OAuth - filter users - osTicket Forum

OAuth - filter users

alepensato

Hello,
I am testing the OAuth access method, actually with GSuite, but I cand find a method to restrict che access to osticket only to some users and not to all ones that are registered into the authentication server.

For example, I have 100 registered users in GSuite/Microsoft, and 50 are emploied to one city and others 50 in another city. So, I want to grant access to osticket only to users that works in the City1.
It is possible do this? In which way can I reach this goal?
Regards

KevinTheJedi

alepensato

At this time you can only restrict at the IdP (Identity Provider) level (if they allow it). osTicket doesn’t care, it simply directs the user/agent to the IdP and gets a response back saying if they are authenticated or not.

Cheers.

alepensato

Ok this a big problem for me, that make this solution unusable.
And OSTicket does not take care if the user registration is private or public. If an user have the "OK" from the IdP it it selfregisterd in OSTicket user

KevinTheJedi

alepensato

Yes, as they are considered pre-authorized users. For google, apparently you can restrict the App to a specific Organizational Unit (according to a random comment on StackOverflow).

Google also has a parameter called hd that can restrict to a domain and we might implement this in the future. However, even this parameter is limited to either a single domain or an asterisk (what it uses currently). In theory though you could configure a separate plugin instance for each allowed domain.

Other than that, if you have complaints I’d recommend making a feature request with google to expand their filtering options for OAuth2.

Cheers.

alepensato

I used My GSuite just for test the system but I have to use Office365 were I do not have access as Administrator

KevinTheJedi

alepensato

Then contact your admin..?

Cheers.

alepensato

KevinTheJedi
This is not easy. Another "problem" is that I loaded end ordered users from the LDAP source were I mapped the employeeID and Department.
With OAuth I think that this work will be lost

KevinTheJedi

alepensato

I apologize but I am not following what you mean here.

Cheers.

alepensato

before use OAuth.... I used the LDAP plugin with a PRIVATE user registration.
Instead of add manually users, I imported they and added some information like department and employeeID

KevinTheJedi

alepensato

Even with LDAP if they exist in the OU they will be authenticated and auto-registered even if the Registration is set to Private.

If you manually import users from LDAP you can do the same with OAuth2.

Cheers.

alepensato

KevinTheJedi
No, because with OAuth you told that user registation is automatic, but I do non want that all users that have a valid Oauth account can be login into osticket

KevinTheJedi

alepensato

For google sso you can make the project internal and make sure it’s under a specific organization. At that point only those users under the org should be able to authenticate.

If you have multiple organizations you would create multiple projects inside the google cloud console respective for each org and create a new plugin instance for each org/project.

The same goes for Microsoft but you would make the app single tenant under the correct tenant so only the users under the tenant can authenticate or make the app require assignment and then assign specific users to the app:

https://learn.microsoft.com/en-us/entra/identity-platform/howto-restrict-your-app-to-a-set-of-users

Cheers.