Our environment is as such: all Google accounts are behind OneLogin for SSO for Google (except a test OU which uses Google creds).

I have osTicket set up for OAuth with Google for SSO (works on my test account which utilizes Google creds). I run into issues when I put that test account in an OU that falls behind OneLogin for creds.

What happens is I go to osTicket->login->authenticate with Google->type in Google account->redirects me to OneLogin->enter OneLogin creds (same as Google for the test account)->OneLogin redirects me to an Access Denied page. If I go back to osTicket it goes through that same loop (the account is not authenticated).

Anyone have any insight into how I can get OAuth to work when a Google account is behind another platform for SSO?

  • KevinTheJedi replied to this.

    phyxiis

    Can you try to configure SSO for OneLogin instead of Google? What does the URL look like when it redirects back?

    Cheers.

      KevinTheJedi we don't use Microsoft (if you're referring to MS365). I've tried looking at the "Other OAuth2" option but there are some values that osTicket requires which OneLogin doesn't offer. I'll try to look at it again and post the values that don't exist in OneLogin but are required in osTicket.

        I believe OneLogin only has the OpenID (which is OAuth2). I'm not a developer so figuring out the scopes portion seems daunting lol. Trying to configure things and test.

        So I think I have it configured, but when I click on "Sign in with OneLogin" it takes me to OneLogin, I authenticate, then it redirects me back to the osTicket homepage (or the login page) and the "Sign in" doesn't change to my name. OneLogin has a successful "oidc get code" (whatever that means). The test user does show successful login from the OneLogin side.

        It seems the osTicket side isn't reflecting the successful authentication?

        Sometimes I think IT people figure things out by clicking buttons in certain combinations lol. In OneLogin I changed to "POST" instead of "Basic" for the Token Endpoint/Authentication Method and it logged me in lol.
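
The setting changed in the last post controls how the OAuth2 client presents its secret when it exchanges the authorization code at the token endpoint. The sketch below is an added example, not code from this thread, osTicket or OneLogin: it builds the same code exchange both ways and runs it against a toy IdP check, showing why a mismatch fails even though the code was already issued. It assumes "Basic" and "POST" correspond to the standard `client_secret_basic` and `client_secret_post` methods; every value is constructed and the callback URL is hypothetical.

```python
import base64
from urllib.parse import quote_plus, urlencode, parse_qs

# Constructed sample values (not from the thread).
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example/secret+value"
CODE = "constructed-auth-code"
REDIRECT_URI = "https://helpdesk.example.test/callback"  # hypothetical


def build_token_request(auth_method):
    """Return (headers, body) for the authorization-code exchange."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": CODE,
            "redirect_uri": REDIRECT_URI}
    if auth_method == "client_secret_basic":
        # RFC 6749 2.3.1: form-encode id and secret, then Basic-encode.
        pair = f"{quote_plus(CLIENT_ID)}:{quote_plus(CLIENT_SECRET)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif auth_method == "client_secret_post":
        # Credentials travel as form fields in the request body instead.
        form["client_id"] = CLIENT_ID
        form["client_secret"] = CLIENT_SECRET
    else:
        raise ValueError(f"unsupported method: {auth_method}")
    return headers, urlencode(form)


def presented_method(headers, body):
    """Classify how a token request authenticated the client."""
    in_header = headers.get("Authorization", "").startswith("Basic ")
    in_body = "client_secret" in parse_qs(body)
    if in_header and in_body:
        return "both"  # RFC 6749 forbids more than one method per request
    if in_header:
        return "client_secret_basic"
    return "client_secret_post" if in_body else "none"


def idp_accepts(registered_method, headers, body):
    """Toy IdP check: only the method registered for the app is accepted."""
    return presented_method(headers, body) == registered_method


if __name__ == "__main__":
    for registered in ("client_secret_basic", "client_secret_post"):
        for sent in ("client_secret_basic", "client_secret_post"):
            ok = idp_accepts(registered, *build_token_request(sent))
            print(f"IdP expects {registered:20} client sends {sent:20} -> "
                  f"{'token issued' if ok else 'invalid_client'}")
```

When troubleshooting a login that succeeds at the IdP but never produces a session in the application, the token endpoint's response to this exchange is the place to look.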
