Automatic redirect to SAML for authentication

Hi,

Any plan for the possibility to disable login form and automatically redirect to SAML?

I have seen several requests for that in the community threads…

Kind regards,
Magnus

3 Likes

There is a workaround: If your IDP supports IDP-initiated authentication, you can simply edit the login page. Note that any updates to Zammad will most likely override this customization.

You need to find out the direct login URL for the SAML app from your IDP. For most IDPs, you can simply go to the app overview and then copy the link of the SAML app.

For example, for Azure AD, the login URL looks like this: https://account.activedirectory.windowsazure.com/applications/signin/{APP ID}?tenantId={TENANT ID}

Now all you need to do is edit the following file: zammad/app/assets/javascripts/app/views/login.jst.eco

Insert the following at the beginning of the file and replace the IDP login URL: <meta http-equiv="refresh" content="0; url={IDP LOGIN URL}" />

After you saved your file, run zammad run rake assets:precompile and restart Zammad. Users that are trying to access the login page will now be redirected to your IDP which will initiate the login.
However, I advise against using this in production systems due to security reasons.

Oh boy that’s hacky.
If you really must, rather check if the session cookie of Zammad is set already and redirect if not.

This works one time during every browser session. If you logged out, the redirect won’t happen because the session cookie is still there.

In general I’m no fan of what you want to achieve, but oh well.

I am also interested in a feature like this. Less for an immediate redirect, but more in hiding the local authentication. We have SAML and Google authentication configured and users can use either (and if they are new they are automatically generated), but the first thing they see when they hit the page is a login pane with those buttons below. If we can hide the username/password fields we don’t need a redirect, but a redirect would be pretty good too so they never see the login window.

We are only using SAML for our end users to log in, and automatically redirecting would be great. I feel like the SAML button is too small for users to see and many of ours won’t know what SAML is. Their experience on our network is that they are automatically logged into everything and it would be great if we could keep this up with the Helpdesk system.

Here for the same. I noticed an issue was (wrongly) opened for this RFE. Also adding this forum post which is relevant.