Trying to fix SAML module "otrs-saml2sp" for 7.0

[KevP]

Hey all,

I've done a little module dev before but it was a long time ago.

I'm trying to get this OTRS 5 plug-in working on Znuny 7.0 authenticating to Azure AD: https://github.com/restena-ma/otrs-saml2sp/

I've debugged and resolved a few issues and it's now redirecting, authenticating and returning correctly, it also validates the response SAML assertion, but then I just get:

Code: Select all

ERROR: Znuny-CGI-57 Perl: 5.34.0 OS: linux Time: Tue May 9 14:40:12 2023

 Message: Need User!

 RemoteAddress: w.x.y.z
 RequestURI: /znuny/index.pl?Action=Login

 Traceback (103132):
   Module: Kernel::System::Auth::DB::Auth Line: 79
   Module: Kernel::System::Auth::Auth Line: 164
   Module: Kernel::System::Web::InterfaceAgent::Run Line: 249
   Module: ModPerl::ROOT::ModPerl::Registry::opt_znuny_bin_cgi_2dbin_index_2epl::handler Line: 39
   Module: (eval) (v1.99) Line: 207
   Module: ModPerl::RegistryCooker::run (v1.99) Line: 207
   Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 173
   Module: ModPerl::Registry::handler (v1.99) Line: 32

ERROR: Znuny-CGI-57 Perl: 5.34.0 OS: linux Time: Tue May 9 14:40:12 2023

 Message: Need UserLogin or UserID!

 RemoteAddress: w.x.y.z
 RequestURI: /znuny/index.pl?Action=Login

 Traceback (103132):
   Module: Kernel::System::User::UserLookup Line: 1001
   Module: Kernel::System::Auth::Auth Line: 259
   Module: Kernel::System::Web::InterfaceAgent::Run Line: 249
   Module: ModPerl::ROOT::ModPerl::Registry::opt_znuny_bin_cgi_2dbin_index_2epl::handler Line: 39
   Module: (eval) (v1.99) Line: 207
   Module: ModPerl::RegistryCooker::run (v1.99) Line: 207
   Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 173
   Module: ModPerl::Registry::handler (v1.99) Line: 32

It's nearly there, just need to get the plug-in to do the last step and pass user details over to Znuny. Response handler code is here: https://github.com/restena-ma/otrs-saml ... esponse.pm

Any help with this would be appreciated, especially if you've worked with the authentication part of Znuny.

[root]

Hi,

I never used this module in production, but if you are not required to have multiple authentication methods, I recommend using mod_auth_mellon for SAML authentication.

- Roy

[KevP]

Okay I've set that up now and it works fine for Agent logins but not for customers. I will need customer portal to work in the future, so I still think the SAML module is a better and easier to deploy solution.

Any help with it from anyone would be appreciated, hopefully it's an easy fix.

[root]

Hi,

The module you mentioned works only for agents. That's why I recommend mod_auth_mellon.

- Roy

[KevP]

Sorry, I was not clear. I only want SAML for Agents, the customer portal will be public facing and no SSO is required. Therefore the mod_mellon_auth isn't right for me in the long run (as it enforces SSO on both Agent and Customer portals) and hence why I'm still looking to patch the "otrs-saml2sp" module.

[root]

Hi,

My bad. The trick with mod_auth_mellon is pretty simple when you want it only for agents. You protect index.pl (agent interface) with
<Location /znuny/index.pl>
</Location>
via the Apache configuration.

I do not recommend to apply it to / or /otrs since every request has to pass it or for the later on the generic interface and public FAQ would be blocked.

- Roy

[KevP]

I'll give that a go Roy, thanks.

[KevP]

No luck Roy,

If I change the apache conf file to use that location then for ALL requests I get an apache error of:

Code: Select all

[Thu May 11 08:40:52.513712 2023] [auth_mellon:error] [pid 1226] [client w.x.y.z:55522] Error, URI "/mellon/login" has no IdP's defined, referer: https://securityissues.viotas.com/znuny/index.pl

and the same for all URLs, customer or agent.

I also commented out the lines in Config.pm relating to the customer portal redirect and deleted the cache to no effect.

From a quick search it's something to do with URL rewrite, but not sure if Znuny uses that.

[root]

Hi,

Can you post the relevant parts of your Apache configuration?

- Roy

[KevP]

With the server name redacted:

Code: Select all

cat /etc/apache2/conf-enabled/auth_mellon.conf
<location /znuny/index.pl>
MellonSPPrivateKeyFile /etc/apache2/mellon/mellon.key
MellonSPCertFile /etc/apache2/mellon/mellon.cert
MellonSPMetadataFile /etc/apache2/mellon/mellon_metadata.xml
MellonIdPMetadataFile /etc/apache2/mellon/AzureAD_metadata.xml
MellonEndpointPath /mellon
MellonEnable "info"
</Location>

Code: Select all

cat /etc/apache2/mods-enabled/auth_mellon.conf
# MellonCacheSize sets the maximum number of sessions which can be active
# at once. When mod_auth_mellon reaches this limit, it will begin removing
# the least recently used sessions.
# Default: MellonCacheSize 100
#MellonCacheSize 100

# MellonPostDirectory is the full path of a directory where POST requests
# are saved during authentication. This directory must writeable by the
# Apache user. It should not be writeable (or readable) by other users.
MellonPostDirectory "/var/cache/apache2/mod_auth_mellon/"

Code: Select all

grep "AuthModule\|mellon" /opt/otrs/Kernel/Config.pm
    #$Self->{'Customer::AuthModule'}   = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
    #$Self->{'CustomerPanelLoginURL'}  = 'https://<servernameredacted>/mellon/login?ReturnTo=/znuny/customer.pl';
    #$Self->{'CustomerPanelLogoutURL'} = 'https://<servernameredacted>/mellon/logout?ReturnTo=http://<servernameredacted>';
    $Self->{'AuthModule'}             = 'Kernel::System::Auth::HTTPBasicAuth';
    $Self->{'LoginURL'}               = 'https://<servernameredacted>/mellon/login?ReturnTo=/znuny/index.pl';
    $Self->{'LogoutURL'}              = 'https://<servernameredacted>/mellon/logout?ReturnTo=http://<servernameredacted>';

[root]

Thanks.

Ok, here it is. Here is a configuration we use in production:

Code: Select all

<Location />
    MellonEnable info
    MellonEndpointPath /mellon/
    MellonSPMetadataFile /etc/httpd/SP.xml
    MellonSPPrivateKeyFile /etc/httpd/SP.key
    MellonSPCertFile /etc/httpd/SP.cert
    MellonIdPMetadataFile /etc/httpd/idp-metadata.xml
    ErrorDocument 404 /znuny/customer.pl
</Location>
# This is a location that will trigger authentication when requested.
<LocationMatch /znuny/(index|customer).pl>
    AuthType Mellon
    MellonEnable auth
    Require valid-user
</LocationMatch>

This should replace the first part of your configuration.

- Roy

[KevP]

Didn't spot the mellon config in /etc/apache2/conf-enabled/zzz_znuny.conf also, removed that.

Works perfectly now, thanks!

[KevP]

For future visitors:

Code: Select all

cat /etc/apache2/conf-enabled/auth_mellon.conf
<location />
    MellonSPPrivateKeyFile /etc/apache2/mellon/mellon.key
    MellonSPCertFile /etc/apache2/mellon/mellon.cert
    MellonSPMetadataFile /etc/apache2/mellon/mellon_metadata.xml
    MellonIdPMetadataFile /etc/apache2/mellon/AzureAD_metadata.xml
    MellonEndpointPath /mellon
    MellonEnable "info"
</Location>

# This is a location that will trigger authentication when requested.
<LocationMatch /znuny/index.pl>
    AuthType Mellon
    MellonEnable auth
    Require valid-user

    MellonDecoder "none"
    MellonVariable "cookie"
    MellonSecureCookie On
    MellonUser "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
</LocationMatch>

[root]

Hi,

Just wanted to note that the MellonUser depends on your IdP and the choosen NameIDFormat. And not everyone is using Azure.

- Roy

[aykj3757]

Hello ,
I trying to setup the application to authenticate using Azure AD SAMl2 for Agent only , but after auth i'm getting a Bad request browser sent a request that this server could not understand .
and the ss_error file is showing
[auth_mellon:error] [pid 25547:tid 25686] [client x.x.x.x:59896] Missing required ReturnTo parameter.,

I'm not sure , but seems to be an issue with the MellonSPMetadatafile.

Anyone can share how the MellonSPMetadafile should be coinfigured while using Microsoft Entra ID as IDP
I ll be insteresteed too required changed into file HTTPBasciAuth.pm

Thanks and regards

[KevP]

Have you set up the /opt/otrs/Kernel/Config.pm file like I did above, with the ReturnTo URL parameters?

[root]

Hi,

The auth_mellong error comes from the mod_auth_mellon. There is something wrong with your configuration or metadata.
There is no configuration required for mod_auth_mellon in the Kernel/Config.m, except if you want to use the unmaintained otrs-saml2sp module mentioned in the initial post.

- Roy

[aykj3757]

Thank you for you response. But how user credential are sent to index.pl then ? Env variables are set somewhere ?

[root]

Thank you for you response. But how user credential are sent to index.pl then ? Env variables are set somewhere ?

Hi,

The username is presented via REMOTE_USER environment variable, therefore you have to use AuthModule HTTPBasicAuth

- Roy