[rt-users] RT and SSO with SAML

Ruslan Zakirov ruz at bestpractical.com
Tue Jun 18 08:58:02 EDT 2013


On Tue, Jun 18, 2013 at 4:38 PM, L B <bertignac at gmail.com> wrote:

> Hi,
>
> The goal here is to have SSO on RT between a local user directory (AD) and
> an RT instance installed in the Amazon cloud.
>
> I've set up mod_mellon ( https://code.google.com/p/modmellon/ ) with RT as
> a relying party on AWS and it works well; I'm able to log in with SSO (the IdP
> used on premise is ADFS).
>
> I just had to configure RT with:
> Set($WebExternalAuth , 1);
> Set($WebFallbackToInternalAuth , 1);
> Set($WebExternalAuto , 1);
>
> so it uses the REMOTE_USER variable to log in.
>
> I have three problems now:
> - populating users info:
>  I think I can get some environment variables out of the SAML token with
> mod_mellon configuration like this:
>
>  MellonSetEnv "e-mail" "mail"
>
>  But then I don't know how to populate this into RT.
>

Solution:
1) With code. Grep for REMOTE_USER in the RT source code and you'll find places
where you can inject code to extract the information mellon puts into ENV and
put it into RT's tables. As far as I recall, the remote user variable is handled in
one or two places.

2) No coding - use the ExternalAuth module to extract info. It can work this
way - info-extraction-only mode without auth. Info is updated on login to the
UI.

3) No coding - use LDAPImport to bring in users' data. Info is updated as
often as you run the script.


> - logout waits 1 second (default), and goes back to the login page, so I'm
> authenticated again. I think I need to change the logout link in the code?
>

Yes. Very specific to setup, so there is no direct solution that works for
everybody.


> - SSO is always used and I'd like a way to do a local login (with root for
> example which is not in our user directory). I'm not sure how to do this
> yet.
>

Host a second RT as a virtual host on a different URL without SSO. Only people
with passwords in RT's database would be able to use this interface.


>
> Has anyone played with this and gone further than I did?
>
> Thanks,
> --
> L.B.
>
>
>
> --
> RT Training in Seattle, June 19-20: http://bestpractical.com/training
>



-- 
Best regards, Ruslan.
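As an added illustration of option 1) above (this is example code, not part of the original thread and not RT's or mod_mellon's own code), the sketch below maps the environment variables mod_mellon exports into an RT user record. It assumes the RT 4.x Perl API (RT::User, RT->SystemUser, RT->Logger), that it is called from the REMOTE_USER handling the reply tells you to grep for, and that the MELLON_ prefix is mod_mellon's default for MellonSetEnv; the "realname" mapping and the Privileged => 1 setting are assumptions for the example.

```perl
use strict;
use warnings;

# Assumed mod_mellon mapping (MELLON_ is mod_mellon's default env prefix):
#   MellonSetEnv "e-mail"   "mail"         -> $ENV{'MELLON_e-mail'}   (from the thread)
#   MellonSetEnv "realname" "displayName"  -> $ENV{'MELLON_realname'} (assumed)
my %ENV_TO_RT_FIELD = (
    'MELLON_e-mail'   => 'EmailAddress',
    'MELLON_realname' => 'RealName',
);

# Collect the mapped attributes. mod_mellon sets these in Apache's subprocess
# environment (not from client-supplied headers), so they are as trustworthy
# as REMOTE_USER itself on the same request.
sub attributes_from_env {
    my ($env) = @_;
    my %attrs;
    for my $var ( sort keys %ENV_TO_RT_FIELD ) {
        my $value = $env->{$var};
        next unless defined $value && length $value;
        $attrs{ $ENV_TO_RT_FIELD{$var} } = $value;
    }
    return \%attrs;
}

# Create or update the RT user named by REMOTE_USER; returns (id, message)
# in RT's usual style. Each RT call's result is checked, never assumed.
sub sync_user_from_env {
    my ($env) = @_;
    my $name = $env->{REMOTE_USER};
    return ( 0, 'REMOTE_USER not set' ) unless defined $name && length $name;
    my $attrs = attributes_from_env($env);
    my $user  = RT::User->new( RT->SystemUser );
    $user->Load($name);    # loads by Name when the argument is not numeric
    unless ( $user->Id ) {
        # Privileged => 1 is an assumption here; RT's own auto-create uses $AutoCreate
        return $user->Create( Name => $name, Privileged => 1, %$attrs );
    }
    for my $field ( sort keys %$attrs ) {
        my $current = $user->$field();
        next if defined $current && $current eq $attrs->{$field};
        my $setter = "Set$field";    # SetEmailAddress, SetRealName
        my ( $ok, $msg ) = $user->$setter( $attrs->{$field} );
        # e.g. RT rejects an e-mail address already used by another user
        RT->Logger->warning("mellon sync: $name $field: $msg") unless $ok;
    }
    return ( $user->Id, 'user synchronised' );
}

# In the web handler: sync_user_from_env( \%ENV ) once mod_mellon has set REMOTE_USER.
```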

