I just had to configure RT with:
Set($WebExternalAuth, 1);
Set($WebFallbackToInternalAuth, 1);
Set($WebExternalAuto, 1);
so it uses the REMOTE_USER variable to log in.
I have three problems now:
- populating user info:
I think I can get some environment variables out of the SAML token with a
mod_mellon configuration like this:
MellonSetEnv "e-mail" "mail"
But then I don’t know how to populate this into RT.
Solution:
With code. Grep for REMOTE_USER in the RT source code and you'll find places
where you can inject code to extract the information mellon puts into ENV and
put it into RT's tables. As far as I recall, the remote user variable is
handled in one or two places.
No coding - use the ExternalAuth module to extract info. It can work this
way: info-extraction-only mode, without auth. Info is updated on login into
the UI.
No coding - use LDAPImport to bring in users' data. Info is updated as
often as you run the script.
- logout waits 1 second (default) and goes back to the login page, so I'm
authenticated again. I think I need to change the logout link in the code?
Yes. Very specific to setup, so there is no direct solution that works for
everybody.
- SSO is always used and I'd like a way to do a local login (with root, for
example, which is not in our user directory). I'm not sure how to do this
yet.
Host a second RT as a virtual host on a different URL without SSO. Only people
with passwords in RT's database would be able to use this interface.
Has anyone played with this and gone further than I did?
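For the "with code" option above, here is an added example (not from the thread and not RT's own code) of the hook RT already calls on autocreation, so nothing in Web.pm has to be patched. It assumes RT 4.x, where AttemptExternalAuth calls RT::Interface::Web::WebExternalAutoInfo($user) right after creating an account for a new REMOTE_USER and Web.pm loads a local/lib/RT/Interface/Web_Local.pm overlay, and it assumes the IdP also sends a cn attribute next to mail.

```perl
# local/lib/RT/Interface/Web_Local.pm  (assumed RT 4.x overlay path)
# Overrides the stock WebExternalAutoInfo, which only consults getpwnam().
# RT calls it once, when $WebExternalAuto creates the account for a new
# REMOTE_USER, and applies every writable attribute in the returned hash.
# It does not run on later logins, so attribute changes at the IdP need the
# ExternalAuth or LDAPImport route instead.
package RT::Interface::Web;
use strict;
use warnings;
no warnings 'redefine';

# mod_auth_mellon exports every MellonSetEnv name with a MELLON_ prefix:
#   MellonSetEnv "e-mail" "mail"  ->  $ENV{'MELLON_e-mail'}
#   MellonSetEnv "cn" "cn"        ->  $ENV{'MELLON_cn'}   (assumed mapping)
my %env_for = (
    EmailAddress => 'MELLON_e-mail',
    RealName     => 'MELLON_cn',
);

sub WebExternalAutoInfo {
    my $user = shift;
    my %info = ( Privileged => 1 );    # same default as stock RT

    for my $attr ( sort keys %env_for ) {
        my $val = $ENV{ $env_for{$attr} };
        next unless defined $val && length $val;
        $val =~ s/^\s+|\s+$//g;

        # The IdP is trusted for identity, not for well-formed data: a bogus
        # address would break RT's outgoing mail, so sanity-check it first.
        if ( $attr eq 'EmailAddress' && $val !~ /^[^\s@]+@[^\s@]+\.[^\s@]+$/ ) {
            $RT::Logger->warning("Ignoring malformed SAML mail '$val' for $user");
            next;
        }
        $info{$attr} = $val;
    }

    $RT::Logger->info( "Autocreating $user from SAML: "
            . join ', ', map {"$_=$info{$_}"} sort keys %info );
    return \%info;
}

1;
```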
- logout waits 1 second (default) and goes back to the login page, so I'm
authenticated again. I think I need to change the logout link in the
code?
Yes. Very specific to setup, so there is no direct solution that works
for everybody.
There’s a “Default” callback in NoAuth/Logout.html which you can use to
modify the URL redirected to. This lets you have RT redirect to the SSO
endpoint’s logout URL.
- SSO is always used and I'd like a way to do a local login (with
root, for example, which is not in our user directory). I'm not sure
how to do this yet.
Host a second RT as a virtual host on a different URL without SSO. Only
people with passwords in RT's database would be able to use this interface.
Alternatively you can tell Apache to “Satisfy any” and allow some local
users depending on their IP address. You may or may not be able to
configure mod_mellon to allow optional SSO auth.