How to disable sso? (can not login)

I play to much in my zammad settings. I switch on SSO, without preparing the other requirements, written down in the manual.
After logout, i can’t login anymore. Login-error: "CSRF token verification failed! "
Only one still logged in Admin switched the SSO back off for me. But I still can’t login and still got the error “CSRF token verification failed!”. Now no one, can login to zammad anymore. Every one gets the same error: CSRF token verification failed!

Does anyone know how to fix my stupidity?

  • Used Zammad version: v.5.3.1
  • Used Zammad installation type: package
  • Operating system: Debian 11
  • Browser + version: Edge 108.0.1462.54 + Firefox 108.0.1

Expected behavior:

  • i would like to use the authentication over LDAP, (as it was before i enabled SSO-Button)

Actual behavior:

  • even with disabled SSO-Button" the loginscreen displays "CSRF token verification failed! "

Steps to reproduce the behavior:

  • all other Agents can not login and got the same error. Error is reproduceable with trying to log in.

Do you have password login turned off? If not, do you have a locally created admin fallback account?

If yes, then you may need to modify the (specifically the logic around turning off login when third party auth is enabled) and precompile to force it to show you the standard login window again.

Hi astrugatch,
before i turnd on SSO-Button, we used LDAP-Authentification with username+password.

i testet the local Admin-account, but i got the same error while login. I can’t login with the local admin.

I think. my only access to zammad is cli. I don’t see any manual how to configure SSO over cli. If it exist, i would try to do in reverse.

CSRF token errors have nothing to do with SSO.
This most likely is a faulty vHost configuration (e.g. you telling Zammad you’re providing e.g. http but Zammad expects https).

Ensure your vHost file is correct and the http protocol is configured correctly in Zammad.
See the CSRF tip in the documentation:

thank you for answering.
In the meantime, i did the hard way and restored the server form a backup. While i am doing the same configuration, but without switching SSO on, i got the same error. Now we are on your point. It wasn’t the SSO-config. Every time when i am switching on this button i get this error:

I think it’s for building links in the mail-notfication, when you want to have “https://”-links.
At the moment we only get “http://”-links. The redirect in the apache-config will lead the browser to the “https://”-Website.

I don’t know to fix this error.
i checked my config with this manual:
Zammad throws error “CSRF token verification failed!” on Apache 2.4.41 Ubuntu 20.4 (

But i think i have to open up a new thread, because it’s no an SSO-subject.

Setting the correct HTTP type is mandatory for Zammad to behave correctly.
That means: If you want to connect via HTTPs, you’ll have to set this to HTTPs. A mixture is technically not supported. If your webserver doesn’t ship the http type correctly for whatever reason, you can also “hardcode” it into your vhost file (https if you’re using https).

Personally I would suggest nobody to use http any more. I mean it’s not hard to get even a public valid ssl certificate nowadays.

For above mentioned vhost part the documentation should help you. It is explicitely mentioned on the page.