Multiple Identity Provider with SSO and SCIM provisioning


  • Used Zammad version: 6.2.0
  • Used Zammad installation type: (source, package, docker-compose, …) docker-compose
  • Operating system: Debian 11
  • Browser + version: Firefox 124.0.2

Expected behavior:

Multiple identity providers with SSO and SCIM provisioning, configured with Entra Apps in different Microsoft Tenants, so that we can manage Zammad users (account details and roles) in Entra ID.

Actual behavior:

We can configure multiple LDAP connections in combination with a Microsoft Entra Domain Services managed domain in every single Tenant. But we have to pay extra for this Microsoft service only to use LDAP, and the initial configuration effort is enormous.
Alternatively, we could deploy an Entra App in a single Tenant (Type > Accounts in any organizational directory (Any Azure AD directory - Multitenant)), but we have to manually manage users in Zammad (on- and offboarding), and everyone with a Microsoft account could log in to our Zammad instance because we could not allow only specific Tenants. There is no option in Zammad for this feature. See Supported identity and account types for single- and multi-tenant apps | Microsoft Learn

Steps to reproduce the behavior:

Deploy an Entra App (Microsoft — Zammad Admin Documentation documentation) at Tenant A and log in with a Microsoft account from Tenant B. Zammad automatically creates an account for the new user and we have to manage the account manually.
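
The tenant restriction described above, as an added example that is not part of the original post and is not Zammad code or a Zammad setting: a relying party that accepts a multitenant Entra App can bind the token's issuer to its `tid` claim and check that tenant against an allowlist. It assumes v2.0 ID tokens whose signature, audience and expiry have already been verified by the OIDC library; `check_tenant`, `ALLOWED_TENANTS` and the tenant IDs are hypothetical names and constructed values.

```ruby
require 'set'

# Constructed placeholder tenant IDs, standing in for the tenants that may sign in.
ALLOWED_TENANTS = Set[
  '11111111-1111-1111-1111-111111111111', # constructed: "Tenant A"
  '22222222-2222-2222-2222-222222222222'  # constructed: a second permitted tenant
].freeze

GUID = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/.freeze

# claims: decoded payload (Hash) of an ID token that was ALREADY signature-,
# audience- and expiry-checked. Returns [true, nil] or [false, reason].
def check_tenant(claims, allowed = ALLOWED_TENANTS)
  tid = claims['tid'].to_s.downcase
  return [false, 'missing or malformed tid claim'] unless tid.match?(GUID)

  # A multitenant app sees a different issuer per tenant, so the issuer cannot
  # be compared to one fixed string; it has to match the tenant named in tid.
  expected_iss = "https://login.microsoftonline.com/#{tid}/v2.0"
  return [false, 'issuer does not match tid'] unless claims['iss'] == expected_iss

  return [false, "tenant #{tid} is not on the allowlist"] unless allowed.include?(tid)

  [true, nil]
end

# Builds constructed sample claims for a given tenant ID.
def sample_claims(tid, iss_tid = tid)
  { 'tid' => tid, 'iss' => "https://login.microsoftonline.com/#{iss_tid}/v2.0",
    'preferred_username' => 'user@example.invalid' }
end

if __FILE__ == $PROGRAM_NAME
  tenant_a = '11111111-1111-1111-1111-111111111111'
  outsider = '33333333-3333-3333-3333-333333333333' # constructed: not allowlisted
  {
    'user from Tenant A'        => sample_claims(tenant_a),
    'user from another tenant'  => sample_claims(outsider),
    'tid/issuer mismatch'       => sample_claims(tenant_a, outsider),
    'token without tid'         => { 'iss' => 'https://login.microsoftonline.com/common/v2.0' }
  }.each do |label, claims|
    ok, reason = check_tenant(claims)
    puts format('%-26s %s', label, ok ? 'ALLOW' : "DENY (#{reason})")
  end
end
```

Rejecting unknown tenants before the first-login account is created avoids the manual clean-up of accounts for outside users.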

It’s not possible. The current suggestion is to use LDAP syncs for the user mappings.
As that’s not an option for you, check the feature request list and add one if it’s not there already: