RT and SSO with SAML

Hi,

The goal here is to have SSO on RT between a local user directory (AD) and
an RT instance installed in the amazon cloud.

I've set up mod_mellon ( https://code.google.com/p/modmellon/ ) with RT as a
relying party on AWS and it works well; I'm able to log in with SSO (the IdP
used on premise is ADFS).

I just had to configure RT with:
Set($WebExternalAuth , 1);
Set($WebFallbackToInternalAuth , 1);
Set($WebExternalAuto , 1);

so it uses the REMOTE_USER variable to log in.

I have three problems now:

  • populating user info:
    I think I can get some environment variables out of the SAML token with
    mod_mellon configuration like this:

MellonSetEnv "e-mail" "mail"

But then I don’t know how to populate this into RT.

  • logout waits 1 second (the default) and goes back to the login page, so I'm
    authenticated again. I think I need to change the logout link in the code?

  • SSO is always used and I'd like a way to do a local login (with root, for
    example, which is not in our user directory). I'm not sure how to do this
    yet.

Has anyone played with this and gone further than I did?

Thanks,
L.B.

Hi,

The goal here is to have SSO on RT between a local user directory (AD) and
an RT instance installed in the amazon cloud.

I've set up mod_mellon ( https://code.google.com/p/modmellon/ ) with RT as
a relying party on AWS and it works well; I'm able to log in with SSO (the IdP
used on premise is ADFS).

I just had to configure RT with:
Set($WebExternalAuth , 1);
Set($WebFallbackToInternalAuth , 1);
Set($WebExternalAuto , 1);

so it uses the REMOTE_USER variable to log in.

I have three problems now:

  • populating user info:
    I think I can get some environment variables out of the SAML token with
    mod_mellon configuration like this:

MellonSetEnv "e-mail" "mail"

But then I don’t know how to populate this into RT.

Solution:

  1. With code. Grep for REMOTE_USER in the RT source code and you'll find places
    where you can inject code to extract the information mellon puts into ENV and
    put it into RT's tables. As far as I recall, the remote user variable is
    handled in one or two places.

  2. No coding: use the ExternalAuth module to extract info. It can work this
    way, in info-extraction-only mode without auth. Info is updated on login into
    the UI.

  3. No coding: use LDAPImport to bring in users' data. Info is updated as
    often as you run the script.

  • logout waits 1 second (the default) and goes back to the login page, so I'm
    authenticated again. I think I need to change the logout link in the code?

Yes. Very specific to setup, so there is no direct solution that works for
everybody.

  • SSO is always used and I'd like a way to do a local login (with root, for
    example, which is not in our user directory). I'm not sure how to do this
    yet.

Host a second RT as a virtual host on a different URL without SSO. Only people
with passwords in RT's database would be able to use this interface.

Has anyone played with this and gone further than I did?

Thanks,

L.B.


RT Training in Seattle, June 19-20: http://bestpractical.com/training

Best regards, Ruslan.
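As an added illustration of Ruslan's first option (this is example code, not part of the thread or of RT itself), here is a Perl helper that reads the Mellon variables Apache exports and writes them to the RT user record through RT's own API, creating the user if RT has not seen that REMOTE_USER before. The RT install path, the MELLON_displayName mapping and the place you call it from (wherever RT handles REMOTE_USER) are assumptions.

```perl
# Hypothetical helper, to be called from wherever RT handles REMOTE_USER.
use strict;
use warnings;
use lib '/opt/rt4/lib';   # assumed RT install path
use RT;
use RT::User;

RT::LoadConfig();
RT::Init();

# Mellon environment variable -> RT::User field.
# MellonSetEnv "e-mail" "mail" exposes the SAML "mail" attribute as
# MELLON_e-mail; the displayName mapping is an assumed second attribute.
my %ATTR_MAP = (
    'MELLON_e-mail'      => 'EmailAddress',
    'MELLON_displayName' => 'RealName',
);

# Create or update the RT user named in REMOTE_USER from the Mellon
# variables. Returns (RT::User object, status) or (undef, error message).
sub sync_user_from_env {
    my ($env) = @_;
    my $name = $env->{REMOTE_USER} or return ( undef, 'no REMOTE_USER' );

    my $user = RT::User->new( RT->SystemUser );
    $user->Load($name);

    unless ( $user->Id ) {
        my ( $id, $msg ) = $user->Create(
            Name         => $name,
            EmailAddress => $env->{'MELLON_e-mail'},
            RealName     => $env->{'MELLON_displayName'},
            Privileged   => 1,
            Comments     => 'Auto-created from SAML attributes',
        );
        return ( undef, $msg ) unless $id;
        return ( $user, 'created' );
    }

    # Existing user: only write fields whose value actually changed,
    # so every SSO login does not produce a no-op update transaction.
    while ( my ( $var, $field ) = each %ATTR_MAP ) {
        my $new = $env->{$var};
        next unless defined $new && length $new;
        my $old = $user->$field;
        next if defined $old && $old eq $new;
        my $setter = "Set$field";
        my ( $ok, $msg ) = $user->$setter($new);
        RT->Logger->warning("SAML sync: $field for $name: $msg") unless $ok;
    }
    return ( $user, 'updated' );
}

my ( $u, $status ) = sync_user_from_env( \%ENV );
```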

- logout waits 1 second (the default) and goes back to the login page, so I'm
authenticated again. I think I need to change the logout link in the
code?

Yes. Very specific to setup, so there is no direct solution that works
for everybody.

There’s a “Default” callback in NoAuth/Logout.html which you can use to
modify the URL redirected to. This lets you have RT redirect to the SSO
endpoint’s logout URL.

- SSO is always used and I'd like a way to do a local login (with
root, for example, which is not in our user directory). I'm not sure
how to do this yet.

Host a second RT as a virtual host on a different URL without SSO. Only
people with passwords in RT's database would be able to use this interface.

Alternatively you can tell Apache to “Satisfy any” and allow some local
users depending on their IP address. You may or may not be able to
configure mod_mellon to allow optional SSO auth.