Configure SSO via Shibboleth

mvngne · November 28, 2023, 1:51pm

Hey,

does someone already have sso via shibboleth configured (not SAML)? In the features list it says:

Simply configure Shibboleth for the Zammad IdP and initiate the authentication. There is no documentation for this yet, so just let us know if you need help!

So is there maybe someone who can provide some hints how to configure sso via shibboleth?

Best regards
Marvin

Johnnynator · November 30, 2023, 3:27pm

Shibboleth is a SAML IDP. So you can add it as a SAML IDP to Zammad like any other SAML IDP.

Or are asking is how to use the Shibboleth Apache Plugin?

The Kerberos Documnetation shows how to let an Apache module handle the Authentication.
https://docs.zammad.org/en/latest/appendix/single-sign-on.html#g-configure-apache

After you have Zammad working with Apache you can configure libapache2-mod-shib / shibd as usual and require authentication for the /auth/sso Location in the Apache configuration.
You can Enable “Authentication via SSO” in Settings > Security > Third-Party Applications after you have verified that /auth/sso is configured and redirects you to your Shibboleth IDP.

SSO in Zamamd does not provision new users, so you need to configure some way to sync your users into Zammad, LDAP is usually the most sane way.
Also you have to ensure that you configure your Shibboleth SP to put the value into REMOTE_USER as the one that is used in Zammads login field.

system · November 24, 2024, 3:28pm

This topic was automatically closed 360 days after the last reply. New replies are no longer allowed.