RT Request Tracker SSO


Sfrangebob Dr Zeta

Jan 26, 2015, 10:01:02 AM
to simple...@googlegroups.com
Hi,
I'm going to integrate RT v3.8.4 (https://www.bestpractical.com/rt/) with simplesamlphp.
Has anybody tried this before?
I have found an ExternalAuth library but it seems limited to cookie authentication.
If I'm right, the user has to authenticate in my other app and then I route him to the RT app and he will be automatically authenticated by cookies.
Any idea?
Thanks
Regards

Peter Schober

Jan 26, 2015, 10:25:50 AM
to simple...@googlegroups.com
* Sfrangebob Dr Zeta <zkm...@gmail.com> [2015-01-26 16:01]:
> I'm going to integrate RT v3.8.4 (https://www.bestpractical.com/rt/) with
> simplesamlphp.

RT is written in Perl, SimpleSAMLphp in PHP. So you can't do that
using just SSP's SP API.

The SimpleSAMLphp answer is to use mod_authmemcookie
https://simplesamlphp.org/docs/stable/simplesamlphp-advancedfeatures#section_5
together with SSP.

Alternatives are using a different SAML implementation altogether that
works on the level of the web server alone, such as the Shibboleth SP
http://shibboleth.net/products/service-provider.html or
mod_auth_mellon https://github.com/UNINETT/mod_auth_mellon
-peter

Clément OUDOT

Jan 26, 2015, 10:31:01 AM
to simple...@googlegroups.com
Indeed, seems possible to use mod_auth_mellon with
https://www.bestpractical.com/docs/rt/4.2/authentication.html#WebRemoteUserAuth


Else, you can also give a try to http://lemonldap-ng.org/welcome/
which can act as SAML SP. It is written in Perl.


Clément.

Matthew Slowe

Jan 26, 2015, 10:31:43 AM
to simple...@googlegroups.com
On Mon, Jan 26, 2015 at 04:25:47PM +0100, Peter Schober wrote:
> mod_auth_mellon https://github.com/UNINETT/mod_auth_mellon

+1 for mod_auth_mellon ... it's a complete SAML2 SP implementation in an
Apache module and is marvellous (and a lot more useful, for me at least,
than mod_authmemcookie).

--
Matthew Slowe | Server Infrastructure Officer
IT Infrastructure, Information Services, University of Kent
Room S21, Cornwallis South
Canterbury, Kent, CT2 7NZ, UK
Tel: +44 (0)1227 824265

www.kent.ac.uk/is | @UnikentUnseenIT | @UKCLibraryIt

Dick Visser

Jan 26, 2015, 12:05:45 PM
to simplesamlphp
On Mon, Jan 26, 2015 at 4:30 PM, Clément OUDOT <clem....@gmail.com> wrote:
> 2015-01-26 16:25 GMT+01:00 Peter Schober <peter....@univie.ac.at>:
>> * Sfrangebob Dr Zeta <zkm...@gmail.com> [2015-01-26 16:01]:
>>> I'm going to integrate RT v3.8.4 (https://www.bestpractical.com/rt/) with
>>> simplesamlphp.
>>
>> RT is written in Perl, SimpleSAMLphp in PHP. So you can't do that
>> using just SSP's SP API.
>>
>> The SimpleSAMLphp answer is to use mod_authmemcookie
>> https://simplesamlphp.org/docs/stable/simplesamlphp-advancedfeatures#section_5
>> together with SSP.
>>
>> Alternatives are using a different SAML implementation altogether that
>> works on the level of the web server alone, such as the Shibboleth SP
>> http://shibboleth.net/products/service-provider.html or
>> mod_auth_mellon https://github.com/UNINETT/mod_auth_mellon
>
>
> Indeed, seems possible to use mod_auth_mellon with
> https://www.bestpractical.com/docs/rt/4.2/authentication.html#WebRemoteUserAuth


+1 for this.
Also, from that page I see that when you go down the REMOTE_USER
route, it is actually possible to auto provision users as well:


$WebRemoteUserAutocreate
* Enables or disables auto-creation of RT users when a new REMOTE_USER
is encountered.

Which is a nice bonus if you want federated authentication for an
issue tracking system.
I remember that OTRS for instance did support REMOTE_USER, but without
auto provisioning it was not very usable (other than manually
provisioning all users prior to logging in).





--
Dick Visser
Sr. System & Networking Engineer
GÉANT Association, Amsterdam Office (formerly TERENA)
Singel 468D, 1017 AW Amsterdam, the Netherlands
Tel: +31 (0) 20 530 4488

GÉANT Association
Networking. Services. People.

Learn more at: http://www.géant.org
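
One way to wire up the REMOTE_USER route discussed in this thread, as an added example that is not from any of the posters or from the RT or mod_auth_mellon projects: mod_auth_mellon authenticates the request in Apache and sets REMOTE_USER, and RT is told to trust it by enabling `$WebRemoteUserAuth` and `$WebRemoteUserAutocreate` (the RT 4.2 option names from the page linked above) in its site configuration. The file paths, the `uid` and `eduPersonAffiliation` attribute names and the `staff` value are assumptions; substitute what your IdP actually releases.

```apache
# Constructed example: Apache virtual host fragment protecting an RT instance
# with mod_auth_mellon. All paths below are placeholders.
<Location />
    AuthType Mellon
    # "auth" forces a SAML login for every request under this location,
    # so RT never sees a request without an authenticated session.
    MellonEnable "auth"
    Require valid-user

    # SP endpoints (login, logout, metadata) live under this path.
    MellonEndpointPath "/mellon"

    # SP key pair and metadata, plus the IdP metadata to trust (placeholders).
    MellonSPPrivateKeyFile /etc/apache2/mellon/sp.key
    MellonSPCertFile       /etc/apache2/mellon/sp.crt
    MellonSPMetadataFile   /etc/apache2/mellon/sp-metadata.xml
    MellonIdPMetadataFile  /etc/apache2/mellon/idp-metadata.xml

    # Attribute whose value becomes REMOTE_USER, and therefore the RT user
    # name. Assumed attribute name; pick one that is stable and unique.
    MellonUser "uid"

    # With auto-creation enabled in RT, every user the IdP authenticates
    # gets an RT account. Restrict access by attribute if that is too broad.
    # Assumed attribute name and value.
    MellonCond "eduPersonAffiliation" "staff"

    # Only send the Mellon session cookie over HTTPS.
    MellonSecureCookie On
</Location>
```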