

Integrate OpenID Connect in OTOBO (Agents and Customers)

With OpenID Connect (OIDC), both agents and customer users can be conveniently and securely authenticated in the OTOBO ticketing system. User management is handled centrally via an external Identity Provider (IdP) such as Azure AD or Keycloak.

Prerequisites

  • OTOBO 11 or higher
  • OpenID Connect compatible Identity Provider (Azure AD, Keycloak, Auth0 etc.)
  • Access to the Kernel/Config.pm file

Configure Agent Login with OpenID Connect

The integration for agents is done in Kernel/Config.pm.

Example Configuration

```perl
$Self->{AuthModule} = 'Kernel::System::Auth::OpenIDConnect';

# Client credentials issued by the IdP for the agent application.
# RedirectURI must match the redirect URL registered at the IdP exactly.
$Self->{'AuthModule::OpenIDConnect::Config'}{ClientSettings} = {
    ClientID     => 'YOUR-AGENT-CLIENT-ID',
    ClientSecret => 'YOUR-AGENT-CLIENT-SECRET',
    RedirectURI  => 'https://your-domain.de/otobo/index.pl?Action=Login',
};

# Discovery document of the IdP (endpoints, signing keys, issuer).
$Self->{'AuthModule::OpenIDConnect::Config'}{ProviderSettings} = {
    OpenIDConfiguration => 'https://your-provider.de/.well-known/openid-configuration',
    TTL                 => 1800,
};

# Authorization code flow; scopes requested in addition to "openid".
$Self->{'AuthModule::OpenIDConnect::AuthRequest'}->{ResponseType}    = ['code'];
$Self->{'AuthModule::OpenIDConnect::AuthRequest'}->{AdditionalScope} = [qw/profile email/];

# ID token claim used as the OTOBO login name.
$Self->{'AuthModule::OpenIDConnect::UID'} = 'email';

# ID token claim => OTOBO user field.
$Self->{'AuthModule::OpenIDConnect::UserMap'} = {
    email       => 'UserEmail',
    given_name  => 'UserFirstname',
    family_name => 'UserLastname',
};

# Optional mapping of groups/roles: values of the "groups" claim => OTOBO role.
$Self->{'AuthModule::OpenIDConnect::RoleMap'} = {
    groups => {
        admins  => 'admin',
        support => 'support',
    },
};

# Debugging (temporary): writes the received ID token to the log.
# Disable again once the claim mapping works.
$Self->{'AuthModule::OpenIDConnect::Debug'}->{'LogIDToken'} = 1;
```

Configure Customer User Login with OpenID Connect

Customer users can also be authenticated via OpenID Connect.

Example Configuration for Customer Users

```perl
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::OpenIDConnect';

# Separate client registration for the customer application.
# RedirectURI must match the redirect URL registered at the IdP exactly.
$Self->{'Customer::AuthModule::OpenIDConnect::Config'}{ClientSettings} = {
    ClientID     => 'YOUR-CUSTOMER-CLIENT-ID',
    ClientSecret => 'YOUR-CUSTOMER-CLIENT-SECRET',
    RedirectURI  => 'https://your-domain.de/otobo/customer.pl?Action=Login',
};

# Discovery document of the IdP (endpoints, signing keys, issuer).
$Self->{'Customer::AuthModule::OpenIDConnect::Config'}{ProviderSettings} = {
    OpenIDConfiguration => 'https://your-provider.de/.well-known/openid-configuration',
    TTL                 => 1800,
};

# Authorization code flow; scopes requested in addition to "openid".
$Self->{'Customer::AuthModule::OpenIDConnect::AuthRequest'}->{ResponseType}    = ['code'];
$Self->{'Customer::AuthModule::OpenIDConnect::AuthRequest'}->{AdditionalScope} = [qw/profile email/];

# ID token claim used as the customer user login name.
$Self->{'Customer::AuthModule::OpenIDConnect::UID'} = 'email';

# ID token claim => OTOBO customer user field.
$Self->{'Customer::AuthModule::OpenIDConnect::UserMap'} = {
    email       => 'UserEmail',
    given_name  => 'UserFirstname',
    family_name => 'UserLastname',
};

# Automatic customer user creation on first successful login.
$Self->{'Customer::AuthModule::OpenIDConnect::AutoCreateUser'} = 1;

# Optional debugging: writes the received ID token to the log.
# Disable again once the claim mapping works.
$Self->{'Customer::AuthModule::OpenIDConnect::Debug'}->{'LogIDToken'} = 1;
```

Recommended Azure AD Configuration (Example)

  1. Register a new app in Azure Active Directory
  2. Add permissions for "openid", "profile", and "email"
  3. Set Redirect URLs:
     • Agents: https://your-domain.de/otobo/index.pl?Action=Login
     • Customers: https://your-domain.de/otobo/customer.pl?Action=Login
  4. Configure claims (given_name, family_name) under "Token Configuration"
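To see what the UID, UserMap and RoleMap settings from the agent and customer configurations above actually do with the claims an IdP sends, and to check whether the claims configured in step 4 really arrive, here is an added offline diagnostic. It is example code written for this page, not part of OTOBO, and it is in Python rather than Perl so it can be run anywhere next to the log output that LogIDToken produces. It decodes the payload of an ID token without checking the signature (OTOBO does the real validation), reports the issuer, audience and expiry problems a relying party must reject on, and applies the same mappings as the config. The sample token, the claim values and the function names are constructed for the example; the issuer and client ID are the placeholders from the page.

```python
import base64
import json
import time

# Mirrors the UID / UserMap / RoleMap settings from the Kernel/Config.pm example.
UID_CLAIM = "email"
USER_MAP = {
    "email": "UserEmail",
    "given_name": "UserFirstname",
    "family_name": "UserLastname",
}
ROLE_MAP = {
    "groups": {
        "admins": "admin",
        "support": "support",
    },
}


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_sample_id_token(claims):
    """Build a CONSTRUCTED, unsigned sample token (dummy signature segment) so the
    mapping can be exercised offline. Real ID tokens are signed by the IdP."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy-signature"


def decode_id_token_claims(id_token):
    """Return the payload claims of a compact JWT.
    No signature check is done here: this inspects what the IdP sends (e.g. the
    token LogIDToken writes to the log); it is not a substitute for OTOBO's own
    token validation."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token is not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_token_basics(claims, expected_issuer, expected_client_id, now=None):
    """Return the problems a relying party must reject on: wrong iss, an aud that
    does not contain our client ID, or an expired/missing exp."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_client_id not in aud_list:
        problems.append(f"audience mismatch: {aud!r}")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    return problems


def map_claims_to_user(claims):
    """Apply UID, UserMap and RoleMap the way the config describes. Returns the
    login name, the OTOBO user fields, the mapped roles, and which mapped claims
    the IdP did not send (typically a 'Token Configuration' issue at the IdP)."""
    user_fields = {}
    missing = []
    for claim, field in USER_MAP.items():
        if claim in claims:
            user_fields[field] = claims[claim]
        else:
            missing.append(claim)
    roles = []
    for claim, mapping in ROLE_MAP.items():
        values = claims.get(claim, [])
        if isinstance(values, str):
            values = [values]
        # Group values without a mapping entry are ignored, as in the RoleMap.
        roles.extend(mapping[v] for v in values if v in mapping)
    return {
        "uid": claims.get(UID_CLAIM),
        "user_fields": user_fields,
        "roles": roles,
        "missing_claims": missing,
    }


if __name__ == "__main__":
    # Constructed sample claims: family_name is deliberately left out to show
    # how a missing claim from step 4 surfaces.
    sample = build_sample_id_token({
        "iss": "https://your-provider.de",
        "aud": "YOUR-AGENT-CLIENT-ID",
        "exp": int(time.time()) + 600,
        "email": "jane.doe@example.org",
        "given_name": "Jane",
        "groups": ["admins", "unmapped-group"],
    })
    claims = decode_id_token_claims(sample)
    print(check_token_basics(claims, "https://your-provider.de", "YOUR-AGENT-CLIENT-ID"))
    print(map_claims_to_user(claims))
```

Paste a token from the LogIDToken output into decode_id_token_claims instead of the constructed sample to compare what your IdP sends with what UserMap expects; an entry in missing_claims means the claim has to be enabled at the IdP, and an audience mismatch usually means the agent and customer client IDs were swapped between index.pl and customer.pl.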


Test Login

After configuration and restarting the web server, agents and customer users can be conveniently authenticated via your external IdP. New users will be automatically created in OTOBO if configured.


Benefits of OIDC Integration in OTOBO

  • Centralized and secure authentication
  • Unified identity management
  • Automatic user creation
  • Reduced administrative effort