Hey Peter, and for anyone else looking to get this working, I will share how I got this working. This took me a while so I’m hoping this helps save other people time in future.
This is working fine for me in RT 5.0.3 with Apache2 on Ubuntu 22.04 using Certbot for SSL and Postgresql for DB. Your mileage may vary.
First of all, there’s no need to use an RT extension to enable this, because RT supports the REMOTE_USER environment variable, and if you are using Apache2 for a web server, there are extensions that can setup OpenID Connect so that Apache2 will authenticate you against Azure AD using OAuth2.0 and pass through claim as the REMOTE_USER request-specific environment variable.
I didn’t find any direct documentation on how to do this, so I had to piece together bits. The REMOTE_USER documentation is pretty much aimed only at Active Directory / LDAP authentication.
Prerequisites
To start with, make sure that you install the apache2 mod auth_openidc. On Ubuntu, this is packaged as libapache2-mod-auth-openidc
sudo apt install libapache2-mod-auth-openidc
Then, enable the mod and restart apache2
sudo a2enmod auth_openidc
Make sure your RT is using SSL. I used Certbot for this, instructions:
sudo apt install python3-certbot python3-certbot-apache
sudo certbot
Follow the prompts to enable SSL for your RT virtualhost, then update the RT configuration to suit SSL.
vim /opt/rt5/etc/RT_SiteConfig.pm
Set( $WebPort, '443' );
Update your rt-mailgate configuration to suit (I use /etc/aliases):
rt: "|/opt/rt5/bin/rt-mailgate --queue general --action correspond --url https://<rturl.company.com.au>/"
rt-comment: "|/opt/rt5/bin/rt-mailgate --queue general --action comment --url https://<rturl.company.com.au>/"
Certbot will create a 2nd configuration in your /etc/apache2/sites-available/ directory with -le-ssl.conf appended to the file name. Your old configuration will be updated to redirect to SSL and the new configuration will have the SSL configuration in it. Certbot will create a cron entry to renew your certificate automatically.
Restart apache2 and make sure RT is working, test submitting ticket via email, etc. If it’s working, continue, otherwise, troubleshoot.
Setup Azure AD
Authenticating against your Azure AD is fairly straight-forward, but requires that you know a few things.
We’ll go over how to get the information you need here.
- tenant-id Your tenant_id can be found in your Azure Portal AD Settings Page. It will be referred to as the Directory ID
- client-id Your app_id. This you get when you create a new App in the Azure Portal. We will need this in module configuration as OIDCClientID
- client-secret Your app’s client_secret. You’ll get this when you go through setting up the rest of the newly registered App you just created. It will be referred to as the OIDCClientSecret in our module configuration.
- random-passphrase The some_custom_passphrase should be something you generate that’s lengthy and specific to your server. Generally, this is some 32-character long thing, like: ZasT5bgtwzA4RKcGPz68wvWVtBj8dzwV or some such.
- rturl.company.com.au Your RT URL.
Create new Application
- Login to the Azure AD portal
App registrations
- New application registration
- Choose any name that fits for your
- Choose the account type for your environment
- Reply URI
- Web
- The URI must match the OIDCRedirectUri you configure in mod_auth_openidc later
- I used https://<rturl.company.com.au>/login for this which works for me (replace rturl.company.com.au with your rt domain)
Hit button “Register”
- Application ID will be used as OIDCClientID in module configuration
- Directory (tenant) ID will be needed for your module configuration
Manage > Certificates & secrets
- New Client Secret
- Enter a description
- Choose a expiration duration
- Hit button “Add”
Copy that value (key) You will never see it again !!! This will be used as OIDCClientSecret in module configuration later
Manage > Token configuration
- Add optional claim
- Token Type: ID
- Select upn
Click button “Add”
- Confirm Turn on the Microsoft Graph profile permission (required for claims to appear in token).
Click button “Add”
Manage > Authentication
- Implicit grant and hybrid flows
- Check the box next to Access tokens (used for implicit flows)
- Check the box next to ID tokens (used for implicit and hybrid flows)
Click button “Save”
Apache configuration
This is my apache2 configuration, yours will differ somewhat, but this should get you started. You’ll need to replace the following throughout:
- tenant-id
- rturl.company.com.au
- client-id
- client-secret
- random-passphrase
cat /etc/apache2/sites-available/rt-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost <rturl.company.com.au>:443>
# OIDC settings
OIDCProviderMetadataURL https://sts.windows.net/<tenant-id>/.well-known/openid-configuration
OIDCRedirectURI https://<rturl.company.com.au>/login
OIDCClientID <client-id>
OIDCClientSecret <client-secret>
OIDCCryptoPassphrase <random-passphrase>
OIDCRemoteUserClaim upn
OIDCStateMaxNumberOfCookies 10 true # not sure if this is needed
# END OIDC settings
ErrorLog /opt/rt5/var/log/apache2.error
TransferLog /opt/rt5/var/log/apache2.access
LogLevel debug
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
LimitRequestFieldSize 32768
ServerName <rturl.company.com.au>
AddDefaultCharset UTF-8
ScriptAlias / /opt/rt5/sbin/rt-server.fcgi/
DocumentRoot "/opt/rt5/share/html"
<Location />
#OIDC Settings
SSLRequireSSL
SSLOptions +StdEnvVars
AuthType openid-connect
Require valid-user
AllowOverride Authconfig Limit
Order allow,deny
Allow from all
# End OIDC Settings
Options +ExecCGI
AddHandler fcgid-script fcgi
</Location>
<Location /REST/1.0/NoAuth/mail-gateway>
Require local
</Location>
SSLCertificateFile /etc/letsencrypt/live/<rturl.company.com.au>/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<rturl.company.com.au>/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Configure RT
First, you need to make sure to update your RT user that you are going to login with to use their email address as their user name. This tripped me up at first.
Next, create a new file, /opt/rt5/etc/RT_SiteConfig.d/SSO.conf:
Set($WebRemoteUserAuth, 1);
Set($WebFallbackToRTLogin, 1); # Not neccessary but I like this
Set($WebRemoteUserContinuous, 1); # also not neccessary, this is the default
Now, restart apache2 and you should be able to login with SSO to Azure AD!
sudo systemctl restart apache2
I’m not sure if this will work with multi-tenant so your customers can login to self-service using SSO, that’s what I’m going to test next.
Disclaimer: This is my configuration and it works okay for me. No guarantee that this will work for you. If you want me to consult in your implementation, please feel free to fill out the contact form on my website https://mawsontech.com.au .