Automatic redirect to SAML for authentication

Hi,

Any plan for the possibility to disable the login form and automatically redirect to SAML?

I have seen several requests for that in the community threads…

Kind regards,
Magnus

There is a workaround: If your IDP supports IDP-initiated authentication, you can simply edit the login page. Note that any updates to Zammad will most likely override this customization.

You need to find out the direct login URL for the SAML app from your IDP. For most IDPs, you can simply go to the app overview and then copy the link of the SAML app.

For example, for Azure AD, the login URL looks like this: https://account.activedirectory.windowsazure.com/applications/signin/{APP ID}?tenantId={TENANT ID}

Now all you need to do is edit the following file: zammad/app/assets/javascripts/app/views/login.jst.eco

Insert the following at the beginning of the file and replace the IDP login URL: <meta http-equiv="refresh" content="0; url={IDP LOGIN URL}" />

After you have saved your file, run zammad run rake assets:precompile and restart Zammad. Users that are trying to access the login page will now be redirected to your IDP, which will initiate the login.
However, I advise against using this in production systems due to security reasons.

Oh boy that’s hacky.
If you really must, rather check if the session cookie of Zammad is set already and redirect if not.

This works one time during every browser session. If you logged out, the redirect won’t happen because the session cookie is still there.

In general I’m no fan of what you want to achieve, but oh well.

I am also interested in a feature like this. Less for an immediate redirect, but more in hiding the local authentication. We have SAML and Google authentication configured and users can use either (and if they are new they are automatically generated), but the first thing they see when they hit the page is a login pane with those buttons below. If we can hide the username/password fields we don’t need a redirect, but a redirect would be pretty good too so they never see the login window.