roopa
Hi ntozier
I have updated osTicket to the latest version.
For the SSO implementation, I have written a script:
- Fetch "Employee Code" and "Employee username" from the request URL.
- Created a new table in the database, sso_login_user, where all the user details are stored.
- Check if the user is allowed for SSO login.
- If yes, then fetch the user email and user name from the sso_login_user table.
- Check whether the user email exists in the user_email table.
  a) If no, then insert data into the "user" and "user_email" tables, and
     insert the user details into "user_account" (employee code as "username" and Passwd::hash($employee_code.$bytes) as "password").
  b) If yes:
     Update the "user" table's updated column with the latest timestamp.
     Update the "user_account" table's passwd and registered columns with Passwd::hash($employee_code.$bytes) as "password" and the latest timestamp.
- Then I set the username and passwd as:
    $username = $emp_code;
    $passwd = $emp_code.$bytes;
Updated login.php is as :
<?php
require_once('client.inc.php');
if(!defined('INCLUDE_DIR')) die('Fatal Error');
define('CLIENTINC_DIR',INCLUDE_DIR.'client/');
define('OSTCLIENTINC',TRUE); //make includes happy
require_once(INCLUDE_DIR.'class.client.php');
require_once(INCLUDE_DIR.'class.ticket.php');

if ($cfg->getClientRegistrationMode() == 'disabled'
        || isset($_POST['lticket']))
    $inc = 'accesslink.inc.php';
else
    $inc = 'login.inc.php';

$suggest_pwreset = false;

// Check the CSRF token, and ensure that future requests will have to use a
// different CSRF token. This will help ward off both parallel and serial
// brute force attacks, because new tokens will have to be requested for
// each attempt.
if ($_POST) {
    // Check CSRF token
    if (!$ost->checkCSRFToken())
        Http::response(400, __('Valid CSRF Token Required'));

    // Rotate the CSRF token (original cannot be reused)
    $ost->getCSRF()->rotate();
}

// Check if the user is coming from the portal for single sign-on.
// singleSignOn.php sets $username and $passwd from the request URL
// parameters; they are then fed into the normal login handling below.
if (isset($_GET['e']) && !empty($_GET['c'])) {
    include_once 'singleSignOn.php';
    $_POST['luser'] = $username;
    $_POST['lpasswd'] = $passwd;
}

if ($_POST && isset($_POST['luser'])) {
    if (!$_POST['luser'])
        $errors['err'] = __('Valid username or email address is required');
    elseif (($user = UserAuthenticationBackend::process($_POST['luser'],
            $_POST['lpasswd'], $errors))) {
        if ($user instanceof ClientCreateRequest) {
            if ($cfg && $cfg->isClientRegistrationEnabled()) {
                // Attempt to automatically register
                if ($user->attemptAutoRegister())
                    Http::redirect('tickets.php');

                // Auto-registration failed. Show the user the info we have
                $inc = 'register.inc.php';
                $user_form = UserForm::getUserForm()->getForm($user->getInfo());
            }
            else {
                $errors['err'] = __('Access Denied. Contact your help desk administrator to have an account registered for you');
                // fall through to show login page again
            }
        }
        else {
            Http::redirect($_SESSION['_client']['auth']['dest']
                ?: 'tickets.php');
        }
    } elseif (!$errors['err']) {
        $errors['err'] = sprintf('%s - %s', __('Invalid username or password'), __('Please try again!'));
    }
    $suggest_pwreset = true;
}
elseif ($_POST && isset($_POST['lticket'])) {
    if (!Validator::is_email($_POST['lemail']))
        $errors['err'] = __('Valid email address and ticket number required');
    elseif (($user = UserAuthenticationBackend::process($_POST['lemail'],
            $_POST['lticket'], $errors))) {
        // If email address verification is not required, then provide
        // immediate access to the ticket!
        if (!$cfg->isClientEmailVerificationRequired())
            Http::redirect('tickets.php');

        // This will succeed as it is checked in the authentication backend
        $ticket = Ticket::lookupByNumber($_POST['lticket'], $_POST['lemail']);

        // We're using authentication backend so we can guard against brute
        // force attempts (which doesn't buy much since the link is emailed)
        $ticket->sendAccessLink($user);
        $msg = sprintf(__("%s - access link sent to your email!"),
            Format::htmlchars($user->getName()->getFirst()));
        $_POST = null;
    } elseif (!$errors['err']) {
        $errors['err'] = sprintf('%s - %s', __('Invalid email or ticket number'), __('Please try again!'));
    }
}
elseif (isset($_GET['do'])) {
    switch($_GET['do']) {
    case 'ext':
        // Lookup external backend
        if ($bk = UserAuthenticationBackend::getBackend($_GET['bk']))
            $bk->triggerAuth();
    }
}
elseif ($user = UserAuthenticationBackend::processSignOn($errors, false)) {
    // Users from the ticket access link
    if ($user && $user instanceof TicketUser && $user->getTicketId())
        Http::redirect('tickets.php?id='.$user->getTicketId());
    // Users imported from an external auth backend
    elseif ($user instanceof ClientCreateRequest) {
        if ($cfg && $cfg->isClientRegistrationEnabled()) {
            // Attempt to automatically register
            if ($user->attemptAutoRegister())
                Http::redirect('tickets.php');

            // Unable to auto-register. Fill in what we have and let the
            // user complete the info
            $inc = 'register.inc.php';
        }
        else {
            $errors['err'] = __('Access Denied. Contact your help desk administrator to have an account registered for you');
            // fall through to show login page again
        }
    }
    elseif ($user instanceof AuthenticatedUser) {
        Http::redirect($_SESSION['_client']['auth']['dest']
            ?: 'tickets.php');
    }
}

if (!$nav) {
    $nav = new UserNav();
    $nav->setActiveNav('status');
}

// Browsers shouldn't suggest saving that username/password
Http::response(422);

require CLIENTINC_DIR.'header.inc.php';
require CLIENTINC_DIR.$inc;
require CLIENTINC_DIR.'footer.inc.php';
?>
Now when I hit the URL from the other portal it moves to the osTicket portal but gives an "Access Denied" message,
even though the "Username", "Profile" and "Sign out" options are clearly visible in the menu.
So why is it giving the Access Denied message?
Any other variable that needs to be initialised/set?
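As an added illustration of the provisioning procedure described in the post (not the poster's singleSignOn.php and not osTicket's own code), here is the "check user_email, then insert or update user / user_email / user_account" step written as one function. It uses PDO with prepared statements inside a single transaction against an in-memory SQLite database so it runs stand-alone. The table names come from the post; the column names, the simplified schema, the `$bytes` value and the use of PHP's password_hash() in place of osTicket's Passwd::hash() are all assumptions made for the example.

```php
<?php
// Added example (not from osTicket or the poster's script): the insert-or-update
// provisioning step from the post, done with prepared statements in one
// transaction. Schema and column names below are assumed, not osTicket's.

function createSchema(PDO $db): void {
    // Minimal constructed schema mirroring the three tables named in the post
    $db->exec("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, created TEXT, updated TEXT)");
    $db->exec("CREATE TABLE user_email (id INTEGER PRIMARY KEY, user_id INTEGER, address TEXT UNIQUE)");
    $db->exec("CREATE TABLE user_account (id INTEGER PRIMARY KEY, user_id INTEGER, username TEXT UNIQUE, passwd TEXT, registered TEXT)");
}

// Returns the user id that the SSO employee now maps to.
function provisionSsoUser(PDO $db, string $empCode, string $name, string $email, string $bytes): int {
    $now = date('Y-m-d H:i:s');
    // Same construction as in the post: password = hash(employee code . $bytes).
    // password_hash() stands in for osTicket's Passwd::hash() here.
    $hash = password_hash($empCode . $bytes, PASSWORD_DEFAULT);

    $db->beginTransaction();
    try {
        // Does this email already belong to a user?
        $stmt = $db->prepare("SELECT user_id FROM user_email WHERE address = :addr");
        $stmt->execute([':addr' => $email]);
        $userId = $stmt->fetchColumn();

        if ($userId === false) {
            // a) Email unknown: create the user, its email and its account row
            $db->prepare("INSERT INTO user (name, created, updated) VALUES (:n, :c, :u)")
               ->execute([':n' => $name, ':c' => $now, ':u' => $now]);
            $userId = (int)$db->lastInsertId();
            $db->prepare("INSERT INTO user_email (user_id, address) VALUES (:uid, :addr)")
               ->execute([':uid' => $userId, ':addr' => $email]);
            $db->prepare("INSERT INTO user_account (user_id, username, passwd, registered) VALUES (:uid, :un, :pw, :reg)")
               ->execute([':uid' => $userId, ':un' => $empCode, ':pw' => $hash, ':reg' => $now]);
        } else {
            // b) Email known: touch user.updated and refresh the account password
            $userId = (int)$userId;
            $db->prepare("UPDATE user SET updated = :u WHERE id = :uid")
               ->execute([':u' => $now, ':uid' => $userId]);
            $db->prepare("UPDATE user_account SET passwd = :pw, registered = :reg WHERE user_id = :uid")
               ->execute([':pw' => $hash, ':reg' => $now, ':uid' => $userId]);
        }
        $db->commit();
    } catch (Throwable $e) {
        // Any failure leaves no half-created user behind
        $db->rollBack();
        throw $e;
    }
    return $userId;
}

// Constructed sample run: the same employee arriving twice must map to one user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);
$bytes  = 'example-secret-bytes'; // placeholder for whatever $bytes is in the poster's script
$first  = provisionSsoUser($db, 'E1001', 'Example User', 'user@example.com', $bytes);
$second = provisionSsoUser($db, 'E1001', 'Example User', 'user@example.com', $bytes);
echo ($first === $second) ? "same user reused\n" : "unexpected new user\n";
echo "user rows: " . $db->query("SELECT COUNT(*) FROM user")->fetchColumn() . "\n";
```

Running it with a PHP build that has the pdo_sqlite extension prints "same user reused" and "user rows: 1". The transaction matters for the a) branch: if the user_account insert fails (for instance on the UNIQUE username), the user and user_email rows written just before it are rolled back rather than left as orphans that a later login attempt would then trip over.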
