Microsoft ADFS SAML authentication

Hello. Can anybody provide walkthrough how to setup ADFS (Server 2019) for Zammad authentication?

I did saved content “https://zammadFQDN/auth/saml/metadata” to file, and created Relying Party Trust based on this file, but looks this not enough.
F1, please.

So, here is my hands on experience for ADFS (Server 2019):
With already working ADFS you need to:

  1. Add Relying Party Trust:
  1. Edit Claim Issuance Policy (see picture)

Rules 1,2,4,5 - are “Send LDAP Attributes as Claim”
Rule 3 - “Transform an Incoming Claim”
Rule 3 - see picture

  1. In Zammad turn on SAML:
  1. Any new domain user via SAML became customer in Zammad.
    NOTE: if LDAP and SAML are turned on for same domain, then LDAP sync make SAML user inactive, if SAML user not a member of LDAP sync group.

P.S. Please do something with button name. SAML - is not an user-friendly name for login button. Also, mouse pointer does not react on button.



thanks for your information on ADFS and SAML.
I’ve tried to do that with our already working ADFS (Windows Server 2012R2).
After following your instructions we get the following error message after pressing the SAML button:

422: The change you wanted was rejected. Message from saml: invalid_ticket
(on this URL

Do you mind posting the details of the 5 claim rules?

1 Like



@voljka Thank you for the quick response.
I still get the same error. Any idea what could be the problem?
Our SAML Settings in Zammad:

1 Like

I did not fill cert fingerprint and name identifier format. try to remove data from these fields.

deleted both fields in the SAML Setting, but still the same error message

  1. https between zammad host and ADFS host are working?
  2. time on both hosts are the same?
  3. Trusted Root CA on zammad host has Domain CA installed?
  4. adfs setup are ok?
  1. yes
  2. yes
  3. yes
  4. adfs setup says ok:

may be you already has user in zammad DB, when you are logging into zammad via SAML?
try to login with unique user, which does not present in zammad.

yes, we’ve all users synced from LDAP.
Tried with a new user that is not synced, but it didn’t work either.

what is written in production.log at login time?
mine looks like:

I, [2020-01-10T13:29:08.809625 #799-46998050520180] INFO – : Started POST “/auth/saml” for at 2020-01-10 13:29:08 +0200
I, [2020-01-10T13:29:09.023828 #799-46998050520780] INFO – : Started POST “/auth/saml/callback” for at 2020-01-10 13:29:09 +0200
I, [2020-01-10T13:29:09.078050 #799-46998050520780] INFO – : Processing by SessionsController#create_omniauth as HTML
I, [2020-01-10T13:29:09.078227 #799-46998050520780] INFO – : Parameters: {“SAMLResponse”=>“PHNhbWxw <…DELETED MANY LETTERS.> c2U+”, “provider”=>“saml”}
I, [2020-01-10T13:29:09.128924 #799-46998050520780] INFO – : Redirected to

I, [2020-01-10T11:38:23.930520 #13422-47400249167480] INFO – : Started POST “/auth/saml” for at 2020-01-10 11:38:23 +0000
I, [2020-01-10T11:38:24.157966 #13422-69995655716440] INFO – : Started POST “/auth/saml/callback” for at 2020-01-10 11:38:24 +0000
I, [2020-01-10T11:38:24.185687 #13422-47400270222400] INFO – : Started GET “/auth/failure?message=invalid_ticket&” for at 2020-01-10 11:38:24 +0000
I, [2020-01-10T11:38:24.189188 #13422-47400270222400] INFO – : Processing by SessionsController#failure_omniauth as HTML
I, [2020-01-10T11:38:24.189248 #13422-47400270222400] INFO – : Parameters: {“message”=>“invalid_ticket”, “origin”=>“”, “strategy”=>“saml”}
E, [2020-01-10T11:38:24.189506 #13422-47400270222400] ERROR – : Message from saml: invalid_ticket (Exceptions::UnprocessableEntity)
/opt/zammad/app/controllers/sessions_controller.rb:95:in `failure_omniauth’

ok. no idea what going here, but… did you use correct certificate?

When I use Monitoring in ADFS i don’t have to set a certificate.

On the Zammad config under IDP CERTIFICATE we use the Token-signing certificate from the ADFS.

then look for SAML events on ADFS server

Strangely enough, it works today, it didn’t work on Friday.
Is it possible that it has something to do with the certificate management cycle on the ADFS?
Anyway, thank you very much for your support.

1 Like

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.