Bug #88148 for RT-Authen-ExternalAuth: RT::Authen::ExternalAuth SSO config.. tips please..

Mon Aug 26 13:41:17 2013 msullivan [...] proofpoint.com - Ticket created

Subject:	RT::Authen::ExternalAuth SSO config.. tips please..
Date:	Mon, 26 Aug 2013 17:41:02 +0000
To:	"bug-RT-Authen-ExternalAuth [...] rt.cpan.org" <bug-RT-Authen-ExternalAuth [...] rt.cpan.org>
From:	Michelle Sullivan <msullivan [...] proofpoint.com>

Hi, I'm moving from RT3.6 -> RT4.0.17 and have decided to try going with RT::Authen::ExternalAuth instead of an OverRide I wrote previously. My system sets a cookie for all visitors, which is just a session ID (no other information in the cookie - for security .. this is then linked to the actual user information using Apache::Session to do the dirty work) Inside the cookie retrieved information there is the Username, Email addresses (multiple possible), Real Name, RT ID (single at the moment, but will be multiple in the near future) and a load of other information (address etc.) Currently when someone logs in to the main site and updates their preferences it updates the preferences in the RT user database. Inside the retrieved information there is an 'auth' parameter which contains the current state of the login and it's timeout. My thoughts is for any un-authenticated user to be re-directed to my main login page, get the new authenticated cookie, and be re-directed back to the RT system. The RT system will then load the user information from the DB retrieved by the cookie ID.. and allow access in that method. Is this possible with RT::Authen::ExternalAuth ? If so is it possible for it to update the timeout as necessary (so the login doesn't idle out)? If all of the above... any Docs/Examples on it? (I have modules that can do this as well - but need to know what calls what and what is expected in the return) Glancing at the code, it suggests that it is not possible without extensive work... can anyone confirm or deny? Thanks, -- Michelle Sullivan http://www.mhix.org/

Mon Aug 26 13:45:39 2013 msullivan [...] proofpoint.com - Correspondence added

Subject:	Re: [rt.cpan.org #88148] AutoReply: RT::Authen::ExternalAuth SSO config.. tips please..
Date:	Mon, 26 Aug 2013 17:45:25 +0000
To:	"bug-RT-Authen-ExternalAuth [...] rt.cpan.org" <bug-RT-Authen-ExternalAuth [...] rt.cpan.org>
From:	Michelle Sullivan <msullivan [...] proofpoint.com>

Whoops, sorry I didn't mean to create a bug reportŠ wrong email address. Regards, Michelle

Thu Apr 02 10:56:44 2015 ELACOUR [...] cpan.org - Correspondence added

This bug should be renamed to "Compatibility with WebExternalAuth/WebFallbackToInternalAuth". I faced the same problem here with an auth using REMOTE_USER that should allow to fallback to this plugin if no REMOTE_USER is given. This plugin doesn't handle REMOTE_USER at all, here is the slightly different patch I use: diff --git a/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm b/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm index b8950b4..32a5200 100644 --- a/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm +++ b/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm @@ -431,7 +431,9 @@ sub DoAuth { ############################################################# ####################### SSO Check ########################### ############################################################# - if ($config->{'type'} eq 'cookie') { + if ( RT->Config->Get('WebExternalAuth') && $ENV{REMOTE_USER} ) { + $username = $ENV{REMOTE_USER}; + } elsif ($config->{'type'} eq 'cookie') { # Currently, Cookie authentication is our only SSO method $username = RT::Authen::ExternalAuth::DBI::GetCookieAuth($config);

Thu Apr 02 10:56:45 2015 The RT System itself - Status changed from 'new' to 'open'