custom cookie based Frontend::Customer::Auth authentication

Hi,

In our environment we use Cookies for single sign on. And we have Perl code that extracts the username from the cookie and authenticates the user by checking the signature embedded in the cookie.

How can such a cookie based custom SSO work with OTRS?

I am not sure if the following starting points would work and what other ways there may be.

1) Is this possible?: set Framework - Frontend::Customer::Auth to "HTTPBasicAuth" and modify Kernel/System/CustomerAuth/HTTPBasicAuth.pm to read the SSO Cookie and set my $User = ... based on the result? How would I obtain the cookie in HTTPBasicAuth.pm ?

2) Or this? : Also set HTTPBasicAuth in OTRS and process the cookie separately in Apache and set REMOTE_USER =making it look like Basic Authentication for OTRS. If yes, how can this be done?

Thank you in advance for any tips

Hello,

The first option you described is the way to go, but:

1. Definitely do not edit the existing HTTPBasicAuth module but create your own Auth module (you can create a copy of HTTPBasicAuth). Editing default OTRS modules will cause you trouble during upgrades.

2. Cookies are not the best way to implement SSO, since they can be stolen very easily.

Martin

Martin Jerga ITSM Consultant Tempest a.s. tel: +421917792942

-----Original Message-----
From: otrs [mailto:otrs-bounces@lists.otrs.org] On Behalf Of System Administrator
Sent: Saturday, August 20, 2016 8:32 PM
To: otrs@lists.otrs.org
Subject: [otrs] custom cookie based Frontend::Customer::Auth authentication

Hi,

In our environment we use Cookies for single sign on. And we have Perl code that extracts the username from the cookie and authenticates the user by checking the signature embedded in the cookie.

How can such a cookie based custom SSO work with OTRS?

I am not sure if the following starting points would work and what other ways there may be.

1) Is this possible?: set Framework - Frontend::Customer::Auth to "HTTPBasicAuth" and modify Kernel/System/CustomerAuth/HTTPBasicAuth.pm to read the SSO Cookie and set my $User = ... based on the result? How would I obtain the cookie in HTTPBasicAuth.pm ?

2) Or this? : Also set HTTPBasicAuth in OTRS and process the cookie separately in Apache and set REMOTE_USER =making it look like Basic Authentication for OTRS. If yes, how can this be done?

Thank you in advance for any tips

---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/mailman/listinfo/otrs
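An added example, not part of the thread and not OTRS code: a stand-alone Perl routine for the cookie check that a copied CustomerAuth module's Auth method could call in place of reading REMOTE_USER. The cookie name `SSO_SESSION`, the value layout `user|expiry|hex-HMAC-SHA256` and the shared key are assumptions, since the thread does not describe the real SSO cookie format; it also assumes OTRS runs with the CGI environment populated, so the browser's Cookie header is available as `$ENV{HTTP_COOKIE}`.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumptions (not from the thread): cookie name, value layout and key.
my $COOKIE_NAME = 'SSO_SESSION';             # hypothetical cookie name
my $SECRET      = 'replace-with-sso-key';    # placeholder for the SSO signing key

# Compare two strings without stopping at the first differing character.
sub constant_time_eq {
    my ( $Left, $Right ) = @_;
    return 0 if length($Left) != length($Right);
    my $Diff = 0;
    for my $i ( 0 .. length($Left) - 1 ) {
        $Diff |= ord( substr( $Left, $i, 1 ) ) ^ ord( substr( $Right, $i, 1 ) );
    }
    return $Diff == 0 ? 1 : 0;
}

# Return the login from a Cookie header, or undef if the cookie is missing,
# malformed, forged or expired. Assumed layout: user|expiry-epoch|hex-hmac.
sub user_from_sso_cookie {
    my ( $CookieHeader, $Now ) = @_;
    return undef if !defined $CookieHeader;
    my ($Value) = $CookieHeader =~ /(?:^|;\s*)\Q$COOKIE_NAME\E=([^;]*)/;
    return undef if !defined $Value;
    my ( $User, $Expires, $Mac )
        = $Value =~ /^([A-Za-z0-9._\@-]{1,64})\|(\d{1,12})\|([0-9a-f]{64})$/;
    return undef if !defined $Mac;
    # Check the signature before trusting any field, then the expiry.
    my $Expected = hmac_sha256_hex( "$User|$Expires", $SECRET );
    return undef if !constant_time_eq( $Mac, $Expected );
    return undef if $Expires <= $Now;
    return $User;
}

# Constructed sample cookies; a copied module's Auth() would pass $ENV{HTTP_COOKIE}.
my $Now   = time;
my $Good  = 'jdoe|' . ( $Now + 3600 );
my $Stale = 'jdoe|' . ( $Now - 60 );
my %Case  = (
    valid    => "lang=en; $COOKIE_NAME=$Good|" . hmac_sha256_hex( $Good, $SECRET ),
    tampered => "$COOKIE_NAME=admin|" . ( $Now + 3600 ) . '|' . hmac_sha256_hex( $Good, $SECRET ),
    expired  => "$COOKIE_NAME=$Stale|" . hmac_sha256_hex( $Stale, $SECRET ),
);
for my $Name ( sort keys %Case ) {
    my $User = user_from_sso_cookie( $Case{$Name}, $Now );
    printf "%-8s -> %s\n", $Name, defined $User ? $User : 'rejected';
}
```

The expiry field bounds how long a copied cookie stays usable, which is the concern about stolen cookies raised in the reply above.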

1) Ok, that makes sense, I will follow your advice and build a new
module based on a copy of HTTPBasicAuth.pm and see how that works.
2) Noted. The SSO cannot be replaced quickly but I'm aware it's not
ideal - it'll be a future project.
Many Thanks!!!
participants (2)
- Martin JERGA
- System Administrator