Cookie-based auth works, but takes me to login page

RT Users
1

I’ve set up our RT installation to redirect non-authenticated users to
a page that authenticates them, sets a cookie and updates a database,
and then redirects them to the RT ‘home’ page.

After the redirect users are sent to the RT login page, but it looks
weird. Our logo is scaled to be very large, the screen color is wrong,
etc.

Anyhow, if they hit reload at the login page RT reloads and takes them
to their dashboard and displays everything properly.

How can I tell RT to take them directly to their dashboard instead
of displaying the Login page after successfully authenticating with
RT::Authen::ExternalAuth::DBI::Cookie?

Here’s what the logs show right before the login page is displayed:

[Fri Jan 24 08:31:14 2014] [debug]: ExternalInfoPriority not defined. User information (including user enabled/disabled cannot be externally-sourced (/usr/services/rt-4.0.16/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:162)
[Fri Jan 24 08:31:14 2014] [debug]: Attempting to use external auth service: My_SSO_Cookie (/usr/services/rt-4.0.16/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:213)
[Fri Jan 24 08:31:14 2014] [debug]: RT::Authen::ExternalAuth::DBI::GetCookieAuth Checking Browser Cookies for an Authenticated User (/usr/services/rt-4.0.16/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm:502)
[Fri Jan 24 08:31:14 2014] [debug]: Cookie Found :: rtauth (/usr/services/rt-4.0.16/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI/Cookie.pm:98)
[Fri Jan 24 08:31:14 2014] [debug]: User ( ------- ) was authenticated by a browser cookie (/usr/services/rt-4.0.16/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm:582)
[Fri Jan 24 08:31:14 2014] [debug]: Pass not going to be checked, attempting SSO (/usr/services/rt-4.0.16/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:234)
[Fri Jan 24 08:31:14 2014] [debug]: Password check bypassed due to SSO method being in use (/usr/services/rt-4.0.16/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:301)
[Fri Jan 24 08:31:14 2014] [debug]: Password Validation Check Result: 1 (/usr/services/rt-4.0.16/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:308)
[Fri Jan 24 08:31:14 2014] [debug]: Authentication successful. Now updating user information and attempting login. (/usr/services/rt-4.0.16/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:328)
[Fri Jan 24 08:31:14 2014] [info]: Successful login for ------- from 10.0.0.1 (/usr/services/rt-4.0.16/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:368)
[Fri Jan 24 08:31:14 2014] [debug]: Autohandler called ExternalAuth. Response: (1, Successful login) (/usr/services/rt-4.0.16/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:16)

Thanks for any tips,

Chris

tl;dr: Cookie-based auth takes me to a login page instead of a dashboard.
Reloading the login page displays the proper dashboard. How can I
just go directly to the dashboard?

2

Hi there, did anyone ever respond to this post off list? I am having a very
similar issue and am just wondering if there is a proper configuration guide
(or if someone could walk me through it or provide a working example) on how
to enable SSO to pass the external authentication cookie to RT and take the
user directly into their specific account within RT?

I did not see much detail at these links specific to “My_SSO_Cookie”:

This second link shows sort of an example that is somewhat useful
(immediately below) but I’m just wondering if anyone could provide an
example with some of the “default” values filled in here related to the RT
database/tables? I’m concerned with the second My_MySQL parameter and how
to populate that but I’m most concerned the cookie parameters c_table,
c_field, c_match_key … is this inferring that the RT database should have
this information or am I way off base?

Set($ExternalSettings, { # An example SSO cookie service ‘My_SSO_Cookie’ =>
{ ‘type’ => ‘cookie’, ‘name’ => ‘loginCookieValue’, ‘u_table’ => ‘users’,
‘u_field’ => ‘username’, ‘u_match_key’ => ‘userID’, ‘c_table’ =>
‘login_cookie’, ‘c_field’ => ‘loginCookieValue’, ‘c_match_key’ =>
‘loginCookieUserID’, ‘db_service_name’ => ‘My_MySQL’ }, ‘My_MySQL’ => { …
}, } );

I would be extremely grateful if someone were to show a redacted full
working example of this configuration!

Thank you much

View this message in context: http://requesttracker.8502.n7.nabble.com/Cookie-based-auth-works-but-takes-me-to-login-page-tp56394p61338.html

3

CAVEAT I’ve never used this module.

Hi there, did anyone ever respond to this post off list? I am having a very
similar issue and am just wondering if there is a proper configuration guide
(or if someone could walk me through it or provide a working example) on how
to enable SSO to pass the external authentication cookie to RT and take the
user directly into their specific account within RT?

I did not see much detail at these links specific to “My_SSO_Cookie”:

RT::Authen::ExternalAuth - RT Authentication using External Sources - metacpan.org
https://metacpan.org/pod/RT::Authen::ExternalAuth::DBI::Cookie

This second link shows sort of an example that is somewhat useful
(immediately below) but I’m just wondering if anyone could provide an
example with some of the “default” values filled in here related to the RT
database/tables? I’m concerned with the second My_MySQL parameter and how
to populate that

There is a link at the bottom of the
https://metacpan.org/pod/RT::Authen::ExternalAuth::DBI::Cookie docs.
I’ve pasted it below for convenience:

but I’m most concerned the cookie parameters c_table,

c_field, c_match_key … is this inferring that the RT database should have
this information or am I way off base?

From looking at the configs, I believe something other than RT is
giving the browser a cookie and placing that cookie value into a
database.

RT::Authen::ExternalAuth::DBI::Cookie is just the glue between RT and
that authenticating service.

-m

4

CAVEAT I’ve never used this module.

There is a link at the bottom of the
https://metacpan.org/pod/RT::Authen::ExternalAuth::DBI::Cookie docs.
I’ve pasted it below for convenience:

RT::Authen::ExternalAuth::DBI - External database source for RT authentication - metacpan.org

Thanks for the quick response- I did see that link and took a look, but I
was not certain I had to configure all of those details outlined at this
link you mentioned: RT::Authen::ExternalAuth::DBI - External database source for RT authentication - metacpan.org
since I’m only going to be using the “My_SSO_Cookie” ExternalAuth and not
really directly using the “My_MySQL” external auth other than as a result of
“My_SSO_Cookie” depending on it in at least some capacity it seems. Hope
that makes sense…I’m just trying to minimize my config to only use the
least possible to make “My_SSO_Cookie” work.

From looking at the configs, I believe something other than RT is
giving the browser a cookie and placing that cookie value into a
database.

RT::Authen::ExternalAuth::DBI::Cookie is just the glue between RT and
that authenticating service.

Yes, I did understand that much, but as far as I’m aware unless something
(Maybe “My_MySQL”??) writes these to a (RT’s?) database I don’t see how I
would be populating the c_table, c_field, c_match_key otherwise? My
external auth service is a SSO solution that sets a cookie in my browser and
I can view that cookie using Chromes Cookie Inspector extension but there is
no “database-like” structure to a/the cookie so I’m a bit confused by the
parameters sounding like they should be from a database?

Basically, I’m trying to discover the simplest way possible how do I get the
cookie from the browser passed on to RT where RT says

“I’ve checked the SSO cookie for User1 and User1 is already authenticated”
“I’ve now checked the RT database and User1 exists in the RT database”
“Now that I Know User1 exists I’m presenting his specific User1 RT session
and dashboard etc. etc.”
“User1 is now fully automatically logged into RT based on his SSO
authentication service cookie”

Any clarity surrounding how this is done or if anyone does this currently
and could shed some light on how to do this such as a working example config
or just with more detail than the docs provide would be extremely helpful
and I would be even more grateful!

Thanks again-

View this message in context: http://requesttracker.8502.n7.nabble.com/Cookie-based-auth-works-but-takes-me-to-login-page-tp56394p61340.html

5

Hi dwdixon,

I wish I could show you a concrete working example. I had this working
some time ago but abandoned it in favor of straight LDAP when we changed
intranets.

I believe you have it not quite correct when you speak of trying to get the
cookie from the browser to RT. Actually, it is the server side cookie you
need be concerned about.

The RT::Authen::ExternalAuth::DBI::Cookie provides a configuration for you
to reach into the database of another system to match existing cookies
against users.

Imagine you have, say, a WordPress intranet that is configured to store a
cookie each time a user logs in. As you probably know, that cookie is kept
for the duration of the session and obviates the need for the user to login
on each subsequent page visit. If you can configure said intranet (beyond
the scope of the RT documentation unfortunately) to store those cookies
into tables in, say, a MySQL database,
RT::Authen::ExternalAuth::DBI::Cookie can use the same database to lookup
those cookies and match them to a user in RT, thereby allowing the user to
login to RT without a password as well. You don’t need to write the
cookies to RT’s database, it will reach into the other database and look at
them.

I know I’m not getting you much further down the path but hopefully just a
bit helpful.

-JohnOn Wed, Feb 10, 2016 at 2:36 PM, dwdixon dwdixon@umich.edu wrote:

CAVEAT I’ve never used this module.

There is a link at the bottom of the
https://metacpan.org/pod/RT::Authen::ExternalAuth::DBI::Cookie docs.
I’ve pasted it below for convenience:

RT::Authen::ExternalAuth::DBI - External database source for RT authentication - metacpan.org

Thanks for the quick response- I did see that link and took a look, but I
was not certain I had to configure all of those details outlined at this
link you mentioned: RT::Authen::ExternalAuth::DBI - External database source for RT authentication - metacpan.org
since I’m only going to be using the “My_SSO_Cookie” ExternalAuth and not
really directly using the “My_MySQL” external auth other than as a result
of
“My_SSO_Cookie” depending on it in at least some capacity it seems. Hope
that makes sense…I’m just trying to minimize my config to only use the
least possible to make “My_SSO_Cookie” work.

From looking at the configs, I believe something other than RT is
giving the browser a cookie and placing that cookie value into a
database.

RT::Authen::ExternalAuth::DBI::Cookie is just the glue between RT and
that authenticating service.

Yes, I did understand that much, but as far as I’m aware unless something
(Maybe “My_MySQL”??) writes these to a (RT’s?) database I don’t see how I
would be populating the c_table, c_field, c_match_key otherwise? My
external auth service is a SSO solution that sets a cookie in my browser
and
I can view that cookie using Chromes Cookie Inspector extension but there
is
no “database-like” structure to a/the cookie so I’m a bit confused by the
parameters sounding like they should be from a database?

Basically, I’m trying to discover the simplest way possible how do I get
the
cookie from the browser passed on to RT where RT says

“I’ve checked the SSO cookie for User1 and User1 is already authenticated”
“I’ve now checked the RT database and User1 exists in the RT database”
“Now that I Know User1 exists I’m presenting his specific User1 RT session
and dashboard etc. etc.”
“User1 is now fully automatically logged into RT based on his SSO
authentication service cookie”

Any clarity surrounding how this is done or if anyone does this currently
and could shed some light on how to do this such as a working example
config
or just with more detail than the docs provide would be extremely helpful
and I would be even more grateful!

Thanks again-


View this message in context:
http://requesttracker.8502.n7.nabble.com/Cookie-based-auth-works-but-takes-me-to-login-page-tp56394p61340.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.

RT 4.4 and RTIR Training Sessions (
http://bestpractical.com/services/training.html)

  • Hamburg Germany March 14 & 15, 2016