SSO OK, but not possible to automagically create customers

Moderator: crythias

dnmvisser
Znuny newbie
Posts: 12
Joined: 19 Aug 2014, 18:21
Znuny Version: 3.3.8

SSO OK, but not possible to automagically create customers

Post by dnmvisser »

Hi

I managed to get OTRS working with mod_auth_mellon, the authentication module for apache.
This module authenticates a user against a SAML2 IdP and populates environment vars like REMOTE_USER.
At first I had some troubles because I wasn't aware that OTRS has two distinct user groups, namely agents and customers.
To bootstrap things, I created a bunch of agent and customer accounts in default mode (i.e. using the database, as root@localhost).
Then I configured OTRS like this:

        $Self->{'Customer::AuthModule'}   = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
        $Self->{'CustomerPanelLoginURL'}  = 'https://bartali.terena.org/mellon/login?ReturnTo=/customer.pl';
        $Self->{'CustomerPanelLogoutURL'} = 'https://bartali.terena.org/mellon/logout?ReturnTo=http://www.terena.org';

        $Self->{'AuthModule'}             = 'Kernel::System::Auth::HTTPBasicAuth';
        $Self->{'LoginURL'}               = 'https://bartali.terena.org/mellon/login?ReturnTo=/index.pl';
        $Self->{'LogoutURL'}              = 'https://bartali.terena.org/mellon/logout?ReturnTo=http://www.terena.org';

This seems to work. https://bartali.terena.org/customer.pl can be accessed by customers, and https://bartali.terena.org/index.pl by agents.
I found out that the same users can access both, provided that they have agent and customer accounts.

The problem now is that if users authenticate OK in the apache module (either to the agent or customer interface), and there is no account yet in OTRS, they get redirected to the authentication again.

Is there a way to automagically create a user account?
The value of REMOTE_USER should be used as the username. There are other apache env vars available for firstname, lastname, email, etc.

Many thanks!!
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: SSO OK, but not possible to automagically create custome

Post by crythias »

You will need both an authentication provider and a demographic provider.

The authentication provider you have.
The demographic provider won't be generated from authentication. You will need a source of data that has some link to the credentials provided.

Authentication: "Are you allowed to be here/do you have valid credentials?"
Demographics: "Who are you? What do I know about you?"

How to fix?
Connect to a customer backend that has this information.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
dnmvisser
Znuny newbie
Posts: 12
Joined: 19 Aug 2014, 18:21
Znuny Version: 3.3.8

Re: SSO OK, but not possible to automagically create custome

Post by dnmvisser »

crythias wrote: How to fix?
Connect to a customer backend that has this information.
Thanks!
Not sure yet what a 'demographic provider' is, but I'll search and look it up.
Just to get things going, would it be possible to implement this in a static way?

Thanks
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: SSO OK, but not possible to automagically create custome

Post by crythias »

dnmvisser wrote: Just to get things going, would it be possible to implement this in a static way?
Customers in the customer database can be authenticated by something else.
dnmvisser
Znuny newbie
Posts: 12
Joined: 19 Aug 2014, 18:21
Znuny Version: 3.3.8

Re: SSO OK, but not possible to automagically create custome

Post by dnmvisser »

crythias wrote: You will need both an authentication provider and a demographic provider.

The authentication provider you have.
The demographic provider won't be generated from authentication. You will need a source of data that has some link to the credentials provided.
The source of data does not exist before a user logs in.
In other words, there is no external user database.
When a user logs in, the following information becomes available: username, firstname, lastname, email.
There are a number of other things that can be set statically.
Authentication: "Are you allowed to be here/do you have valid credentials?"
Demographics: "Who are you? What do I know about you?"

How to fix?
Connect to a customer backend that has this information.

The docs only list backends that do a lookup of information based on the username (DB, LDAP).
I need something simpler: a backend that uses ENV variables straight away.
Would I need to write my own backend for this?

Thanks!
dnmvisser
Znuny newbie
Posts: 12
Joined: 19 Aug 2014, 18:21
Znuny Version: 3.3.8

Re: SSO OK, but not possible to automagically create custome

Post by dnmvisser »

I created HTTPBasicAuthMellon.
This is a modified version of HTTPBasicAuth but with a call to CustomerUserAdd() at the end.
This takes care of adding the user just after authentication:

    # 2014-08-22 visser@terena.org
    # Automagically create a new customer (auto-provisioning).
    # $User comes from REMOTE_USER; $FirstName, $LastName and $Mail are
    # taken from the other environment variables set by mod_auth_mellon.
    # CustomerUserAdd() gracefully handles an attempt to create an already existing customer.
    # TODO: Explicitly check if the user exists first.

    my $newuser = $Self->{CustomerUserObject}->CustomerUserAdd(
        Source         => 'CustomerUser',
        UserFirstname  => $FirstName,
        UserLastname   => $LastName,
        UserCustomerID => 'default_customer',
        UserLogin      => $User,
        UserPassword   => $Self->{CustomerUserObject}->GenerateRandomPassword(),
        UserEmail      => $Mail,
        ValidID        => 1,
        UserID         => 1,
    );
The values of firstname/lastname/email are taken from $ENV.

I need to test it a little bit more, but so far this seems to work OK.

Thanks
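The provisioning step in the post above, written out as an added example that is not from the thread or from OTRS itself: it reads the login from REMOTE_USER, takes the name and e-mail attributes from environment variables, and does the explicit existence check the post leaves as a TODO before adding the customer. The MELLON_* variable names and the in-memory CustomerStore are assumptions of this example; the real module would call CustomerUserAdd() instead.

```python
import re
from dataclasses import dataclass, field

# Names of the Apache environment variables holding the SAML attributes.
# The thread only says such variables exist besides REMOTE_USER; these
# MELLON_* names are an assumption of this example, not taken from the post.
ATTR_VARS = {
    "firstname": "MELLON_givenName",
    "lastname": "MELLON_sn",
    "email": "MELLON_mail",
}

# Conservative shapes for the login and e-mail before they reach the customer
# table. REMOTE_USER is set by the web server after authentication (client
# request headers arrive as HTTP_* under CGI), so these checks guard against
# odd attribute values coming from the IdP, not against header spoofing.
LOGIN_RE = re.compile(r"^[A-Za-z0-9._@+-]{1,100}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class CustomerStore:
    """Constructed in-memory stand-in for the OTRS customer user table."""
    users: dict = field(default_factory=dict)

    def exists(self, login: str) -> bool:
        return login in self.users

    def add(self, login: str, record: dict) -> None:
        # Refuse a second add for the same login; the existence check in
        # provision_from_env() is meant to make this unreachable.
        if login in self.users:
            raise ValueError(f"customer {login!r} already exists")
        self.users[login] = dict(record)


def provision_from_env(env: dict, store: CustomerStore,
                       customer_id: str = "default_customer") -> tuple:
    """Create the customer for an already-authenticated request if needed.

    Returns ("rejected", login) when the attributes are unusable,
    ("existing", login) when the customer is already there, and
    ("created", login) after a new record has been added.
    """
    login = env.get("REMOTE_USER", "")
    if not LOGIN_RE.fullmatch(login):
        return ("rejected", login or None)

    firstname = env.get(ATTR_VARS["firstname"], "").strip()
    lastname = env.get(ATTR_VARS["lastname"], "").strip()
    email = env.get(ATTR_VARS["email"], "").strip()

    # The post passes UserEmail to CustomerUserAdd(); without a usable
    # address this example does not create a half-filled account.
    if not EMAIL_RE.fullmatch(email):
        return ("rejected", login)

    # Explicit existence check: the post's snippet relies on CustomerUserAdd()
    # refusing duplicates and marks doing this check first as a TODO.
    if store.exists(login):
        return ("existing", login)

    store.add(login, {
        "firstname": firstname or login,   # fall back to the login if unset
        "lastname": lastname,
        "email": email,
        "customer_id": customer_id,
        "valid": True,
    })
    return ("created", login)


# Constructed sample of what Apache would pass after a successful SAML login.
SAMPLE_ENV = {
    "REMOTE_USER": "alice@example.org",
    "MELLON_givenName": "Alice",
    "MELLON_sn": "Liddell",
    "MELLON_mail": "alice@example.org",
}

if __name__ == "__main__":
    store = CustomerStore()
    print(provision_from_env(SAMPLE_ENV, store))              # first request
    print(provision_from_env(SAMPLE_ENV, store))              # same user again
    print(provision_from_env({"REMOTE_USER": "bob"}, store))  # no e-mail attribute
```

The second call for the same REMOTE_USER returns "existing" without touching the store, which is the behaviour the post gets implicitly from CustomerUserAdd(); making it explicit also gives one place to log first-time provisioning separately from ordinary logins.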
dnmvisser
Znuny newbie
Posts: 12
Joined: 19 Aug 2014, 18:21
Znuny Version: 3.3.8

Re: SSO OK, but not possible to automagically create custome

Post by dnmvisser »

For the archives: I documented all the steps to get OTRS to work with mod_auth_mellon:

https://wiki.terena.org/display/~federa ... uth_mellon
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: SSO OK, but not possible to automagically create custome

Post by crythias »

Please kindly submit this as a HowTo on this forum. HowTos are moderated, but it should be approved quickly.