Login to Otrs from existing corporate website

Moderator: crythias

hmmmm3
Znuny newbie
Posts: 57
Joined: 17 Feb 2012, 07:48
Znuny Version: 3

Login to Otrs from existing corporate website

Post by hmmmm3 »

I have been searching for a way to log into the OTRS agent or customer portal via a form page on my existing web page.

I know I can use an url string like this:
otrs/index.pl?Action=Login&User=<user>&Password=<pass>

But I wanted something a little more secure. Is this possible through the generic interface in 3.1? If so, how?

thanks for the help.
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Login to Otrs from existing corporate website

Post by crythias »

The key is to query your existing authentication in such a way that it returns valid if logged in.

Check out Kernel/System/Auth/*

There's a lot to observe, but take a cursory look at HTTPBasicAuth.pm

Basically, everything you want to keep is up to and including the entirety of sub new {}, sub GetOption {},
but change the Package Name to reflect your method.
GetOption's major difference is regarding whether to do a PreAuth => 0 or PreAuth => 1 (compare DB.pm to HTTPBasicAuth.pm). DB.pm says '0' and HTTPBasicAuth.pm says '1'. That seems to make sense to me, if it means, 'are they already authorized in the thing I'm checking against?'

Next, the main code:

sub Auth {}

You'll need to be certain you have the method to verify against the other scheme (username/password or username/cookie?) and call the api of that auth method (or emulate the method in your own code), then return pass/fail.

It's a start, but it should help.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: Login to Otrs from existing corporate website

Post by hmmmm3 »

Thanks for the reply. But I am confused. Will this approach allow me to log in and have a normal session, or will I have to use api commands to interact with OTRS?

I just want a way to log in without having to recreate the form or without having to send customers to the customer.pl page.

Re: Login to Otrs from existing corporate website

Post by crythias »

hmmmm3 wrote: Will this approach allow me to log in and have a normal session, or will I have to use api commands to interact with OTRS?
hmmmm3 wrote: I have been searching for a way to log into the OTRS agent or customer portal via a form page on my existing web page.
That is all my response was intended to answer. Authentication.
hmmmm3 wrote: I just want a way to log in without having to recreate the form or without having to send customers to the customer.pl page.
There are two parts to your statement:
1) Login without having to recreate the form.
In general, yes, because if you can figure out something about the requesting customer from what the customer provides or you have a reasonable expectation that they'd have in a cookie, for instance, that is sufficient.
hmmmm3 wrote:I know I can use an url string like this:
otrs/index.pl?Action=Login&User=<user>&Password=<pass>

But I wanted something a little more secure. Is this possible through the generic interface in 3.1? If so, how?
Don't send Password. Send a salted md5 hash, for instance.

2) without having to send customers to customer.pl page
You're going to have to, because that's OTRS's customer interface. They just won't have to log in.

Re: Login to Otrs from existing corporate website

Post by hmmmm3 »

I apologize for taking a while to write back. But I think I finally understood your response, partially because I was recently working with the salt MD5 stuff.

So you think if I do the following:

1.) pass in my username and an encrypted password
2.) modify the authentication routine plus modify the code for being able to handle an encrypted parameter

Then, I should be able to create a session automatically when the user goes to that page?
Theoretically, this should also work in version 3.0 as well and I really don't need any of the generic interface stuff, correct?

Re: Login to Otrs from existing corporate website

Post by hmmmm3 »

Another question.

How do I tell the system to use the httpBasicAuth.pm rather than the DB.pm method?

Re: Login to Otrs from existing corporate website

Post by crythias »

hmmmm3 wrote:Another question.

How do I tell the system to use the httpBasicAuth.pm rather than the DB.pm method?
Modify config.pm. This is documented in the docs (search for additional backends).

I believe (though I haven't tested) that httpBasicAuth (relying on Apache to do the authentication), more or less, assumes that the website can receive the username from an environment variable, which theoretically can only be provided by a previously authenticated user. "Hey, I'm username." Apache: "Um. ok, sounds good." OTRS (HTTPBasicAuth): "Apache says you're username. do I have a customer username? cool. you're in."

Re: Login to Otrs from existing corporate website

Post by hmmmm3 »

Okay....let me take a step back and give you the big picture.

I have a customer who logs into a Joomla website using the right credentials and I want that customer to be able to access their OTRS account. I know there is an existing Joomla/OTRS extension but it limits what you can do. I have been able to modify the OTRS encryption and the Joomla encryption to match, so essentially the passwords are in sync. Joomla has some cool extensions that will also allow me to modify the agents profile info directly from Joomla...and I like that too!

So, I'm thinking of using the httpAuth approach to allow the user to log in...but it seems kind of risky! What allows somebody from just putting in a username and getting access?

Is there a better approach I should consider?

Re: Login to Otrs from existing corporate website

Post by crythias »

hmmmm3 wrote:What allows somebody from just putting in a username and getting access?

Is there a better approach I should consider?
First part: if you're using HTTPBasicAuth and Apache doesn't believe you, you don't get anywhere. You won't be using the otrs panel to verify login.

Second part: one option I'd consider is -- especially if [third party authentication] is a centralized authentication source -- observe the code for httpbasicauth as an external authentication source as well as db auth for internal... hold on, I'm getting there...

The key is: Joomla *is* the external authentication source. What you need to be able to do is use Joomla's authentication API to confirm that Joomla username is authenticated, therefore OTRS will accept the fact that the username is authenticated externally and parse the username with known users.

This isn't the same (necessarily) as creating a joomla authentication plugin. If you were to do that, then Joomla would accept OTRS as the external authentication of record. http://docs.joomla.org/Accessing_the_cu ... ser_object might help a bit. If you can get OTRS to query that the current user isn't $user->guest, it should therefore accept the current joomla username.

I believe that's as best as I can provide for now. I'm not a Joomla expert, and what I've provided is based upon a quick Google search.

Re: Login to Otrs from existing corporate website

Post by hmmmm3 »

I appreciate the comments.

If I understand you correctly, you are essentially saying that if the user can log into their Joomla account (internal authentication) then OTRS (external authentication through httpauthentication) can assume that they must be okay, as long as their username is verified through the environment var.

I'm not trying to create a Joomla plugin that will verify the OTRS login. I think that is too much.

I appreciate your help.

Re: Login to Otrs from existing corporate website

Post by crythias »

hmmmm3 wrote: you are essentially saying that if the user can log into their Joomla account (internal authentication) then OTRS (external authentication through httpauthentication) can assume that they must be okay, as long as their username is verified through the environment var.
No, I am saying this:
Create a new otrs authentication method based upon (a copy of) httpbasicauth (because it tells you how to query an external source for authentication) and use this method in place of httpbasicauth to query authentication for CustomerAuth:
example:
$Self->{'Customer::AuthModule1'} = 'Kernel::System::Auth::Joomla';

The essential login structure will be the following:
Joomla will have a link to otrs/customer.pl with the username as a parameter (as you've previously demonstrated).
OTRS will use CustomerAuth method(s) to attempt authentication. One of those methods will be your new Joomla Authentication method.
The method will query Joomla to determine if the current user is logged in.
On the one hand, this should be enough, on another, you may need to do additional verification because knowing that the current customer username is logged in doesn't on its own verify that the OTRS logon is coming from the same source as the Joomla logon.

Summary: it can be possible to craft a URI that connects to OTRS as a currently logged in-to-Joomla customer that isn't the user logged into Joomla on this workstation. Or, more explicitly: if John is logged into Joomla, and Tom tries to connect to OTRS as John, Tom might be successful, if this isn't checked. (perils of external authentication).
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
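
The additional verification described in the post above, as an added example that is not part of the thread and is not OTRS or Joomla code: the portal gives the browser a short-lived, single-use token signed with HMAC-SHA256 (used here in place of the salted MD5 mentioned earlier), and the OTRS side accepts a username only when that token verifies. The function names, shared secret, in-memory nonce store and sample values are assumptions constructed for illustration; wiring verify_token into a custom Auth() is not shown.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
# Constructed values: a real secret sits in private config, the nonce record in a shared table.
my $SECRET = 'constructed-shared-secret';
my %seen_nonce;
# Portal side: call only after the portal itself has authenticated $user.
sub issue_token {
    my ( $user, $now, $nonce ) = @_;
    my $payload = join '|', $user, $now + 60, $nonce;    # valid for 60 seconds
    return $payload . '|' . hmac_sha256_hex( $payload, $SECRET );
}

# Compare without stopping at the first differing character.
sub const_eq {
    my ( $x, $y ) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord( substr( $x, $_, 1 ) ) ^ ord( substr( $y, $_, 1 ) ) for 0 .. length($x) - 1;
    return $diff == 0;
}

# OTRS side: the check a custom Auth() would run. Returns the username or undef.
sub verify_token {
    my ( $token, $claimed_user, $now ) = @_;
    my ( $user, $expires, $nonce, $mac ) = split /\|/, ( $token // '' ), 4;
    return if !defined $mac || $expires !~ /^\d+$/;    # missing or malformed
    my $expected = hmac_sha256_hex( "$user|$expires|$nonce", $SECRET );
    return if !const_eq( $mac, $expected );    # forged or altered
    return if $user ne $claimed_user;          # issued for a different user
    return if $now > $expires;                 # stale link
    return if $seen_nonce{$nonce}++;           # link already used once
    return $user;
}

my $t0  = 1_700_000_000;                          # constructed clock value
my $tok = issue_token( 'john', $t0, 'n-0001' );   # constructed user and nonce
( my $forged = $tok ) =~ s/^john/tom/;            # Tom rewrites the username field
for my $case (
    [ 'username only, no token', undef,   'john', $t0 ],
    [ 'edited token',            $forged, 'tom',  $t0 + 1 ],
    [ 'John token, Tom claimed', $tok,    'tom',  $t0 + 2 ],
    [ 'expired token',           $tok,    'john', $t0 + 61 ],
    [ 'valid token',             $tok,    'john', $t0 + 5 ],
    [ 'same token again',        $tok,    'john', $t0 + 6 ],
) {
    my ( $label, @args ) = @$case;
    printf "%-24s %s\n", $label, verify_token(@args) // 'rejected';
}
```

Only the fifth case yields a username; the others fail closed, including the request that carries a username and nothing else.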

Re: Login to Otrs from existing corporate website

Post by hmmmm3 »

Thanks. I am still working through this but I am figuring this out. Because all of my sites are running on the same server, I decided to do my authentication using temporary variables passed in the database, and passing the encrypted password with encrypted values randomly inserted into it...I know...it's probably not clear. I thought the Cognidox stuff was too complicated and openId was overkill when working on the same server.

As far as making the OTRS and Joomla site integrate, I ultimately used several Joomla plugins and posts. The first post I used was http://lists.otrs.org/pipermail/otrs/20 ... 32895.html He gave pretty good instructions on how to modify the OTRS password structure to match Joomla.

1.) Community Builder - Auto Actions - I used this to sync the users between the Joomla and OTRS database. So when a Joomla user modifies their password or profile, it also modifies the OTRS database.
2.) Jumi - I used this to create the Single login code in php to verify and authenticate joomla users when they try to log into OTRS using their existing session. I had to modify the Db.pm file to accommodate my changes. But I think I have a secure way for them to log into OTRS without having to re-enter their credentials.
3.) Art Table (artetics.com) - I used this to display sql results from the OTRS database. It essentially gives the logged-in user a way to view open tickets in Joomla. My Joomla system is focused on agents, while maintaining the customer.pl interface for customers.

This is still a work in progress and I am using 3.0 and Joomla 2.5.

Anyway, thanks for your help.