Integrating OpenID Connect in OTOBO (Agents and Customers)

With OpenID Connect (OIDC), both agents and customer users can be authenticated conveniently and securely in the OTOBO ticket system. User management is handled centrally via an external Identity Provider (IdP) such as Azure AD or Keycloak.

Prerequisites

  • OTOBO 11 or higher
  • OpenID Connect-compatible Identity Provider (Azure AD, Keycloak, Auth0, etc.)
  • Access to the Kernel/Config.pm file

Configuring Agent Login with OpenID Connect

The integration for agents is configured in Kernel/Config.pm.

Example Configuration

```perl
# Use the OpenID Connect backend for agent authentication
$Self->{AuthModule} = 'Kernel::System::Auth::OpenIDConnect';

# Client registration at the IdP (placeholders; use the values from your IdP)
$Self->{'AuthModule::OpenIDConnect::Config'}{ClientSettings} = {
    ClientID     => 'YOUR-AGENT-CLIENT-ID',
    ClientSecret => 'YOUR-AGENT-CLIENT-SECRET',
    RedirectURI  => 'https://your-domain.com/otobo/index.pl?Action=Login',
};

# Discovery document of the IdP; TTL is the cache lifetime in seconds
$Self->{'AuthModule::OpenIDConnect::Config'}{ProviderSettings} = {
    OpenIDConfiguration => 'https://your-provider.com/.well-known/openid-configuration',
    TTL                 => 1800,
};

# Authorization code flow, requesting the profile and email scopes in addition to openid
$Self->{'AuthModule::OpenIDConnect::AuthRequest'}->{ResponseType}    = ['code'];
$Self->{'AuthModule::OpenIDConnect::AuthRequest'}->{AdditionalScope} = [qw/profile email/];

# ID token claim used as the agent login name
$Self->{'AuthModule::OpenIDConnect::UID'} = 'email';

# Mapping of ID token claims to OTOBO agent fields
$Self->{'AuthModule::OpenIDConnect::UserMap'} = {
    email       => 'UserEmail',
    given_name  => 'UserFirstname',
    family_name => 'UserLastname',
};

# Optional mapping of groups/roles (claim name => { claim value => OTOBO role })
$Self->{'AuthModule::OpenIDConnect::RoleMap'} = {
    groups => {
        admins  => 'admin',
        support => 'support',
    },
};

# Debugging (temporary): writes the received ID token to the log; disable after testing
$Self->{'AuthModule::OpenIDConnect::Debug'}->{'LogIDToken'} = 1;
```

Configuring Customer User Login with OpenID Connect

Customer users can also be authenticated via OpenID Connect.

Example Configuration for Customer Users

```perl
# Use the OpenID Connect backend for customer user authentication
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::OpenIDConnect';

# Separate client registration for the customer portal (placeholders)
$Self->{'Customer::AuthModule::OpenIDConnect::Config'}{ClientSettings} = {
    ClientID     => 'YOUR-CUSTOMER-CLIENT-ID',
    ClientSecret => 'YOUR-CUSTOMER-CLIENT-SECRET',
    RedirectURI  => 'https://your-domain.com/otobo/customer.pl?Action=Login',
};

# Discovery document of the IdP; TTL is the cache lifetime in seconds
$Self->{'Customer::AuthModule::OpenIDConnect::Config'}{ProviderSettings} = {
    OpenIDConfiguration => 'https://your-provider.com/.well-known/openid-configuration',
    TTL                 => 1800,
};

# Authorization code flow with the profile and email scopes
$Self->{'Customer::AuthModule::OpenIDConnect::AuthRequest'}->{ResponseType}    = ['code'];
$Self->{'Customer::AuthModule::OpenIDConnect::AuthRequest'}->{AdditionalScope} = [qw/profile email/];

# ID token claim used as the customer user login name
$Self->{'Customer::AuthModule::OpenIDConnect::UID'} = 'email';

# Mapping of ID token claims to OTOBO customer user fields
$Self->{'Customer::AuthModule::OpenIDConnect::UserMap'} = {
    email       => 'UserEmail',
    given_name  => 'UserFirstname',
    family_name => 'UserLastname',
};

# Automatic customer user creation on first successful login
$Self->{'Customer::AuthModule::OpenIDConnect::AutoCreateUser'} = 1;

# Optional debugging: writes the received ID token to the log; disable after testing
$Self->{'Customer::AuthModule::OpenIDConnect::Debug'}->{'LogIDToken'} = 1;
```
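To make the UID, UserMap and RoleMap settings from the agent and customer configurations above concrete, here is an added Python illustration (written for this page, not OTOBO code) of the checks a relying party applies to decoded ID-token claims before trusting them, followed by the claim-to-field and group-to-role mapping. The constants mirror the placeholder values above; the discovery document and the claim sets are constructed, and signature verification against the IdP's JWKS is assumed to have already taken place.

```python
import time

# Mirrors of the config keys above (placeholder values, constructed for this example)
CLIENT_ID = "YOUR-AGENT-CLIENT-ID"
UID_CLAIM = "email"
USER_MAP = {"email": "UserEmail", "given_name": "UserFirstname", "family_name": "UserLastname"}
ROLE_MAP = {"groups": {"admins": "admin", "support": "support"}}

# Constructed stand-in for the cached .well-known/openid-configuration document
DISCOVERY = {"issuer": "https://your-provider.com"}


def map_id_token(claims, now=None):
    """Validate decoded (signature-verified) ID token claims and map them to OTOBO fields.

    Returns (user_fields, roles); raises ValueError when the token must be rejected.
    """
    now = time.time() if now is None else now
    # Issuer must equal the discovery document's issuer, the token must be addressed
    # to this client, and it must not be expired; a token failing any of these
    # carries no trustworthy identity, whatever its other claims say.
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # The UID claim becomes the login name; without it there is no user to map.
    if not claims.get(UID_CLAIM):
        raise ValueError(f"missing {UID_CLAIM} claim")
    user = {field: claims[claim] for claim, field in USER_MAP.items() if claim in claims}
    user["UserLogin"] = claims[UID_CLAIM]
    # Group values the RoleMap does not list grant nothing (allow-list, not pass-through)
    roles = []
    for claim, mapping in ROLE_MAP.items():
        groups = claims.get(claim, [])
        roles += [mapping[g] for g in (groups if isinstance(groups, list) else [groups]) if g in mapping]
    return user, roles


# Constructed sample claim set as an IdP might issue after the consent step
SAMPLE_CLAIMS = {
    "iss": "https://your-provider.com", "aud": "YOUR-AGENT-CLIENT-ID", "exp": 2000,
    "email": "ann.lee@example.com", "given_name": "Ann", "family_name": "Lee",
    "groups": ["admins", "sales"],
}

if __name__ == "__main__":
    print(map_id_token(SAMPLE_CLAIMS, now=1000))
```

With the sample claims the function yields the three mapped fields plus `UserLogin`, and only the `admin` role, because `sales` is not in the RoleMap.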

Optimal Azure AD Configuration (Example)

  1. Register a new app in Azure Active Directory
  2. Add permissions for "openid", "profile", and "email"
  3. Set Redirect URIs:
     • Agents: https://your-domain.com/otobo/index.pl?Action=Login
     • Customers: https://your-domain.com/otobo/customer.pl?Action=Login
  4. Configure claims (given_name, family_name) under "Token Configuration"

Testing the Login

After saving the configuration and restarting the web server, agents and customer users are authenticated via your external IdP. New users are created automatically in OTOBO when automatic user creation (AutoCreateUser) is enabled.

Advantages of OIDC Integration in OTOBO

  • Centralized and secure authentication
  • Unified identity management
  • Automatic user creation
  • Reduced administrative effort

Further Reading