27 March 2025 at 14:20 - Views: 2 #34622
Version: Otobo 11.0.7 on Ubuntu 22.04
I have set up SSO via OpenIDConnect, which works well. Unfortunately, only the first name, last name and e-mail address come through OpenIDConnect, and the agents' accounts are created with just those.
# AgentSSO
# This is an example configuration for authorization via OpenIDConnect
# see https://openid.net/specs/openid-connect-core-1_0.html
$Self->{AuthModule} = 'Kernel::System::Auth::OpenIDConnect';

# Define the authentication flow, currently supported are the authorization code flow...
$Self->{'AuthModule::OpenIDConnect::AuthRequest'}->{ResponseType} = [ 'code' ];
# ...and the implicit flow (choose one - currently no hybrid flow is implemented)
# $Self->{'AuthModule::OpenIDConnect::AuthRequest'}->{ResponseType} = [ 'id_token' ];

# Define the additional scope (openid is added automatically and does not need to be
# defined here). Make sure to add everything you want to interpret later.
$Self->{'AuthModule::OpenIDConnect::AuthRequest'}->{AdditionalScope} = [
    qw/profile email/
];

# Set the ClientID and Redirect URI exactly as defined on the authorization server
# for the latter the Action must be "Login"
$Self->{'AuthModule::OpenIDConnect::Config'}{ClientSettings} = {
    ClientID    => 'xxx',
    RedirectURI => 'https://servicedesk.xxx.de/otobo/index.pl?Action=Login',
};
# For the authorization code flow the client secret has to be provided
$Self->{'AuthModule::OpenIDConnect::Config'}{ClientSettings}{ClientSecret} = 'xxx';

# Provide the URL of the well-known openid-configuration of the OpenID provider
$Self->{'AuthModule::OpenIDConnect::Config'}{ProviderSettings} = {
    OpenIDConfiguration => 'https://login.microsoftonline.com/xxx/v2.0/.well-known/openid-configuration',
    # TTL  => 60 * 30,   # optional: time period the extracted openid-configuration is cached
    # Name => 'Intern4', # optional: necessary only if one needs to differentiate between User and CustomerUser configuration e.g.
    # SSLOptions => {    # if special ssl options are needed; SSLVerifyHostname => 0 is also possible but should only be used for testing purposes
    #     SSLCertificate => 'SSL_cert_file',  # client certificate
    #     SSLKey         => 'SSL_key_file',   # client cert key
    #     SSLPassword    => 'SSL_passwd_cb',  # password for client cert key
    #     SSLCAFile      => 'SSL_ca_file',    # CA certificate
    #     SSLCADir       => 'SSL_ca_path',    # CA cert directory
    # },
};

# Set the token claim to be used as identifier (its value becomes the agent login)
$Self->{'AuthModule::OpenIDConnect::UID'} = 'email';

# Some optional additional settings
$Self->{'AuthModule::OpenIDConnect::Config'}{Misc} = {
    UseNonce   => 1,       # add a nonce to request and token (this is primarily important for the implicit flow where it is enabled by default)
    RandLength => 22,      # length for state and nonce random strings - default: 22
    RandTTL    => 60 * 5,  # valid time period for state and nonce (roughly the time a user can take to authenticate) - default: 300 s
    Leeway     => 2,       # leeway for small time differences between the OTOBO server and the OpenID provider - default: 2 s
};

# Optionally enable user authorization via the id token - hashes can be used for complex claims
$Self->{'AuthModule::OpenIDConnect::RoleMap'} = {
    roles => {
        Administrator => 'Administrator',
        Agent         => 'Agent',
        ConWinAgent   => 'ConWin-Agent',
        # TokenRole2 => 'OTOBORole2',
    },
    # TokenAttribute2 => {
    #     abc123 => {
    #         TokenRole1 => 'OTOBORole1',
    #         TokenRole3 => 'OTOBORole3',
    #     }
    # },
};

# Optionally enable user creation - this currently does not support complex claims; email is mandatory
$Self->{'AuthModule::OpenIDConnect::UserMap'} = {
    email       => 'UserEmail',
    given_name  => 'UserFirstname',
    family_name => 'UserLastname',
};

# For debugging purposes and to help with building the RoleMap e.g. you can dump all IDTokens received to the log
# $Self->{'AuthModule::OpenIDConnect::Debug'}->{'LogIDToken'} = 1;
I would now like to enrich this information with additional fields (e.g. telephone number) via LDAP. Unfortunately I cannot get it to work, and since there are no errors in otobo.log ("MinimumLogLevel" is already set to "Debug") I have no starting point either. LDAP works in principle, since it is also used as the customer backend.
# --------------------------------------------------- #
# authentication sync settings                        #
# (enable agent data sync. after successful           #
# authentication)                                     #
# --------------------------------------------------- #
# This is an example configuration for an LDAP auth sync. backend.
# (take care that Net::LDAP is installed!)
$Self->{AuthSyncModule} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'}   = 'xxx';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'ou=Accounts,ou=Tier10,ou=Accounts,ou=xxx,dc=xxx,dc=de';
# LDAP attribute that is compared with the agent login (here the value of the OpenIDConnect email claim)
$Self->{'AuthSyncModule::LDAP::UID'}    = 'mail';
# $Self->{'AuthSyncModule::LDAP::GroupDN'} = 'cn=otoboallow,ou=posixGroups,dc=example,dc=com';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=T01-FKT-OTBO-P1-001,ou=FKT,ou=OTBO,ou=TechnicalAccounts,ou=Tier01,ou=Accounts,ou=xxx,dc=xxx,dc=de';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxx';

# in case you want to always add one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# or if you want to filter with a logical OR-Expression, like AlwaysFilter => '(|(mail=*abc.com)(mail=*xyz.com))'
# $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';

# AuthSyncModule::LDAP::UserSyncMap
# (map for creating/syncing the agent from LDAP to the DB after successful login)
# you may specify LDAP-Fields as either
# * list, which will check each field. first existing will be picked ( ["givenName","cn","_empty"] )
# * name of an LDAP-Field (may return empty strings) ("givenName")
# * fixed strings, prefixed with an underscore: "_test", which will always return this fixed string
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
    UserPhone     => 'telephonenumber',
    UserAddress   => 'streetaddress',
};

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthSyncModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Net::LDAP::start_tls verify type (if needed - for more info see Net::LDAP::start_tls)
# Note: on port 389 without StartTLS the SearchUserPw bind and the synced attributes travel in clear text.
# $Self->{'AuthSyncModule::LDAP::StartTLS'} = 'required';

# Die if backend can't work, e. g. can't connect to server.
$Self->{'AuthSyncModule::LDAP::Die'} = 0;

# UserTable
$Self->{DatabaseUserTable}       = 'users';
$Self->{DatabaseUserTableUserID} = 'id';
$Self->{DatabaseUserTableUserPW} = 'pw';
$Self->{DatabaseUserTableUser}   = 'login';

$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
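One way to check the two halves of this setup against each other without a live directory, as an added example that is not part of the original post and not OTOBO's own code: the Python below models what the posted AuthSyncModule::LDAP settings would do after the OpenIDConnect login has succeeded, using the semantics the config comments describe (a lookup of (<UID>=<login>) below BaseDN, where the login is the value of the claim named in AuthModule::OpenIDConnect::UID, and the three UserSyncMap value forms). The directory contents, DNs and logins are constructed; the exact filter shape, the case-insensitive mail match and the stripping of the leading underscore for fixed strings are assumptions about the module, so confirm them against Kernel/System/Auth/Sync/LDAP.pm before relying on them.

```python
"""Offline model of the LDAP sync step that follows an OpenIDConnect login.

Added example, not OTOBO code. Assumed semantics (from the posted config comments):
  * the sync backend searches (<UID>=<login>) below BaseDN; <login> is the value of the
    OIDC claim named in AuthModule::OpenIDConnect::UID ('email'), <UID> is
    AuthSyncModule::LDAP::UID ('mail');
  * a UserSyncMap value is a list (first attribute present wins), an attribute name
    (empty string if absent) or a fixed string prefixed with '_'.
All DNs, attribute values and logins below are constructed for the example.
"""

# RFC 4515 escaping for values interpolated into a search filter. The login comes from
# the identity provider's id_token, so it is treated as untrusted input rather than
# pasted into the filter verbatim.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def lookup_filter(uid_attr: str, login: str, always_filter: str = "") -> str:
    """Filter the sync backend is assumed to send; AlwaysFilter, if set, is ANDed in."""
    base = f"({uid_attr}={escape_filter_value(login)})"
    return f"(&{base}{always_filter})" if always_filter else base


# Constructed directory: DN -> multi-valued attributes, mirroring the posted BaseDN layout.
BASE_DN = "ou=Accounts,ou=Tier10,ou=Accounts,ou=example,dc=example,dc=de"
DIRECTORY = {
    "cn=Jane Doe," + BASE_DN: {
        "objectclass": ["user"],
        "mail": ["Jane.Doe@example.de"],
        "givenName": ["Jane"],
        "sn": ["Doe"],
        "telephonenumber": ["+49 30 1234567"],
        # no streetaddress attribute: UserAddress must come out empty, not fail
    },
    # Technical account under ou=Tier01, i.e. outside the configured BaseDN subtree.
    "cn=Svc Account,ou=TechnicalAccounts,ou=Tier01,ou=Accounts,ou=example,dc=example,dc=de": {
        "objectclass": ["user"],
        "mail": ["svc@example.de"],
    },
}


def find_entry(login: str, uid_attr: str = "mail", base_dn: str = BASE_DN):
    """Return the single entry below base_dn whose uid_attr equals login, else None.

    mail is compared case-insensitively (assumption: caseIgnore matching on the server).
    An entry outside BaseDN is never returned, which is the first thing to verify when
    the sync silently changes nothing.
    """
    hits = [
        attrs for dn, attrs in DIRECTORY.items()
        if dn.lower().endswith("," + base_dn.lower())
        and any(v.lower() == login.lower() for v in attrs.get(uid_attr, []))
    ]
    return hits[0] if len(hits) == 1 else None


def resolve_sync_map(entry: dict, sync_map: dict) -> dict:
    """Apply the UserSyncMap rules to one LDAP entry; returns DB field -> value."""
    synced = {}
    for db_field, spec in sync_map.items():
        value = ""
        for candidate in spec if isinstance(spec, list) else [spec]:
            if candidate.startswith("_"):            # fixed string (assumed: underscore stripped)
                value = candidate[1:]
                break
            value = (entry.get(candidate) or [""])[0]  # missing attribute -> ""
            if value:                                # first non-empty attribute wins
                break
        synced[db_field] = value
    return synced


USER_SYNC_MAP = {
    "UserFirstname": "givenName",
    "UserLastname": "sn",
    "UserEmail": "mail",
    "UserPhone": "telephonenumber",
    "UserAddress": "streetaddress",
}


def sync_agent(login: str, sync_map: dict = USER_SYNC_MAP):
    """What the sync step would write for the agent identified by the OIDC email claim."""
    entry = find_entry(login)
    return None if entry is None else resolve_sync_map(entry, sync_map)


if __name__ == "__main__":
    print(lookup_filter("mail", "jane.doe@example.de", "(objectclass=user)"))
    print(sync_agent("jane.doe@example.de"))
    print(sync_agent("svc@example.de"))  # outside BaseDN -> None, no error raised
```

The filter string from lookup_filter is also what you can hand to ldapsearch (bound as SearchUserDN with -D/-W, search base -b set to the posted BaseDN) to confirm the agent's entry is found in that subtree and carries telephonenumber; the second sample account, which sits under ou=Tier01 rather than the configured ou=Tier10 BaseDN, shows how a correctly working lookup simply returns nothing when the entry lies outside the subtree.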