Associate LDAP and SAML users doesn't work anymore

Infos:

  • Used Zammad version: 6.0.0-1691139038.c2b281b3.focal
  • Used Zammad installation type: ubuntu repo
  • Operating system: ubuntu focal
  • Browser + version: chrome on windows 11

Expected behavior:

All users which exist in LDAP should be automatically associated with SSO users logging in via SAML if they have the same email.

Actual behavior:

Only users which already logged in using SSO months before get associated with their LDAP user when logging in to Zammad using SSO.

Steps to reproduce the behavior:

My LDAP settings (mailprimaryaddress and email are the same value in my LDAP):

givenname → firstname
sn → lastname
mailprimaryaddress → login
telephonenumber → phone
mail → email

My SAML settings:

NAME IDENTIFIER FORMAT
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

UID ATTRIBUTE NAME
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Login using SAML → Results in new user with their email-address and a number like “2” after the email.


@MrGeneration maybe you can check this?

Hi @letmesetupthis. Not sure if it’s related, but did you check the setting auth_third_party_auto_link_at_inital_login?

@fliebe92
hey there
yes, that’s already activated. sadly it still doesn’t work anymore.

I need to see if I can test this somehow. But this will take some time.

I could give you access to my Setup remotely. If I can share it via E-Mail.

This will not help because I cannot debug there etc. :slight_smile:

I am experiencing this too, as an aside. A user is imported from LDAP correctly; their login is configured as email. The SAML-provided attribute is also email. The user is imported from LDAP with proper config and that part works. The same user SAML-ed has their email+1 added as a user and is created as a new user.

Looks like you are missing the mapping in the IDP of some fields: SAML — Zammad Admin Documentation

Currently, the “email”-Field is needed for the detection of already existing users.
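To make the linking behaviour described in the original report and in the reply above concrete, here is an added model of how a third-party (SAML) login is matched against users that an LDAP sync already created. This is illustrative code written for this thread, not Zammad's implementation: the user store, the `saml_login` function, the `auto_link_at_initial_login` flag (standing in for the auth_third_party_auto_link_at_inital_login setting mentioned earlier) and the sample user are all assumptions. It shows why a missing email attribute in the assertion, or a disabled auto-link setting, ends in a second account whose login gets a numeric suffix, which is the symptom reported.

```python
"""Model of linking a SAML login to an LDAP-imported user (added illustration)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class User:
    login: str
    email: str
    source: str                        # "ldap" or "saml" (constructed labels)
    linked_saml_uid: Optional[str] = None


class UserStore:
    """Hypothetical in-memory user table; stands in for the application's DB."""

    def __init__(self) -> None:
        self.users: list = []

    def find_by_saml_uid(self, uid: str) -> Optional[User]:
        return next((u for u in self.users if u.linked_saml_uid == uid), None)

    def find_by_email(self, email: str) -> Optional[User]:
        # Case-insensitive match: directories and IdPs often disagree on case.
        return next((u for u in self.users if u.email.lower() == email.lower()), None)

    def unique_login(self, wanted: str) -> str:
        # A login that is already taken gets a numeric suffix ("...2"),
        # mirroring the duplicate-account symptom described in the thread.
        taken = {u.login.lower() for u in self.users}
        if wanted.lower() not in taken:
            return wanted
        n = 2
        while f"{wanted}{n}".lower() in taken:
            n += 1
        return f"{wanted}{n}"


def saml_login(store: UserStore, assertion: dict,
               auto_link_at_initial_login: bool) -> Tuple[User, str]:
    """Resolve a SAML assertion to a user.

    Returns (user, action) with action one of "existing", "linked", "created".
    `assertion["uid"]` is the UID attribute; `assertion.get("email")` is the
    email attribute, which is what the duplicate detection is keyed on.
    """
    uid = assertion["uid"]
    email = assertion.get("email")

    # 1. A uid we have seen before maps straight to its user.
    user = store.find_by_saml_uid(uid)
    if user is not None:
        return user, "existing"

    # 2. First SAML login: link to an existing (e.g. LDAP-synced) user only
    #    when auto-linking is enabled AND the assertion carries an email.
    #    Linking on email trusts the IdP's claim, so it should be enabled only
    #    for IdPs that verify the address they assert.
    if auto_link_at_initial_login and email:
        user = store.find_by_email(email)
        if user is not None:
            user.linked_saml_uid = uid
            return user, "linked"

    # 3. Nothing to link to: a new account is created. If the LDAP user already
    #    holds this login, the new login becomes "<login>2".
    user = User(login=store.unique_login(uid), email=email or uid,
                source="saml", linked_saml_uid=uid)
    store.users.append(user)
    return user, "created"


def scenario(mapping_has_email: bool, auto_link: bool) -> Tuple[str, str, int]:
    """Run one first-time SAML login against a constructed LDAP-imported user."""
    store = UserStore()
    # Constructed sample: LDAP sync mapped mailprimaryaddress -> login, mail -> email.
    store.users.append(User(login="jane@example.com", email="jane@example.com",
                            source="ldap"))
    assertion = {"uid": "jane@example.com"}
    if mapping_has_email:
        assertion["email"] = "jane@example.com"
    user, action = saml_login(store, assertion, auto_link)
    return action, user.login, len(store.users)


if __name__ == "__main__":
    print(scenario(mapping_has_email=True, auto_link=True))    # linked, 1 user
    print(scenario(mapping_has_email=False, auto_link=True))   # created "...2"
    print(scenario(mapping_has_email=True, auto_link=False))   # created "...2"
```

Only the first scenario ends with a single account; dropping the email attribute from the IdP mapping or turning off auto-linking both produce the extra user with the suffixed login. When checking a real setup, compare the attribute names the IdP actually sends (a SAML tracer in the browser shows them) against the mapping the application expects, including letter case.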

I verified my configuration. email is configured in my mappings:
authentik default SAML Mapping: Email

Capital E is correct there. It works like that with other SAML apps. And it actually was working round about a year ago.

zammad is a buggy mess.

Sorry but nobody is forcing you to use Zammad.
You seem to be constantly frustrated with it.

I’m sorry for that, but your comments are neither helping the situation nor will encourage people to like helping you more.