
Integrating OpenID Connect in OTOBO (Agents and Customers)

With OpenID Connect (OIDC), both agents and customer users can be authenticated conveniently and securely in the OTOBO ticket system. User management is handled centrally via an external Identity Provider (IdP) such as Azure AD or Keycloak.

  • OTOBO 11 or higher
  • OpenID Connect-compatible Identity Provider (Azure AD, Keycloak, Auth0, etc.)
  • Access to the Kernel/Config.pm file

Configuring Agent Login with OpenID Connect

The agent integration is configured in Kernel/Config.pm:

# Use the OIDC backend for agent authentication
$Self->{AuthModule} = 'Kernel::System::Auth::OpenIDConnect';

# Client registration at the Identity Provider
$Self->{'AuthModule::OpenIDConnect::Config'}{ClientSettings} = {
    ClientID     => 'YOUR-AGENT-CLIENT-ID',
    ClientSecret => 'YOUR-AGENT-CLIENT-SECRET',
    RedirectURI  => 'https://your-domain.de/otobo/index.pl?Action=Login',
};

# Provider discovery document; TTL is the cache lifetime in seconds
$Self->{'AuthModule::OpenIDConnect::Config'}{ProviderSettings} = {
    OpenIDConfiguration => 'https://your-provider.de/.well-known/openid-configuration',
    TTL                 => 1800,
};

# Authorization code flow, requesting the profile and email scopes in addition to openid
$Self->{'AuthModule::OpenIDConnect::AuthRequest'}->{ResponseType}    = ['code'];
$Self->{'AuthModule::OpenIDConnect::AuthRequest'}->{AdditionalScope} = [qw/profile email/];

# ID token claim used as the OTOBO login, and claim-to-attribute mapping
$Self->{'AuthModule::OpenIDConnect::UID'}     = 'email';
$Self->{'AuthModule::OpenIDConnect::UserMap'} = {
    email       => 'UserEmail',
    given_name  => 'UserFirstname',
    family_name => 'UserLastname',
};

# Optional mapping of IdP groups/roles to OTOBO roles
$Self->{'AuthModule::OpenIDConnect::RoleMap'} = {
    groups => {
        admins  => 'admin',
        support => 'support',
    },
};

# Debugging (temporary): logs the full ID token, including personal data; disable once login works
$Self->{'AuthModule::OpenIDConnect::Debug'}->{'LogIDToken'} = 1;

Configuring Customer User Login with OpenID Connect

Customer users can also be authenticated via OpenID Connect. The configuration mirrors the agent one, using the Customer:: key prefix and the customer.pl redirect URI:

# Use the OIDC backend for customer user authentication
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::OpenIDConnect';

# Client registration at the Identity Provider (separate client from the agent one)
$Self->{'Customer::AuthModule::OpenIDConnect::Config'}{ClientSettings} = {
    ClientID     => 'YOUR-CUSTOMER-CLIENT-ID',
    ClientSecret => 'YOUR-CUSTOMER-CLIENT-SECRET',
    RedirectURI  => 'https://your-domain.de/otobo/customer.pl?Action=Login',
};

# Provider discovery document; TTL is the cache lifetime in seconds
$Self->{'Customer::AuthModule::OpenIDConnect::Config'}{ProviderSettings} = {
    OpenIDConfiguration => 'https://your-provider.de/.well-known/openid-configuration',
    TTL                 => 1800,
};

# Authorization code flow with the profile and email scopes
$Self->{'Customer::AuthModule::OpenIDConnect::AuthRequest'}->{ResponseType}    = ['code'];
$Self->{'Customer::AuthModule::OpenIDConnect::AuthRequest'}->{AdditionalScope} = [qw/profile email/];

# ID token claim used as the login, and claim-to-attribute mapping
$Self->{'Customer::AuthModule::OpenIDConnect::UID'}     = 'email';
$Self->{'Customer::AuthModule::OpenIDConnect::UserMap'} = {
    email       => 'UserEmail',
    given_name  => 'UserFirstname',
    family_name => 'UserLastname',
};

# Automatic customer user creation on first successful login
$Self->{'Customer::AuthModule::OpenIDConnect::AutoCreateUser'} = 1;

# Optional debugging (temporary): logs the full ID token; disable once login works
$Self->{'Customer::AuthModule::OpenIDConnect::Debug'}->{'LogIDToken'} = 1;

  1. Register a new app in Azure Active Directory
  2. Add permissions for “openid”, “profile”, and “email”
  3. Set Redirect URIs:
     • Agents: https://your-domain.de/otobo/index.pl?Action=Login
     • Customers: https://your-domain.de/otobo/customer.pl?Action=Login
  4. Configure claims (given_name, family_name) under “Token Configuration”


After configuration and a web server restart, agents and customer users are authenticated via your external IdP. New users are created in OTOBO automatically, provided automatic creation is enabled (AutoCreateUser for customer users).
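Before restarting, it is worth checking that the provider's discovery document actually advertises what the configuration above relies on: the code response type, the openid/profile/email scopes, and the claims used for UID and UserMap. The following pre-flight check is an added example, not OTOBO code; the discovery document and the OTOBO_OIDC dictionary are constructed to mirror the page's settings, with the given_name claim deliberately missing to show a failed check.

```python
import json

# Mirrors the agent settings from Kernel/Config.pm above (placeholders kept).
OTOBO_OIDC = {
    "RedirectURI": "https://your-domain.de/otobo/index.pl?Action=Login",
    "ResponseType": ["code"],
    "AdditionalScope": ["profile", "email"],
    "UID": "email",
    "UserMap": {"email": "UserEmail", "given_name": "UserFirstname",
                "family_name": "UserLastname"},
    "LogIDToken": 1,
}

# Constructed discovery document standing in for what the IdP returns at
# /.well-known/openid-configuration; it deliberately omits given_name.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://your-provider.de",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "email", "family_name"],
})


def check_provider(discovery_json, cfg):
    """Return findings as strings; empty means the provider advertises
    everything this OTOBO configuration relies on."""
    d = json.loads(discovery_json)
    findings = []
    if not d.get("issuer", "").startswith("https://"):
        findings.append("issuer is not served over https")
    if not cfg["RedirectURI"].startswith("https://"):
        findings.append("RedirectURI is not https; the authorization code would travel in clear")
    for rt in cfg["ResponseType"]:
        if rt not in d.get("response_types_supported", []):
            findings.append(f"response_type '{rt}' not supported by the provider")
    wanted = {"openid", *cfg["AdditionalScope"]}
    for scope in sorted(wanted - set(d.get("scopes_supported", []))):
        findings.append(f"scope '{scope}' not advertised by the provider")
    # UID and UserMap claims must be issued, or logins and name mapping fail.
    advertised = set(d.get("claims_supported", []))
    if advertised:
        for claim in sorted({cfg["UID"], *cfg["UserMap"]} - advertised):
            findings.append(f"claim '{claim}' not advertised; add it under Token Configuration")
    if cfg.get("LogIDToken"):
        findings.append("LogIDToken is on; ID tokens with personal data are written to the log")
    return findings
```

With a real provider, replace DISCOVERY_JSON by the body fetched from the OpenIDConfiguration URL and run the same check against the Customer:: settings as well.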


  • Central and secure authentication
  • Unified identity management
  • Automatic user creation
  • Reduced administrative effort