OTRS SSO via Auth0/OIDC/Microsoft Azure

Dont create your support topics here! No new topics with questions allowed!

Moderator: crythias

crythias
Moderator
Posts: 10168
Joined: 04 May 2010, 18:38
Znuny / OTRS Version: 5.0.x
Location: SouthWest Florida, USA

OTRS SSO via Auth0/OIDC/Microsoft Azure

Post by crythias »

If you want to use Auth0 for OIDC, it's not terribly difficult, but you do have to figure out a couple of things.

Within Auth0, set up a multi-page app.

Perhaps the most important issue I struggled with is that multiple OIDC providers probably won't work on the same box. Maybe someone can figure out, but because I had all one virtualhost/config, it just didn't allow me to filter one "app" on my OTRS box and then another "app" separately.

Maybe/maybe it won't make any difference to you, but what made it work for me is protecting the entire HTML DocumentRoot (/) and then unblocking where I didn't need OIDC. For good or bad, it's the same protection for the entire website except for the exceptions.

For the OTRS side, it's pretty easy to configure. Change Kernel\Config.pm to include (for agents):

    $Self->{AuthModule} = 'Kernel::System::Auth::HTTPBasicAuth'; 
This is a banhammer type of config change. Agents are now required to be authenticated (and with OIDC, they won't actually be able to go anywhere anyway without the OIDC login).

In apache2 (httpd) / mods_enabled/auth_openidc.conf:

OIDCProviderIssuer https://[yoursite].auth0.com
OIDCProviderAuthorizationEndpoint https://[yoursite].auth0.com/authorize
OIDCProviderTokenEndpoint https://[yoursite].auth0.com/oauth/token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://[yoursite].auth0.com/userinfo

OIDCProviderMetadataURL https://[yoursite].auth0.com/.well-known/openid-configuration

OIDCClientID [your client id]

OIDCClientSecret [APP Secret]
OIDCScope "openid email profile"
OIDCRedirectURI https://path.to.your.otrs.domain/

OIDCCryptoPassphrase MakeOneUpForYourself

OIDCCookiePath /


<Location />
   AuthType openid-connect
   Require valid-user
   LogLevel debug
</Location>

<Location /otrs>
   AuthType openid-connect
   Require valid-user
   LogLevel debug
</Location>
<Files "customer.pl">
   Satisfy any
   Require all granted
</Files>
customer.pl being open to the world (if it makes sense to do that) so customers aren't locked out of being able to manage their own tickets.


You may also need to comment this out in zzz_otrs, inside <Location /otrs>:

            <IfVersion >= 2.4>
#                Require all granted
            </IfVersion>
And I changed Kernel/System/Auth/HTTPBasicAuth.pm:

    my $User       = $ENV{'OIDC_CLAIM_nickname'};


Please ask questions in the forums.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
root
Administrator
Posts: 3183
Joined: 18 Dec 2007, 12:23
Znuny / OTRS Version: Znuny LTS and 4/5/6
Real Name: Roy Kaldung
Company: Znuny

Re: OTRS SSO via Auth0/OIDC/Microsoft Azure

Post by root »

Hi,

I recommend using the proper configuration for OIDCRemoteUserClaim in the Apache configuration instead of modifying Kernel/System/Auth/HTTPBasicAuth.pm.
By using this configuration, the wanted claim's content - nickname - will be the content of httpd's REMOTE_USER.

- Roy
Znuny LTS and ((OTRS)) Community Edition CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes?
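Putting the two posts together, this is what the Apache side looks like when the claim mapping is done with OIDCRemoteUserClaim, as Roy suggests, instead of patching HTTPBasicAuth.pm, and when only the agent interface under /otrs is protected rather than the whole DocumentRoot. This is an added example, not configuration from either poster or from the Znuny/OTRS project. The tenant host, client ID, secret, hostname, the redirect path /otrs/redirect_uri and the file path in the first comment are placeholders or assumptions; replace them with your own values. Kernel/Config.pm keeps the unmodified `$Self->{AuthModule} = 'Kernel::System::Auth::HTTPBasicAuth';` from the first post.

```apache
# /etc/apache2/mods-enabled/auth_openidc.conf (assumed Debian-style path;
# adjust for other httpd layouts)

# Discovery: the metadata document supplies the issuer, authorization, token
# and userinfo endpoints, so they do not need to be listed one by one.
OIDCProviderMetadataURL https://YOUR-TENANT.auth0.com/.well-known/openid-configuration
OIDCProviderTokenEndpointAuth client_secret_post

OIDCClientID     REPLACE-WITH-CLIENT-ID
OIDCClientSecret REPLACE-WITH-CLIENT-SECRET
OIDCScope        "openid email profile"

# The redirect URI must sit inside a protected Location and must not map to
# real content; mod_auth_openidc answers it itself. /otrs/redirect_uri is an
# assumed path and must match the callback URL registered in the Auth0 app.
OIDCRedirectURI  https://otrs.example.com/otrs/redirect_uri

# Encrypts the session/state cookies; use a long random value of your own.
OIDCCryptoPassphrase REPLACE-WITH-RANDOM-PASSPHRASE
OIDCCookiePath /otrs/

# Roy's suggestion: copy the "nickname" claim into REMOTE_USER so the stock
# Kernel::System::Auth::HTTPBasicAuth reads it without a code change.
OIDCRemoteUserClaim nickname

# Protect the agent interface only, not the whole DocumentRoot.
<Location /otrs>
    AuthType openid-connect
    Require valid-user
</Location>

# Customer front end stays reachable without an OIDC login
# (Apache 2.4 syntax; replaces the "Satisfy any" from the first post).
<Location /otrs/customer.pl>
    AuthType None
    Require all granted
</Location>

# Static assets served from the /otrs-web alias (as defined by zzz_otrs)
# need no login either.
<Location /otrs-web>
    AuthType None
    Require all granted
</Location>
```

To check the result, open /otrs/index.pl in a fresh browser session: you should be sent to Auth0 and land back in the agent interface logged in as the account whose nickname matches an OTRS agent login. If Auth0 instead reports a callback URL mismatch, the OIDCRedirectURI value and the callback URL in the Auth0 application settings differ. The `LogLevel debug` from the first post is useful while getting this working, but mod_auth_openidc logs claim and token details at that level, so drop it once the flow is confirmed.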