WORK IN PROGRESS
Below is the recipe for getting OTRS to work with federated authentication.
I used Ubuntu 14.04, OTRS 3.3.8 and mod_auth_mellon 0.7.
OTRS has two different web interfaces:
- The customer interface. This is for people who submit tickets
- The agent interface. This is for people working on tickets ('admins' if you will)
The goal is to have both interfaces use federated authentication. This is already possible with the default OTRS.
However, because of the federated authentication, it is not possible to provision accounts for customers in OTRS before they have logged in. This is because there is no way to know a user's details. So we want the accounts to be auto-provisioned. This is not possible with the default OTRS, so I created a patch that adds two custom authentication methods, which are based on the bundled HTTPBasicAuth.pm method.
Prerequisites
Before you start, make sure you have these bits in place:
- A correctly configured Apache web server that is able to serve an HTTPS web site (https://otrs.example.com).
- A SAML Identity Provider (IdP).
- An account on that IdP.
- An attribute that can be used as username in OTRS (for example eduPersonPrincipalName). Attributes for first name, last name, and e-mail are optional but highly recommended as the service would be pretty useless without these. In this case we assume that 'givenName', 'sn', and 'mail' can be used.
- The user name of the to-be administrator account. So, if you choose eduPersonPrincipalName as the attribute for username, you need to know your own value (for instance 'dvisser@surfnet.nl').
OTRS
Go to https://www.otrs.com/try/, scroll to Source, and pick the latest version of OTRS Help Desk.
Follow the instructions at http://otrs.github.io/doc/manual/admin/stable/en/html/index.html, do a standard install and make sure everything works.
The docs all seem to assume that you'd want to run OTRS inside a subdirectory (https://example.com/otrs), but we want it to be the root of our vhost (https://otrs.example.com), in which case this configuration is a little bit different, see below:
ServerName bartali.terena.org Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/" Alias / "/opt/otrs/bin/cgi-bin/" <IfModule mod_perl.c> # Setup environment and preload modules Perlrequire /opt/otrs/scripts/apache2-perl-startup.pl # Reload Perl modules when changed on disk PerlModule Apache2::Reload PerlInitHandler Apache2::Reload # mod_perl2 options for GenericInterface <Location /nph-genericinterface.pl> PerlOptions -ParseHeaders </Location> </IfModule> <Directory "/opt/otrs/bin/cgi-bin/"> AllowOverride None DirectoryIndex customer.pl AddHandler perl-script .pl .cgi PerlResponseHandler ModPerl::Registry Options +ExecCGI PerlOptions +ParseHeaders PerlOptions +SetupEnv # mod_auth_mellon MellonEnable "info" MellonSecureCookie On MellonSessionDump Off MellonSamlResponseDump Off MellonEndpointPath "/mellon" MellonSPPrivateKeyFile /etc/apache2/mellon/sp.key MellonSPCertFile /etc/apache2/mellon/sp.crt MellonIdPMetadataFile /etc/apache2/mellon/idp.xml # To avoid security holes, first unset any existing header RequestHeader unset eduPersonPrincipalName # Then conditionally set it RequestHeader set eduPersonPrincipalName "%{MELLON_eduPersonPrincipalName}e" env=MELLON_eduPersonPrincipalName <IfModule mod_version.c> <IfVersion < 2.4> Order allow,deny Allow from all </IfVersion> <IfVersion >= 2.4> Require all granted </IfVersion> </IfModule> <IfModule !mod_version.c> Order allow,deny Allow from all </IfModule> <IfModule mod_deflate.c> AddOutputFilterByType DEFLATE text/html text/javascript text/css text/xml application/json text/json </IfModule> </Directory> <Directory "/opt/otrs/var/httpd/htdocs/"> AllowOverride None <IfModule mod_version.c> <IfVersion < 2.4> Order allow,deny Allow from all </IfVersion> <IfVersion >= 2.4> Require all granted </IfVersion> </IfModule> <IfModule !mod_version.c> Order allow,deny Allow from all </IfModule> <IfModule mod_deflate.c> AddOutputFilterByType DEFLATE text/html text/javascript text/css text/xml application/json text/json </IfModule> # Make sure CSS and JS files are read as UTF8 by the browsers. AddCharset UTF-8 .css AddCharset UTF-8 .js # Set explicit mime type for woff fonts since it is relatively new and apache may not know about it. AddType application/font-woff .woff </Directory> <IfModule mod_headers.c> # Cache css-cache for 30 days <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css-cache"> <FilesMatch "\.(css|CSS)$"> Header set Cache-Control "max-age=2592000 must-revalidate" </FilesMatch> </Directory> # Cache css thirdparty for 4 hours, including icon fonts <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css/thirdparty"> <FilesMatch "\.(css|CSS|woff|svg)$"> Header set Cache-Control "max-age=14400 must-revalidate" </FilesMatch> </Directory> # Cache js-cache for 30 days <Directory "/opt/otrs/var/httpd/htdocs/js/js-cache"> <FilesMatch "\.(js|JS)$"> Header set Cache-Control "max-age=2592000 must-revalidate" </FilesMatch> </Directory> # Cache js thirdparty for 4 hours <Directory "/opt/otrs/var/httpd/htdocs/js/thirdparty/"> <FilesMatch "\.(js|JS)$"> Header set Cache-Control "max-age=14400 must-revalidate" </FilesMatch> </Directory> </IfModule>
The site is now configured so that the bare URL will go to the customer interface. This makes the most sense because typically customers will have less clue about where to go.
The agent interface is where you should log in to with the default root@localhost account.
mod_auth_mellon
mod_auth_mellon is an Apache module. To get this working I recompiled the Debian source packages from the University of Tilburg for Ubuntu 12.04 and made them available in our own APT repository. Ubuntu 14.04 and later have the module available as well.
apt-get install libapache2-mod-auth-mellon a2enmod auth_mellon
Create a directory /etc/apache/mellon, and store the Identity Provider metadata in XML format to a file called idp.xml.
Create the cryptographic material for the mellon SP:
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout sp.key -out sp.crt
Now add this to the configuration of the vhost (note that this is not the entire config - you should have the HTTPS stuff already configured, probably in /etc/apache2/mods-enabled/ssl.conf).
This is a slightly adapted version of the default config so that OTRS runs from the root and not from a subdirectory:
As you can see, the attribute eduPersonPrincipalName is being used as the username. This is the attribute that should always be send by the IdP.
By this time, you should be able to download the Service Provider metadata from https://example.com/mellon/metadata, and use it to add it to your IdP, thereby creating a trust relationship.
Confluence - part 2
Now everything is in place to federate Confluence. Make sure that Confluence isn't running any more.
- Download the right version of remoteUserAuth.jar (I used 2.5.0) from https://github.com/chauth/confluence_http_authenticator/tree/master/releases, and store it in
confluence/WEB-INF/lib.
Make sure you're actually downloading the JAR file and not the HTML page. - Download https://github.com/chauth/confluence_http_authenticator/blob/master/conf/remoteUserAuthenticator.properties and save it as
confluence/WEB-INF/classes/remoteUserAuthenticator.properties
. The defaults were almost OK, the only thing I needed to change was convert.to.utf8=true. Edit
confluence/WEB-INF/classes/seraph-config.xml
and change this section in the beginning:<init-param> <param-name>login.url</param-name> <param-value>/login.action?os_destination=${originalurl}</param-value> </init-param> <init-param> <param-name>link.login.url</param-name> <param-value>/login.action</param-value> </init-param>
To this:
<init-param> <param-name>login.url</param-name> <param-value>/mellon/login?ReturnTo=${originalurl}</param-value> </init-param> <init-param> <param-name>link.login.url</param-name> <param-value>/mellon/login?ReturnTo=%2Fdashboard.action</param-value> </init-param>
You should now be able to use federated logins.
Confluence - mobile theme
The new Confluence feature a dedicated theme for use on mobile devices. This is great, but unfortunately both the login and logout buttons in that theme do not work - they still point to the 'old' static login/logout links.
Login button
I couldn't find any way to do this in Confluence, so I ended up rewriting it in Apache. See the snippet in the Apache config above.
Logout button
apt-get --no-install-recommends install openjdk-7-jdk
Then do:
mkdir /tmp/jar
cd /tmp/jar
jar xf /opt/confluence/confluence/WEB-INF/lib/confluence-5.5.3.jar
xwork.xml
and change this part:
<action name="logout" class="com.atlassian.confluence.user.actions.LogoutAction"> <interceptor-ref name="defaultStack"/> <result name="error" type="velocity">/logout.vm</result> <result name="success" type="redirect">/login.action?logout=true</result> </action>
to this:
<action name="logout" class="com.atlassian.confluence.user.actions.LogoutAction"> <interceptor-ref name="defaultStack"/> <result name="error" type="velocity">/logout.vm</result> <result name="success" type="redirect">/mellon/logout?ReturnTo=%2Fdashboard.action</result> </action>
Now "jar" everything up again and replace the original jar:
cd /tmp/jar jar cf /opt/confluence/confluence/WEB-INF/lib/confluence-5.5.3.jar .
Restart Confluence. You should now also be able to use federated logins on your iPad/etc.
jsessionid errors
If unauthenticated users try to access content that is protected, Confluence tries to set jsessionid as part of the URL. This leads to 404 errors like this:
NOT FOUND The requested URL /mellon/login;jsessionid=8A736F43779F96249F6C3DC41067BB98 was not found on this server.
Since the jsessionid part isn't needed, it can be removed uses a rewrite statement (see apache config above).
Limit access to the unprotected TCP port
Confluence by default listens to TCP port 8090 on all interface. Since Apache will be the internet facing application, there is no need for Confluence to listen on all interfaces. Even worse, if you do let it listen on the internet then it is trivial to add a REMOTE_USER header and spoof any account. Of course it is good practice to use a firewall to protect this port, but you can limit this in Confluence as well. Since Apache is configured to only connect to the (IPv6) localhost address, this is what you should configure Confluence to use as listening address. As per Tomcat docs, you should add an "address" attribute to the Connector, which is located in conf/server.xml
:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8090" address="::1" minProcessors="5"