Keycloak OpenID Connect Support

dinesh121991 · March 18, 2020, 11:55am

Hi,
We are using “Zammad version 3.2.x” and there is a OAuth2 and SAML for third party authentication. Is it possible to connect with Keycloak OpenID with OAuth2? If there is any documentation to connect with Keycloak, Could anyone share it?

I followed the following link, and I could not find the files they mentioned to change for enabling OpenID connect.

$ sudo ls -al /opt/zammad/vendor/lib/oauth2_database.rb
ls: cannot access ‘/opt/zammad/vendor/lib/oauth2_database.rb’: No such file or directory
$ sudo ls /opt/zammad/vendor
assets bundle heroku pkgr plugins ruby-2.5.5

MrGeneration · March 23, 2020, 2:15pm

umm…
https://admin-docs.zammad.org/en/latest/settings/security/third-party/saml.html

mattronix · April 10, 2020, 11:19am

Thanks thats for SAML @ MRGeneration, @dinesh121991 does your SSO provider have SAML support you would get much better stability if you can use it?

We switched from OIDC to SAML for this one.

dinesh121991 · June 26, 2020, 11:26am

Thanks for your answers. We have our on premise Keycloak with the OpenID. How compatible it is to enable “Authentication via Generic OAuth2” with Keycloak OpenID for enabling SSO?

I tried it, and it is successfully enabling “OAuth2” button in the login page, but login redirection is failed with “Invalid parameter: redirect_uri”. Anyone had an experience to enable Keycloak OpenID with Zammad “Generic OAuth2”.

dinesh121991 · September 7, 2020, 5:41pm

Hi All,
I faced the following issues with the Zammad Keycloak OAuth2 and SAML2. Could you provide a suggestion for enabling SSO with it?

Zammad version 3.2.x
Keycloak version 7.0.0

OAuth2:
I provided [auth/oauth2/callback] (https://zammad_host/auth/oauth2/callback) as a redirect URI in Keycloak. It allows me to go to Keycloak login page, but it throws " 422: The change you wanted was rejected. Message from oauth2: invalid_credentials" after I login successfully in Keycloak. The login session is successfully created in Keycloak, but it does not use by Zammad to redirect correctly.

SAML2:
I get an error “Unknown login requester” when I tried SAML by following https://admin-docs.zammad.org/en/latest/settings/security/third-party/saml.html.

Do you have any idea, and how to debug and fix this issue? I am interested to fix any issues at the source code level to enable Zammad OAuth2 or SAML related one, so pls share the developer level details.

Thanks
Dinesh

MrGeneration · September 18, 2020, 1:54pm

Please asap upgrade your Zammad installation. It’s prune to security issues.
Also, the generic oAuth authentication (incoming) should be seen as broken and will be patched out of Zammad in the future.

In order to help you, please provide the output of your logfile (production log) of the moment the authentication process happens. Other wise it will be impossible to help you.

While you’re at it. Please also provide your Zammad relevant idP configuration and the configuration within your Zammad.

Please don’t forget to mask sensitive information. If you’re doing that, please ensure that different e.g. IPs or mail addresses don’t get mixed up with the same “redaction content” because other wise we won’t be able to see differences.