Associate LDAP and SAML users doesn't work anymore

letmesetupthis · August 9, 2023, 5:59pm

Infos:

Used Zammad version: 6.0.0-1691139038.c2b281b3.focal
Used Zammad installation type: ubuntu repo
Operating system: ubuntu focal
Browser + version: chrome on windows 11

Expected behavior:

all users which exist in LDAP should be automatically associated with SSO users login in via SAML if they have the same email.

Actual behavior:

only users which already logged in using SSO months before get associated witht heir LDAP user when logging in to Zammad using SSO.

Steps to reproduce the behavior:

my LDAP-settings:
(mailprimaryaddress and email is the same value in my LDAP)

givenname	firstname
sn	lastname
mailprimaryaddress	login
telephonenumber	phone
mail	email

my SAML setting:
NAME IDENTIFIZIERER FORMAT
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
UID ATTRIBUT-NAME
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Login using SAML → Results in new user with their email-address and a number like “2” after the email.

letmesetupthis · August 23, 2023, 9:53am

@MrGeneration maybe you can check this?

fliebe92 · August 24, 2023, 5:01am

Hi @letmesetupthis. Not sure if it’s related, but did you check the setting auth_third_party_auto_link_at_inital_login'?

letmesetupthis · August 24, 2023, 5:37am

@fliebe92
hey there
yes, that’s already activated. sadly it still doesn’t work anymore.

fliebe92 · August 24, 2023, 6:39am

I need to see if I can test this somehow. But this will take some time.

letmesetupthis · August 24, 2023, 6:55am

I could give you access to my Setup remotely. If I can share it via E-Mail.

fliebe92 · August 24, 2023, 7:30am

This will not help because I cannot debug there etc.

heydillon · October 17, 2023, 10:18pm

I am experiencing this too -as an aside. A user is imported from LDAP correctly; their login is configured as email. The SAML-provided attribute is also email. The user is imported from LDAP with proper config and that part works. The same user SAML-ed has their email+1 added as a user and is created as a new user.

dominikklein · October 18, 2023, 8:39am

Looks like you are missing the mapping in the IDP of some fields: SAML — Zammad Admin Documentation documentation

Currently, the “email”-Field is needed for the detection of already existing users.

letmesetupthis · October 19, 2023, 4:09pm

I verified my configuration. email is configured in my mappings:
authentik default SAML Mapping: Email

Capital E is correct there. It works like that with other SAML-Apps. And it actually was working roundabout a year ago.

letmesetupthis · January 18, 2024, 1:23pm

zammad is a buggy mess.

MrGeneration · January 18, 2024, 2:24pm

Sorry but nobody is forcing you to use Zammad.
You seem to be constantly frustrated with it.

I’m sorry for that, but your comments are neither helping the situation nor will encourage people to like helping you more.

system · January 12, 2025, 2:24pm

This topic was automatically closed 360 days after the last reply. New replies are no longer allowed.