How to add DUO authentication to OTRS

Dont create your support topics here! No new topics with questions allowed!

Moderator: crythias

Post Reply
Posts: 10121
Joined: 04 May 2010, 18:38
OTRS Version?: 5.0.x
Location: SouthWest Florida, USA

How to add DUO authentication to OTRS

Post by crythias »

Please note, this is cheating (a bit) and may not necessarily look clean, etc.

This is a first draft and may not be what you consider "done enough" but it gets the job done. is important to follow.

add the perl Duo/ folder to Kernel/System as Kernel/System/Duo/ link to
Also edit the package line in to say Kernel::System::Duo::Web

and the js file (min or full, your choice, but update the html file to reflect the one you choose) to /opt/otrs/var/httpd/httpdocs/js/thirdparty/Duo/
link to js

Basically, I made a document in /opt/otrs/var/httpd/htdocs/common/duocheck.html

Code: Select all

<meta http-equiv="X-UA-Compatible" content="IE=edge">
<script src="/otrs-web/js/thirdparty/Duo/Duo-Web-v2.js"></script>
const queryString =;
const urlParams = new URLSearchParams(queryString);
const sig_request = urlParams.get('sig_request')
    'host': 'api-[yournumber here]',
    'sig_request': sig_request,
    'post_action': '/otrs/'
<iframe id="duo_iframe">
  #duo_iframe {
    width: 100%;
    min-width: 304px;
    max-width: 620px;
    height: 330px;
    border: none;

And then added a few things to System/Web/ (You probably should copy the default to Custom/Kernel/System/Web/ and edit that version, then restart apache/your web browser to get it to see it.)

under use Kernel::System::DateTime;

Code: Select all

use Kernel::System::Duo::Web;
under $PostTwoFactorToken stuff where the GetParams are under sub Login

Code: Select all

        my $SigResponse = $ParamObject->GetParam(
                Param => 'sig_response',
                Raw => 1
        ) || '';
then changed

Code: Select all

        # create AuthObject
        my $AuthObject = $Kernel::OM->Get('Kernel::System::Auth');

        # If there's a sig_response posted, we probably should accept that it's verified
        my $User;
        if ($SigResponse ) {
                $User = Kernel::System::Duo::Web::verify_response('your_ikey', 'your_skey', 'your_akey', $SigResponse);
        } else {
        # check submitted data
        $User = $AuthObject->Auth(
            User           => $PostUser,
            Pw             => $PostPw,
            TwoFactorToken => $PostTwoFactorToken,
and then below...

Code: Select all

        if (!$SigResponse) {
            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
        my $sig_request = Kernel::System::Duo::Web::sign_request('your_ikey', 'your_skey', 'your_akey', $User);
        print $LayoutObject->Redirect(
                ExtURL => "/otrs-web/common/duocheck.html?sig_request=$sig_request",

        # login is successful
        my %UserData = $UserObject->GetUserData(
If you have questions, comments, or concerns about its use or implementation, it doesn't work, etc., please ask in the Help forum: viewtopic.php?f=62&t=41682
OTRS 5.0.x (private/testing/public) on Linux with MySQL database. Also on github.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Post Reply