Microsoft ADFS SAML authentication

Hello. Can anybody provide walkthrough how to setup ADFS (Server 2019) for Zammad authentication?

I saved the content of “https://zammadFQDN/auth/saml/metadata” to a file and created a Relying Party Trust based on this file, but it looks like this is not enough.
F1, please.

So, here is my hands-on experience with ADFS (Server 2019):
With an already working ADFS you need to:

  1. Add Relying Party Trust.
  2. Edit Claim Issuance Policy (see picture).

Rules 1, 2, 4, 5 are “Send LDAP Attributes as Claim”.
Rule 3 is “Transform an Incoming Claim” (see picture).

  3. In Zammad turn on SAML.
  4. Any new domain user logging in via SAML becomes a customer in Zammad.
    NOTE: if LDAP and SAML are turned on for the same domain, the LDAP sync makes a SAML user inactive if the SAML user is not a member of the LDAP sync group.

P.S. Please do something about the button name. “SAML” is not a user-friendly name for a login button. Also, the mouse pointer does not react to the button.


@voljka

Thanks for your information on ADFS and SAML.
I’ve tried to do that with our already working ADFS (Windows Server 2012R2).
After following your instructions we get the following error message after pressing the SAML button:

422: The change you wanted was rejected. Message from saml: invalid_ticket
(on this URL https://zammad.centre.caritas.de/auth/failure?message=invalid_ticket&origin=https%3A%2F%2Fzammad.centre.caritas.de%2F&strategy=saml)

Do you mind posting the details of the 5 claim rules?


(Screenshots of the five claim rules.)


@voljka Thank you for the quick response.
I still get the same error. Any idea what could be the problem?
Our SAML Settings in Zammad:
(screenshot 2020-01-10_09-09-40)


I did not fill in the cert fingerprint and name identifier format. Try to remove the data from these fields.

Deleted both fields in the SAML settings, but still the same error message.

  1. Is https between the zammad host and the ADFS host working?
  2. Is the time on both hosts the same?
  3. Does the Trusted Root CA store on the zammad host have the Domain CA installed?
  4. Is the ADFS setup ok?
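Several points on this checklist (clock skew between the hosts, the wrong relying-party endpoint, a missing Name ID) show up only inside the SAMLResponse that Zammad logs before it answers invalid_ticket. The script below is an added example, not from this thread or from Zammad, for decoding such a base64 response offline and checking its Destination, Issuer, Audience, NameID and validity window against the local clock. The hostnames, issuer URL and the sample response itself are constructed placeholders; the signature is only checked for presence, since real validation needs the token-signing certificate.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder values for this example; substitute your own ADFS and Zammad hosts.
IDP_ISSUER = "http://adfs.example.test/adfs/services/trust"
SP_ACS_URL = "https://zammad.example.test/auth/saml/callback"
SP_ENTITY_ID = "https://zammad.example.test/auth/saml/metadata"


def parse_saml_time(value):
    """Parse an xs:dateTime as used in SAML (UTC with a trailing 'Z')."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def build_sample_response(not_before, not_on_or_after, destination=SP_ACS_URL,
                          audience=SP_ENTITY_ID, issuer=IDP_ISSUER):
    """Constructed, unsigned SAMLResponse, base64-encoded like the POSTed form field.
    Sample input for the checker only; not a real ADFS response."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="{not_before}" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def check_saml_response(b64_response, now=None, skew=timedelta(seconds=60),
                        expected_issuer=IDP_ISSUER, expected_destination=SP_ACS_URL,
                        expected_audience=SP_ENTITY_ID):
    """Return a list of findings; an empty list means the response agrees with the
    expected IdP/SP values and the supplied clock. Signature validity is not verified."""
    now = now or datetime.now(timezone.utc)
    findings = []
    root = ET.fromstring(base64.b64decode(b64_response))

    if root.get("Destination") != expected_destination:
        findings.append(f"Destination {root.get('Destination')!r} does not match {expected_destination!r}")

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success: " + (code.get("Value") if code is not None else "missing"))

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion found (missing or encrypted)")
        return findings

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        findings.append(f"Issuer {issuer!r} does not match {expected_issuer!r}")

    if assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) == "":
        findings.append("Assertion has no NameID (check the Name ID claim rule)")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        nb, noa = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        # Validity window, with a small tolerance for clock drift between IdP and SP.
        if nb and now + skew < parse_saml_time(nb):
            findings.append(f"assertion not yet valid: NotBefore={nb}, local clock={now.isoformat()}")
        if noa and now - skew >= parse_saml_time(noa):
            findings.append(f"assertion expired: NotOnOrAfter={noa}, local clock={now.isoformat()}")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            findings.append(f"Audience {audiences!r} does not include {expected_audience!r}")

    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("response and assertion are unsigned (the SP verifies against the IdP certificate)")
    return findings


DEMO_CLOCK = datetime(2020, 1, 10, 11, 38, 24, tzinfo=timezone.utc)


def demo_findings(clock_offset_hours=0, destination=SP_ACS_URL):
    """Run the checker over the constructed sample with a fixed clock, optionally
    shifted to simulate IdP and SP disagreeing on the time."""
    resp = build_sample_response("2020-01-10T11:33:24Z", "2020-01-10T12:38:24Z", destination=destination)
    return check_saml_response(resp, now=DEMO_CLOCK + timedelta(hours=clock_offset_hours))


if __name__ == "__main__":
    for label, offset in (("clock in sync", 0), ("SP clock two hours ahead", 2)):
        print(f"{label}:")
        for finding in demo_findings(offset):
            print("  -", finding)
```

To use it on a real case, paste the SAMLResponse value from the production.log Parameters line into check_saml_response together with your own issuer and Zammad URLs; a finding about the validity window with an otherwise consistent response points at point 2 of the checklist.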
  1. yes
  2. yes
  3. yes
  4. adfs setup says ok:
    (screenshot 2020-01-10_11-26-13)

Maybe you already have the user in the zammad DB when you are logging into zammad via SAML?
Try to log in with a unique user which is not present in zammad.

Yes, we have all users synced from LDAP.
Tried with a new user that is not synced, but it didn’t work either.

What is written in production.log at login time?
Mine looks like:

I, [2020-01-10T13:29:08.809625 #799-46998050520180] INFO -- : Started POST "/auth/saml" for 10.10.3.10 at 2020-01-10 13:29:08 +0200
I, [2020-01-10T13:29:09.023828 #799-46998050520780] INFO -- : Started POST "/auth/saml/callback" for 10.10.3.10 at 2020-01-10 13:29:09 +0200
I, [2020-01-10T13:29:09.078050 #799-46998050520780] INFO -- : Processing by SessionsController#create_omniauth as HTML
I, [2020-01-10T13:29:09.078227 #799-46998050520780] INFO -- : Parameters: {"SAMLResponse"=>"PHNhbWxw <…DELETED MANY LETTERS.> c2U+", "provider"=>"saml"}
I, [2020-01-10T13:29:09.128924 #799-46998050520780] INFO -- : Redirected to https://bilbo7.belam.lv/

I, [2020-01-10T11:38:23.930520 #13422-47400249167480] INFO -- : Started POST "/auth/saml" for 172.16.8.249 at 2020-01-10 11:38:23 +0000
I, [2020-01-10T11:38:24.157966 #13422-69995655716440] INFO -- : Started POST "/auth/saml/callback" for 172.16.8.249 at 2020-01-10 11:38:24 +0000
I, [2020-01-10T11:38:24.185687 #13422-47400270222400] INFO -- : Started GET "/auth/failure?message=invalid_ticket&origin=https%3A%2F%2Fzammad.centre.caritas.de%2F&strategy=saml" for 172.16.8.249 at 2020-01-10 11:38:24 +0000
I, [2020-01-10T11:38:24.189188 #13422-47400270222400] INFO -- : Processing by SessionsController#failure_omniauth as HTML
I, [2020-01-10T11:38:24.189248 #13422-47400270222400] INFO -- : Parameters: {"message"=>"invalid_ticket", "origin"=>"https://zammad.centre.caritas.de/", "strategy"=>"saml"}
E, [2020-01-10T11:38:24.189506 #13422-47400270222400] ERROR -- : Message from saml: invalid_ticket (Exceptions::UnprocessableEntity)
/opt/zammad/app/controllers/sessions_controller.rb:95:in `failure_omniauth'

Ok. No idea what is going on here, but… did you use the correct certificate?

When I use Monitoring in ADFS I don’t have to set a certificate.

On the Zammad config under IDP CERTIFICATE we use the Token-signing certificate from the ADFS.

Then look for SAML events on the ADFS server.

Strangely enough, it works today, it didn’t work on Friday.
Is it possible that it has something to do with the certificate management cycle on the ADFS?
Anyway, thank you very much for your support.
