Hi guys,

I have just upgraded to the latest version 1.9.6 of osTicket. LDAP is working well and I would like to implement SSO, so that a user/agent does not need to continuously log in with username and password. Could anyone explain to me how to implement SSO? Any advice or steps provided would be greatly appreciated. Thank you.

Take a look at the following discussion ;) http://forum.osticket.com/d/discussion//http-passthru#latest

8 days later

@[deleted] Thanks for the reply. I have followed the steps provided in the link given to implement SSO. I have even tried the little index.html at the root dir of the webserver, so that the user does not need to click on the Sign In link. It works fine as a user: the user is directed to index.php without clicking on the Sign In link once the user opens osTicket in the browser. So, my question is: can I have the situation where the agent opens osTicket in the browser and is automatically directed to /scp, just like the user is directed to index.php without clicking on the Sign In link?

```html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>osTicket @ YOUR COMPANY</title>
</head>
<body>
<!-- Load osticket/login.php in background (silent login) -->
<!-- Redirect to osticket/index.php afterwards -->
<script type="text/javascript">
window.onload = function() {
    var login = new XMLHttpRequest();
    // Placeholder: condition to verify as an agent - how to check if the user is an agent?
    var isAgent = false;
    if (isAgent) {
        login.open('GET', 'osticket/scp/login.php', false);
        login.send(null);
        location.href = 'osticket/scp';
    } else {
        login.open('GET', 'osticket/login.php', false);
        login.send(null);
        location.href = 'osticket/index.php';
    }
};
</script>
<!-- In case redirection fails, show instructions for users -->
<h1>Welcome to the Support Center</h1>
<h2>Signing you in, so please wait a few seconds...<br><br>You will be redirected automatically...</h2>
<h3>In case redirect does not work:<br><br><a href="osticket/index.php">Support Center</a></h3>
</body>
</html>
```

Really good idea! I guess this requires something like a list, e.g. a text file with the agent names or a (read-only) connection to the osTicket database to check if the user is an agent, but I think it would definitely work. So this would be the point I'd start from, but I don't have a clue at the moment how to realize it in detail and unfortunately no time to look further into this. So when you find an easy way to achieve it, let us/me know. I'll hopefully have some time next week to further improve our little login script.

@[deleted]

Yes. You are right! I had the same thought as you. But I have one question: how can I get the user account that was given by the webserver, so that I can check the user account against the osTicket database to see whether the user is a staff member or a client?

I guess you get it via the HTTP_REMOTE_USER or HTTP_USER variables of the web server - I need to look into that myself, I don't know if I remember that correctly. Besides, there is one more case which should be handled: an agent and a user account registered with the same account details (name, mail). We have this here since we have different departments and then open tickets as end users. So there is a third case - agent + end user. I personally would handle that third case by asking (e.g. a popup window) or displaying two buttons (scp / end user portal), so the user / agent can select whether to go to the scp or to the end user portal. Cool would be something like a timeout (e.g. 5 seconds) after which it goes to the scp automatically in that case, and if the agent hits a button or so, it goes to the end user portal instead.

6 days later

@[deleted]

Spent some time today to improve it and got it already working, but it's still quick and dirty - hopefully I find the time tomorrow too, to make it a bit nicer and then post the updated version here (^_^)

Cheers,

Michael

```php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>osTicket @ Your Company</title>
</head>
<body>
<!-- In case redirection fails, show instructions for users -->
<h1>Welcome to the Support Center</h1>
<h2>Signing you in, please wait a few seconds.<br>You will be redirected automatically...</h2><br><br>
<h1>In case redirect does not work:<br></h1>
<h1><a href="osticket/index.php">Support Center</a></h1>
<?php
// Assume user is not an agent until the lookup says otherwise
$is_agent = 0;

// Get username from webserver using REMOTE_USER
// Separate username and domain - method: split after @ symbol
$usernameATdomain = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';
$ATposition = strpos($usernameATdomain, "@");
$username = substr($usernameATdomain, 0, $ATposition);

// Alternative method:
// Separate username and domain - method: using domain array
//$domain = array('@DOMAIN.COM' => '');
//$username = $_SERVER['REMOTE_USER'];
//$username = strtr($username, $domain);

// Make sure username has a value before querying database
if (!empty($username))
{
    // MySQL connection settings - readonly account recommended:
    // CREATE USER 'osticket-readonly'@'localhost' IDENTIFIED BY 'PASSWORD';
    // GRANT SELECT (username) ON osticket.ost_staff TO 'osticket-readonly'@'localhost';
    define('DBHOST', 'localhost');
    define('DBNAME', 'osticket');
    define('DBUSER', 'osticket-readonly');
    define('DBPASS', 'PASSWORD');

    // Connect to database
    $mysqli = new mysqli(DBHOST, DBUSER, DBPASS, DBNAME);

    // Check for connection errors
    if (!$mysqli->connect_errno)
    {
        // Query ost_staff table for REMOTE_USER username.
        // Prepared statement: the username is bound as a parameter, never concatenated into the SQL
        $stmt = $mysqli->prepare("SELECT username FROM ost_staff WHERE username = ?");
        if ($stmt)
        {
            $stmt->bind_param('s', $username);
            $stmt->execute();
            $stmt->store_result();
            $is_agent = $stmt->num_rows;
            $stmt->close();
        }
        $mysqli->close();
    }
}
?>
<!-- Load login.php in background for silent login -->
<script type="text/javascript">
window.onload = function() {
    var login = new XMLHttpRequest();
    login.open('GET', 'osticket/login.php', false);
    login.send(null);
};
</script>
<?php
// Username found in the ost_staff table?
// YES --> 1 --> Agent --> Redirect to scp after timeout
// NO --> 0 --> User --> Redirect to end user portal
if ($is_agent == 1)
{
?>
<!-- Redirect to scp after timeout, 1000 = 1 second -->
<script type="text/javascript">
setTimeout(function() { location.href = "osticket/scp/"; }, 5000);
</script>
<?php
}
else
{
?>
<!-- Redirect to end user portal -->
<script type="text/javascript">
location.href = "osticket/open.php";
</script>
<?php
}
?>
</body>
</html>
```

Make sure you save it as index.php and include it in the kerberos / sso config of the web server (if not already) otherwise an error message will appear since REMOTE_USER won't have a value then.

@[deleted]

Thank you so much for your big help. I really appreciate it.

It works well for me with the alternative method. The method is clear and understandable. The result is what I desired.

Thank you! =)

@[deleted] I have one confusion here. Why do we need to have this ( $username = strtr($username, $domain); ) instead of just getting the username from the server ( $username = $_SERVER['REMOTE_USER']; ) directly and comparing it with the database username?

@[deleted] Not sure if it's necessary for your environment, but in our environment it looks like this:

LDAP/SSO:
- First and last name of the user: John Doe
- Username: doe
- Domain: ourdomain.com

Web server:
- $_SERVER['REMOTE_USER']: doe@ourdomain.com

osTicket database:
- Username: doe

So because the webserver gives "username"@"domain" -> doe@ourdomain.com, but in osTicket as well as in LDAP the username and domain are separated, it's (at least in our environment) necessary to cut the domain part from the username (using the first or the alternative second, commented out, method), since otherwise the username given by $_SERVER['REMOTE_USER'] and the username from the osTicket database won't match. If this is not necessary in your environment you can comment out the 3 lines and add $username = $_SERVER['REMOTE_USER']; but to be sure, I would suggest simply adding the following to see how the usernames look: echo "Welcome " . $_SERVER['REMOTE_USER'];

@[deleted] Thanks a lot for the brief explanation!! I understand now. The improvement that you did on this is working very well. Thanks for sharing it with me =)

@[deleted] Updated the code a little bit to check if the username contains an @ symbol or not and if so, remove the @domain part, otherwise it will take the username as it is (without an @domain part), and if REMOTE_USER is empty it will set the username to an empty string. Marked the changed code with a color, so it's easier to see what I changed ;)

```php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>osTicket @ Your Company</title>
</head>
<body>
<!-- In case redirection fails, show instructions for users -->
<!-- REMOTE_USER is HTML-escaped before being written into the page -->
<h1>Welcome to the Support Center:<br><?php echo htmlspecialchars(isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '', ENT_QUOTES, 'UTF-8'); ?></h1><br>
<h2>Signing you in, please wait a few seconds.<br>You will be redirected automatically...</h2><br>
<h1>In case redirect does not work:<br><a href="osticket/index.php">Support Center</a></h1>
<?php
// Assume user is not an agent until the lookup says otherwise
$is_agent = 0;

// Make sure $_SERVER['REMOTE_USER'] has a value
if (!empty($_SERVER['REMOTE_USER']))
{
    // Get username from webserver using REMOTE_USER
    // Separate username and domain when necessary - method: split after @ symbol
    $usernameATdomain = $_SERVER['REMOTE_USER'];
    // Check whether the username has the @domain part
    if (preg_match('/@/', $usernameATdomain))
    {
        $ATposition = strpos($usernameATdomain, "@");
        $username = substr($usernameATdomain, 0, $ATposition);
    }
    // Assume username is already in the correct format
    else
    {
        $username = $usernameATdomain;
    }
}
// Set username to an empty string since it could not be retrieved correctly
else
{
    $username = '';
}

// Make sure username has a value before querying database
if (!empty($username))
{
    // MySQL connection settings - readonly account recommended:
    // CREATE USER 'osticket-readonly'@'localhost' IDENTIFIED BY 'PASSWORD';
    // GRANT SELECT (username) ON osticket.ost_staff TO 'osticket-readonly'@'localhost';
    define('DBHOST', 'localhost');
    define('DBNAME', 'osticket');
    define('DBUSER', 'osticket-readonly');
    define('DBPASS', 'PASSWORD');

    // Connect to database
    $mysqli = new mysqli(DBHOST, DBUSER, DBPASS, DBNAME);

    // Check for connection errors
    if (!$mysqli->connect_errno)
    {
        // Query ost_staff table for REMOTE_USER username.
        // Prepared statement: the username is bound as a parameter, never concatenated into the SQL
        $stmt = $mysqli->prepare("SELECT username FROM ost_staff WHERE username = ?");
        if ($stmt)
        {
            $stmt->bind_param('s', $username);
            $stmt->execute();
            $stmt->store_result();
            $is_agent = $stmt->num_rows;
            $stmt->close();
        }
        $mysqli->close();
    }
}
?>
<!-- Load login.php in background for silent login -->
<script type="text/javascript">
window.onload = function() {
    var login = new XMLHttpRequest();
    login.open('GET', 'osticket/login.php', false);
    login.send(null);
};
</script>
<?php
// Username found in the ost_staff table?
// YES --> 1 --> Agent --> Redirect to scp after timeout
// NO --> 0 --> User --> Redirect to end user portal
if ($is_agent == 1)
{
?>
<!-- Redirect to scp after timeout, 1000 = 1 second -->
<script type="text/javascript">
setTimeout(function() { location.href = "osticket/scp/"; }, 5000);
</script>
<?php
}
else
{
?>
<!-- Redirect to end user portal -->
<script type="text/javascript">
location.href = "osticket/open.php";
</script>
<?php
}
?>
</body>
</html>
```

@[deleted] Thank you so much for sharing here! Works very well :)
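The following is an added example and is not code from osTicket or from any post in this thread. It takes the landing-page idea above (read REMOTE_USER, look the name up, silently hit login.php, redirect) and also covers the third case raised earlier in the thread, an account that exists both as agent and as end user, with the suggested timeout-plus-choice behaviour. The assumptions are: the web server's Kerberos/SSO module sets $_SERVER['REMOTE_USER'] for this file (see the note about the SSO config above); osTicket is installed under /osticket/; the default table prefix ost_ is used, with agents in ost_staff.username and registered end users in ost_user_account.username; and a read-only MySQL account as in the thread. Names such as OST_BASE, sso_username and lookup_roles are this example's own.

```php
<?php
// Added example: hardened SSO landing page (save as index.php at the web root,
// covered by the same Kerberos/SSO config as osTicket). Not osTicket code.
// Assumptions: REMOTE_USER is set by the web server; osTicket lives under
// /osticket/; default table prefix "ost_" (agents: ost_staff.username,
// registered end users: ost_user_account.username); read-only DB account.
define('OST_BASE', '/osticket/');
define('DBHOST', 'localhost');
define('DBNAME', 'osticket');
define('DBUSER', 'osticket-readonly');
define('DBPASS', 'PASSWORD');
define('AGENT_TIMEOUT_MS', 5000); // agent + end user: go to /scp unless they choose otherwise

/**
 * Reduce the server-supplied identity to a bare osTicket username:
 * doe@OURDOMAIN.COM (Kerberos), OURDOMAIN\doe (NTLM/SSPI) and doe all give "doe".
 * Anything that is not a plain username is rejected ('' returned) rather than
 * being handed to the database or written into the page.
 */
function sso_username($remote_user) {
    $u = trim((string) $remote_user);
    if (($at = strpos($u, '@')) !== false) {
        $u = substr($u, 0, $at);
    }
    if (($bs = strrpos($u, '\\')) !== false) {
        $u = substr($u, $bs + 1);
    }
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $u) ? $u : '';
}

/** Prepared-statement lookup in both tables; returns array('agent' => bool, 'user' => bool). */
function lookup_roles(mysqli $db, $username) {
    $roles = array('agent' => false, 'user' => false);
    $tables = array('agent' => 'ost_staff', 'user' => 'ost_user_account'); // fixed, not user input
    foreach ($tables as $role => $table) {
        $stmt = $db->prepare("SELECT 1 FROM $table WHERE username = ? LIMIT 1");
        if (!$stmt) {
            continue; // table missing or no grant: treat as "not found"
        }
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $stmt->store_result();
        $roles[$role] = ($stmt->num_rows > 0);
        $stmt->close();
    }
    return $roles;
}

$username = sso_username(isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '');
$roles = array('agent' => false, 'user' => false);
if ($username !== '') {
    mysqli_report(MYSQLI_REPORT_OFF); // a DB failure must not break the page; fall back to the user portal
    $db = @new mysqli(DBHOST, DBUSER, DBPASS, DBNAME);
    if (!$db->connect_errno) {
        $roles = lookup_roles($db, $username);
        $db->close();
    }
}
$both = $roles['agent'] && $roles['user'];
// Same silent-login trick as the thread: fetch the matching login.php first, then redirect.
$login  = OST_BASE . ($roles['agent'] ? 'scp/login.php' : 'login.php');
$target = OST_BASE . ($roles['agent'] ? 'scp/' : 'open.php');
$safe_user = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>osTicket @ Your Company</title></head>
<body>
<h1>Welcome to the Support Center<?php if ($safe_user !== '') echo ', ' . $safe_user; ?></h1>
<?php if ($both): ?>
<p>You are registered as an agent and as an end user. The staff panel opens in
<?php echo (int) (AGENT_TIMEOUT_MS / 1000); ?> seconds, or choose:
<a href="<?php echo OST_BASE; ?>scp/">Staff panel</a> |
<a href="<?php echo OST_BASE; ?>login.php">End user portal</a></p>
<?php else: ?>
<p>Signing you in, please wait... If the redirect does not work:
<a href="<?php echo OST_BASE; ?>index.php">Support Center</a></p>
<?php endif; ?>
<script type="text/javascript">
// These values come from PHP constants and booleans, never from REMOTE_USER.
var loginUrl = <?php echo json_encode($login); ?>;
var target   = <?php echo json_encode($target); ?>;
var delay    = <?php echo $both ? (int) AGENT_TIMEOUT_MS : 0; ?>;
var xhr = new XMLHttpRequest();
xhr.open('GET', loginUrl, true);
// Redirect after the silent login completes (or fails: osTicket then shows its own login page).
xhr.onload = xhr.onerror = function () {
    setTimeout(function () { location.replace(target); }, delay);
};
xhr.send(null);
</script>
</body>
</html>
```

Two points worth keeping in mind with this variant. First, the read-only account now needs SELECT on the username column of both tables (GRANT SELECT (username) ON osticket.ost_user_account in addition to ost_staff), and nothing else. Second, everything here rests on REMOTE_USER being set by the web server only after it has authenticated the client; if this index.php is ever served outside the Kerberos/SSO-protected location, the variable is simply absent and the page falls back to the end user portal, which is the safe direction, but it must never be derived from a request header the client can set.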

a month later

Hi @[deleted], I have one question here. After implementing the SSO, I always receive an error email from the system about DB Error #1062 whenever a new user uses the system. The error is something related to the insertion of a duplicate entry of username. Is there any file that performs the insertion function more than once? Thank you.

Example:

Duplicate entry 'arockiax' for key 'username'
---- Backtrace ----
#0 (root)/include/mysqli.php(177): osTicket->logDBError('DB Error #1062', '[INSERT INTO os...')
#1 (root)/include/class.orm.php(223): db_query('INSERT INTO ost...')
#2 (root)/include/class.user.php(831): VerySimpleModel->save()
#3 (root)/include/class.auth.php(111): UserAccountModel->confirm()
#4 (root)/login.php(114): ClientCreateRequest->attemptAutoRegister()
#5 {main}

Hi @[deleted],

never experienced this at our installation and I am also not aware of any function that does registration more than once.

Michael

a year later

The only area of osTicket which I recall (it's been a while now) is email. I believe when a user emails in to create a ticket there is a check of sorts against the DB for username etc., and if I recall, that check is separate from the check used directly on the login page. I could be wrong, but for some reason I have that as a potential target to look at for this issue.
