allow me to redirect the user into OTRS while allowing them to bypass the login prompt?
Yes.

Hi Kris,
if you are in a Kerberos environment (like Microsoft Active Directory) you could use Kerberos to authenticate the users to OTRS and they don't need to insert any usernames/passwords. I think there are some how-tos on the web on how to do this.
- Patrick
-- Steinbeis Transferzentrum Softwaretechnik Patrick Banholzer patrick.banholzer@stz-softwaretechnik.de Mobil: +49 160 5302978 Fax: +49-711 305111-12 www.stz-softwaretechnik.de Entennest 2 73730 Esslingen STZ-Leiter: Prof. Dr. Joachim Goll Zentrale: Steinbeis GmbH & Co. KG für Technologietransfer Geschäftsführung/Management Board: Prof. Dr. Michael Auer (Vorsitz/Chair), Dipl.-Kfm. Manfred Mattulat Registergericht Stuttgart, HRA 12 480 Komplementär: Steinbeis-Verwaltungs-GmbH, Registergericht Stuttgart HRB 18 715 USt-IdNr. DE 190606404

Another solution would be Shibboleth, we are using it for our agents.
Regards
Christoph

I find a simple "yes" to be such a helpful response. *sarcasm off*
I have been looking for the same solution for some time and have run across a few articles which provide some hints at how to get this done.
http://osdir.com/ml/otrs.devel/2008-06/msg00005.html - indicates that this is a combination between mod_auth_kerb and the configuration of HTTPBasicAuth, but does not specify which files specifically should be modified nor detailed instructions.
http://forums.otterhub.org/viewtopic.php?f=81&t=15422 provides a more detailed example of how to do this. This appears to be the most promising lead for me. One of the more helpful links was http://ingenious-excerpts.blogspot.fr/2011/08/apache-on-linux-and-single-sig... assuming you do not already have Samba configured on your Linux box.
https://www.mail-archive.com/otrs@otrs.org/msg29983.html appears to be a much more detailed effort at defining how to do this.
I have not tried any of these methods yet, but am going to try the last one as it looks more complete. Let me know if any of them work for you.
Marty

I find a simple "yes" to be such a helpful response. *sarcasm off*
See, :) And look what happened. The post had been sitting for a week, I say "Yes" and then everyone pipes in...
First, the question was answered because the question could only be answered with a Yes or No.
Second, nobody here pointed to the docs for external authentication.
http://otrs.github.io/doc/manual/admin/3.3/en/html/external-backends.html#cu...
I don't mind providing more information, but the question has to be better. Like, "How do I provide a way for [specific portal software] to provide external authentication to OTRS?" Instead, we have, "Is there an API ..." Sure, there's an API. But there's no practical way to answer the question as asked.
With stock OTRS, the only way to externally authenticate is via HTTPBasicAuth. Single Sign On is a bit more complicated to answer for an unknown entity.
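The HTTPBasicAuth approach named in this thread, as an added example that is not from any of the posters or from the OTRS project: a Kernel/Config.pm fragment for an OTRS instance whose web server already authenticates the browser (for example with mod_auth_kerb, as in the linked how-tos). The URL prefix, realm and keytab path are assumed placeholders; the option names follow the commented samples in stock OTRS 3.x Kernel/Config/Defaults.pm.

```perl
# Kernel/Config.pm fragment (added example, goes inside sub Load).
#
# Web server side, shown as comments because it lives in the Apache
# configuration and not in Config.pm. Apache authenticates the browser
# via Kerberos and exports the result as REMOTE_USER:
#
#   <Location /otrs>                          # assumed OTRS URL prefix
#       AuthType Kerberos
#       AuthName "OTRS"
#       KrbAuthRealms EXAMPLE.COM             # assumed realm
#       Krb5Keytab /etc/apache2/otrs.keytab   # assumed keytab path
#       KrbMethodNegotiate On                 # ticket-based login, no prompt
#       KrbMethodK5Passwd Off                 # no password fallback over Basic
#       Require valid-user
#   </Location>
#
# Checks before relying on this:
#  - OTRS trusts whatever REMOTE_USER contains, so every URL that reaches
#    index.pl or customer.pl must pass through the protected Location.
#  - Serve the Location over HTTPS only.
#  - HTTPBasicAuth only establishes who the user is; the account itself
#    must still exist in the OTRS user backend (database or LDAP sync).

# Agents: accept the identity supplied by the web server.
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';

# mod_auth_kerb reports the full principal (jdoe@EXAMPLE.COM).
# Keep only the part before "@" so it matches the OTRS login name.
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '^(.+?)@.+?$';

# Customers: same mechanism, customer backend and option prefix.
$Self->{'Customer::AuthModule'}
    = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'}
    = '^(.+?)@.+?$';
```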

Thanks Gerald. I know you do always come through with help. :)
I notice the link you provided uses RADIUS for authentication instead of the others I pointed to that use Kerberos. Would you say that this is a simpler and more supported way of handling the SSO issue?
I have LDAP integration with AD, so passwords work, but the question always comes up of “why can’t it just recognize me and take me to the page?” I find that to be a little trickier when integrating Linux into the Windows environment to the point that it scares me that I will crash my production system when trying. RADIUS would definitely be the simpler solution in my opinion to the mod_auth_kerb solution, but I value your opinion on the matter because it seems as though you have some familiarity in this regard.
Thanks again!
P.S. Yes or no are indeed the expected answers. ;)

I notice the link you provided uses RADIUS for authentication instead of the others I pointed to that use Kerberos. Would you say that this is a simpler and more supported way of handling the SSO issue?
I’m not Gerald, but I’ll speak up: No, unless you have another REALLY compelling reason to use RADIUS (like a dialup terminal server that uses it for AAA), it’s not the direction you want to go. RADIUS is REALLY complicated to get working right, and it’s increasingly rare. Kerberos/AD (AD is just an integrated Kerberos/LDAP server) is the way to go.

Hi, David,
Since I'm constantly securing Cisco VPNs via RADIUS with Windows Network Policy Server, I have a recipe that works quite well for that purpose, making the VPN logins follow desktop passwords and using AD group membership to address allowed VPN users.
I don't mind providing such information, if you're interested. However, without that information, RADIUS is indeed not for the faint of heart.

As I mentioned, I haven't set up OTRS with RADIUS. I will only be able to tell you what I know about Network Policy Server. Any other RADIUS server implementations ... I don't know how to answer the question.
The way I work NPS:
In the Client section:
- I create an arbitrary friendly name. Remember what it is.
- I include the IP address of the device asking for the request.
- I create a shared secret (remember what it is).
and I make sure Unencrypted is checked on the authentication methods (already you can see a warning herein.)
In the Policy section: I make sure that the Client Friendly name is matched (optional: and that group membership applies).
For Config.pm:
# Example configuration to authenticate customers against a RADIUS server.
# The Customer::AuthModule keys need the customer backend (CustomerAuth::Radius).
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::Radius';
$Self->{'Customer::AuthModule::Radius::Host'} = 'radiushost'; # the server providing NPS
$Self->{'Customer::AuthModule::Radius::Password'} = 'radiussecret'; # the shared secret from above
In theory, this should be adequate. If LDAP authentication works for user cred sign on, Radius should as well, for the same credentials.
Again, this is not SSO, this is only using RADIUS for authentication.
On Tue, May 13, 2014 at 11:59 AM, Darshak Modi(darshak.modi) <darshak.modi@elitecore.com> wrote:
Hi Gerald,
Sorry I jumped to this topic. I would be interested to use RADIUS for such purpose. I tried earlier but not sure how / which field Windows AD uses for password with RADIUS. I guess we need to make logical mapping of password field. In RADIUS the request comes in User-Password/CHAP Password and how to make use with AD not sure.
My RADIUS does search but it results in saying password failures. (LDAP works fine though.)

Yes, I've made SSO with LDAP/AD work, and when it does, it's so cool. It's a REAL pain (to me) to get it to work properly.
http://forums.otterhub.org/viewtopic.php?t=15422&p=59264#p77684
Note that you'll desire (likely) to use SSL in conjunction.
I notice the link you provided uses RADIUS for authentication instead of the others I pointed to that use Kerberos. Would you say that this is a simpler and more supported way of handling the SSO issue?
I would love to say, "Yes" and "I've tried it." As a SSO, not as implemented, because the module isn't set with "PreAuth=>1" (externally authenticated before asking for credentials.) RADIUS is good for authentication back end, if user provides creds.
However, if you take a look, perhaps, at mod_auth_radius, it might be usable.
What would I do? I'd protect a test folder and troubleshoot that folder. If I can web to http://myserver/protected/helloworld.html and I know it's protected, I can apply what I've learned to OTRS.

I apologize for my delayed acknowledgment, but thank you everyone for your responses. A solution hasn't been decided upon yet, but I may post details on implementation if it is unique to the ones already out there and previously mentioned.
participants (7): Darshak Modi(darshak.modi); David Boyes; Gerald Young; Kristofer Pettijohn; Marty Hillman; Ohliger, Christoph; Patrick Banholzer