Authentik SAML Login doesn't work | Err 422 invalid ticket

  • Used Zammad version: 6.3.1
  • Used Zammad installation type: Helm Chart in RKE2 Cluster
  • Operating system: Ubuntu22.04
  • Browser + version: Edge, Firefox, Chromium

Hi,
this is my Authentik config:

Provider:
name: zammad
ACS URL: https://zammad./auth/saml/callback
Issuer : https://zammad./auth/saml/metadata
Service Provider Binding : Post
Audience: https://zammad./auth/saml/metadata
Signing Certificate: ------------------
Verification Certificate: ------------------
Property mappings: Zammad SAML-Zuordnung: email and Zammad SAML-Zuordnung: name
NameID Property Mapping: Zammad SAML-Zuordnung: name

Application:
Name: Zammad
Slug: zammad
Provider: zammad
Launch URL: https://zammad.

Property Mappings:
Zammad SAML-Zuordnung: email
SAML Attribute Name: email
Friendly Name:
Expression: return request.user.email

Zammad SAML-Zuordnung: name
SAML Attribute Name: name
Friendly Name:
Expression: return request.user.name

Zammad Settings:
DISPLAY NAME: Authentik
IDP SSO TARGET URL: https://authentik./application/saml/zammad/sso/binding/init
IDP SINGLE LOGOUT TARGET URL: https://zammad.<my.domain>/auth/saml/slo

IDP CERTIFICATE: ----BEGIN CERTIFICATE---- …
IDP CERTIFICATE FINGERPRINT: empty
NAME IDENTIFIER FORMAT: empty
UID ATTRIBUTE NAME:
SSL VERIFICATION: no
SIGNING & ENCRYPTING: no
YOUR CALLBACK URL: (I can’t change that) http://localhost:61520/auth/saml/callback

When I try to log in from Zammad via Authentik, I am redirected to Authentik, log in there and then am redirected back to Zammad.

There I get a window with the message:
422: The change you wanted was rejected.
Message from saml: invalid_ticket

Do I have an error in my config?
Thank you very much in advance for the help!!
Daniel

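For readers hitting the same 422, some context: the "Message from saml: invalid_ticket" text is what Zammad's omniauth-saml strategy reports whenever ruby-saml refuses the posted SAML Response, which covers signature, Destination/Recipient, Audience, Issuer and time-window checks alike. The block below is an added example (editor's code, not Zammad's or Authentik's): a stdlib-only Ruby checker that runs the non-signature checks against a base64-decoded SAMLResponse and names each mismatch, so the cause can be read off a captured response instead of guessed from the configuration screens. The sample Response, the example.com hostnames and the expected-value hashes are constructed for this example; the localhost callback URL is the one shown on Zammad's settings page in the post above, used here only to show what a callback/ACS mismatch looks like.

```ruby
require "rexml/document"
require "time"

# Constructed sample (not a real capture): an unsigned SAML 2.0 Response of the
# shape an IdP such as Authentik POSTs to the SP's callback. Hostnames are
# placeholders chosen for this example.
SAMPLE_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="_r1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z"
                  Destination="https://zammad.example.com/auth/saml/callback">
    <saml:Issuer>https://authentik.example.com</saml:Issuer>
    <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z">
      <saml:Issuer>https://authentik.example.com</saml:Issuer>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">daniel@example.com</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml:SubjectConfirmationData NotOnOrAfter="2024-06-01T12:05:00Z"
                                        Recipient="https://zammad.example.com/auth/saml/callback"/>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotBefore="2024-06-01T11:59:00Z" NotOnOrAfter="2024-06-01T12:05:00Z">
        <saml:AudienceRestriction>
          <saml:Audience>https://zammad.example.com/auth/saml/metadata</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>
    </saml:Assertion>
  </samlp:Response>
XML

NS = {
  "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
  "saml"  => "urn:oasis:names:tc:SAML:2.0:assertion",
}.freeze

def text_of(node)
  node ? node.text.to_s.strip : ""
end

# Returns human-readable reasons an SP configured with the given values would
# reject this Response; an empty list means these checks pass. XML signature
# verification is deliberately out of scope for this example.
def saml_response_problems(xml, acs_url:, sp_entity_id:, idp_entity_id:, now: Time.now.utc)
  doc = REXML::Document.new(xml)
  problems = []
  response = REXML::XPath.first(doc, "/samlp:Response", NS)
  return ["not a samlp:Response document"] unless response

  # Destination must equal the SP's own callback (ACS) URL, byte for byte.
  dest = response.attributes["Destination"]
  problems << "Destination #{dest.inspect} != ACS URL #{acs_url.inspect}" if dest && dest != acs_url

  assertion = REXML::XPath.first(response, "saml:Assertion", NS)
  return problems << "no plain saml:Assertion (encrypted assertions not handled)" unless assertion

  # Issuer must be the IdP entity ID the SP expects.
  issuer = text_of(REXML::XPath.first(assertion, "saml:Issuer", NS))
  problems << "Issuer #{issuer.inspect} != expected IdP entity ID #{idp_entity_id.inspect}" if issuer != idp_entity_id

  # Bearer confirmation: Recipient must also be the ACS URL and must not be stale.
  scd = REXML::XPath.first(assertion, "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
  if scd
    recipient = scd.attributes["Recipient"]
    problems << "Recipient #{recipient.inspect} != ACS URL #{acs_url.inspect}" if recipient && recipient != acs_url
    expires = scd.attributes["NotOnOrAfter"]
    problems << "SubjectConfirmationData expired at #{expires}" if expires && now >= Time.iso8601(expires)
  end

  # Audience must name the SP's entity ID (Zammad's metadata URL in the post).
  audiences = REXML::XPath.match(assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
                          .map { |a| text_of(a) }
  unless audiences.empty? || audiences.include?(sp_entity_id)
    problems << "Audience #{audiences.inspect} does not include SP entity ID #{sp_entity_id.inspect}"
  end

  # Conditions validity window, evaluated against the SP's clock.
  cond = REXML::XPath.first(assertion, "saml:Conditions", NS)
  if cond
    nb  = cond.attributes["NotBefore"]
    noa = cond.attributes["NotOnOrAfter"]
    problems << "assertion not yet valid (NotBefore #{nb})" if nb && now < Time.iso8601(nb)
    problems << "assertion expired (NotOnOrAfter #{noa})" if noa && now >= Time.iso8601(noa)
  end

  # The NameID is what the SP logs the user in as; it must be present.
  problems << "empty NameID" if text_of(REXML::XPath.first(assertion, "saml:Subject/saml:NameID", NS)).empty?

  problems
end

if __FILE__ == $PROGRAM_NAME
  expected = {
    acs_url: "https://zammad.example.com/auth/saml/callback",
    sp_entity_id: "https://zammad.example.com/auth/saml/metadata",
    idp_entity_id: "https://authentik.example.com",
    now: Time.utc(2024, 6, 1, 12, 1, 0),
  }
  puts "as configured in the IdP: #{saml_response_problems(SAMPLE_RESPONSE, **expected)}"
  # Same response checked against the callback URL Zammad's settings page shows.
  local = expected.merge(acs_url: "http://localhost:61520/auth/saml/callback")
  puts "with a localhost callback: #{saml_response_problems(SAMPLE_RESPONSE, **local)}"
end
```

To use it on a real login, copy the SAMLResponse form field from the browser's network tab, base64-decode it, and pass the XML with the exact ACS URL, SP entity ID and IdP entity ID the SP is configured with; every string must match character for character, scheme and port included. A passing result here with the 422 still present points at the signature or certificate side, which this example does not check.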

How did you create your certificates? (IdP cert: where do I get this?)
Greetings

OK, I found something:
First: in your provider example you didn't configure any cert.

In Zammad you did configure a cert in one direction.

Maybe you should sign in both directions.

Hello. Thank you for your answer!
I use the authentik self-signed certificate

As you wrote correctly, I did not specify this in the provider. Now I have adapted it and the content in Zammad.
But nothing has changed in the error message.

At what point can I adjust this?
"In this case you did configure a cert in one direction.

Maybe you should sign in both directions."