I was asked to document our steps to 'Shibbolize' our OTRS install.
At this point it is only used for Agents - we have yet to address the customer portion of OTRS.
This document assumes that you have a working Shibboleth service.
In your Apache conf file:
<Location /otrs>
    # Declare type of authentication
    AuthType shibboleth
    # Require Shib Session
    ShibRequireSession On
    # Require user to meet all require directives
    ShibRequireAll On
    # Require any valid ID
    require valid-user
    ErrorDocument 403 /otrs/index.pl
    SetHandler perl-script
    PerlResponseHandler ModPerl::Registry
    Options +ExecCGI
    PerlOptions +ParseHeaders
    PerlOptions +SetupEnv
    Order allow,deny
    Allow from all
</Location>
In Config.pm set this:
$Self->{AuthModule} = 'Kernel::System::Auth::HTTPBasicAuth';
Because we wanted to use id as the login rather than id@example.com, we use this to strip out the @example.com part:
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '^(.+?)@.+?$';
This allows Single Sign On but only for Authentication - you still need to add the Agents to the local DB for Authorization.
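An added example, not part of the original post, that checks what the ReplaceRegExp above does to different REMOTE_USER values before they are looked up as agent logins. It assumes the auth module applies the pattern as s/$ReplaceRegExp/$1/; the scoped pattern, the sample values and the agent list are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern from the post, and a stricter variant (assumption, not from the post)
# that strips only the one scope the local agent logins are meant to come from.
my $page_re   = '^(.+?)@.+?$';
my $scoped_re = '^(.+?)\@example\.com$';

# Assumed to mirror how the auth module applies ReplaceRegExp: s/$re/$1/.
# A value that does not match the pattern is passed through unchanged.
sub map_login {
    my ($remote_user, $re) = @_;
    (my $login = $remote_user) =~ s/$re/$1/;
    return $login;
}

# Constructed sample REMOTE_USER values.
my @samples = (
    'jdoe@example.com',           # expected scope
    'jdoe@partner.example.org',   # same local part, different scope
    'jdoe',                       # no scope at all
    'j.doe@dept@example.com',     # more than one '@'
);

# Hypothetical agent logins present in the local OTRS DB.
my %agents = map { $_ => 1 } qw(jdoe);

printf "%-26s | %-38s | %s\n", 'REMOTE_USER', 'page regex', 'scoped regex';
for my $remote_user (@samples) {
    my @cols;
    for my $re ($page_re, $scoped_re) {
        my $login = map_login($remote_user, $re);
        my $state = $agents{$login} ? 'matches agent' : 'no agent';
        push @cols, "$login ($state)";
    }
    printf "%-26s | %-38s | %s\n", $remote_user, @cols;
}
```

With the pattern from the post, every scope collapses to the bare id, so jdoe@partner.example.org maps to the same agent as jdoe@example.com. If only the example.com scope can ever reach /otrs the two patterns behave the same; the scoped one matters when more than one identity provider can.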
A little note about authentication with Shibboleth: I had to create an additional Auth Module based on HTTPBasicAuth.pm because our Shibboleth installation writes another environment variable instead of $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER}. All I did was copy HTTPBasicAuth.pm to another file and replace $ENV{HTTP_REMOTE_USER} with $ENV{my_enviroinment_var}.
cheers
Several OTRS 2.4 and 3.0 installations. All on CentOS /w Apache & MySql.
This is excellent! Have you figured out how to address the customer portion? I noticed that if you use the HTTPBasicAuth, then your customers are forced to also go through the Shibboleth authentication. My customers are external so they do not have a Shibboleth account. I would like for OTRS to continue using the local DB for my customers.