How to add DUO authentication to OTRS

Dont create your support topics here! No new topics with questions allowed!

Moderator: crythias

Forum rules
Dont create your support topics here! No new topics with questions allowed!
Post Reply
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

How to add DUO authentication to OTRS

Post by crythias »

Please note, this is cheating (a bit) and may not necessarily look clean, etc.

This is a first draft and may not be what you consider "done enough" but it gets the job done.

https://duo.com/docs/duoweb is important to follow.

add the perl Duo/Web.pm folder to Kernel/System as Kernel/System/Duo/Web.pm link to Web.pm
Also edit the package line in Web.pm to say Kernel::System::Duo::Web

and the js file (min or full, your choice, but update the html file to reflect the one you choose) to /opt/otrs/var/httpd/httpdocs/js/thirdparty/Duo/
link to js

Basically, I made a document in /opt/otrs/var/httpd/htdocs/common/duocheck.html

Code: Select all

<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
</head>
<body>
<script src="/otrs-web/js/thirdparty/Duo/Duo-Web-v2.js"></script>
<script>
const queryString = window.location.search;
const urlParams = new URLSearchParams(queryString);
const sig_request = urlParams.get('sig_request')
  Duo.init({
    'host': 'api-[yournumber here].duosecurity.com',
    'sig_request': sig_request,
    'post_action': '/otrs/index.pl?Action=Login'
  });
</script>
<iframe id="duo_iframe">
</iframe>
<style>
  #duo_iframe {
    width: 100%;
    min-width: 304px;
    max-width: 620px;
    height: 330px;
    border: none;
  }
</style>
</body>

</html>
And then added a few things to System/Web/InterfaceAgent.pm: (You probably should copy the default InterfaceAgent.pm to Custom/Kernel/System/Web/InterfaceAgent.pm and edit that version, then restart apache/your web browser to get it to see it.)

under use Kernel::System::DateTime;

Code: Select all

use Kernel::System::Duo::Web;
under $PostTwoFactorToken stuff where the GetParams are under sub Login

Code: Select all

        my $SigResponse = $ParamObject->GetParam(
                Param => 'sig_response',
                Raw => 1
        ) || '';
then changed

Code: Select all

        # create AuthObject
        my $AuthObject = $Kernel::OM->Get('Kernel::System::Auth');

        # If there's a sig_response posted, we probably should accept that it's verified
        my $User;
        if ($SigResponse ) {
                $User = Kernel::System::Duo::Web::verify_response('your_ikey', 'your_skey', 'your_akey', $SigResponse);
        } else {
        # check submitted data
        $User = $AuthObject->Auth(
            User           => $PostUser,
            Pw             => $PostPw,
            TwoFactorToken => $PostTwoFactorToken,
        );
        };
and then below...

Code: Select all

        if (!$SigResponse) {
            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
        my $sig_request = Kernel::System::Duo::Web::sign_request('your_ikey', 'your_skey', 'your_akey', $User);
        print $LayoutObject->Redirect(
                ExtURL => "/otrs-web/common/duocheck.html?sig_request=$sig_request",
        );
        return;
        }


        # login is successful
        my %UserData = $UserObject->GetUserData(
If you have questions, comments, or concerns about its use or implementation, it doesn't work, etc., please ask in the Help forum: viewtopic.php?f=62&t=41682
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Post Reply