SAML 422: Unprocessable Entity

Infos:

  • Used Zammad version: 3.6.0
  • Used Zammad installation source: Debian Package
  • Operating system: Debian 10
  • Browser + version: Chromium / Firefox

Expected behavior:

  • Getting redirected to SAML Login Page (Keycloak)

Actual behavior:

This is logged to the production.log when I click the SAML button:

I, [2021-02-11T10:30:22.553049 #28193-47414657253800]  INFO -- : Started POST "/auth/saml" for -ipremoved- at 2021-02-11 10:30:22 +0000
I, [2021-02-11T10:30:22.560099 #28193-47414657253800]  INFO -- : (saml) Request phase initiated.
F, [2021-02-11T10:30:22.572916 #28193-47414657253800] FATAL -- :
F, [2021-02-11T10:30:22.573089 #28193-47414657253800] FATAL -- : ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
F, [2021-02-11T10:30:22.573218 #28193-47414657253800] FATAL -- :
F, [2021-02-11T10:30:22.573357 #28193-47414657253800] FATAL -- : vendor/bundle/ruby/2.6.0/gems/omniauth-rails_csrf_protection-0.1.2/lib/omniauth/rails_csrf_protection/token_verifier.rb:34:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:209:in `request_call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:188:in `call!'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/builder.rb:45:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/tempfile_reaper.rb:15:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/etag.rb:27:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/conditional_get.rb:40:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/head.rb:12:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.4/lib/action_dispatch/http/content_security_policy.rb:18:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:266:in `context'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:260:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb:670:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:98:in `run_callbacks'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/callbacks.rb:26:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.4/lib/rails/rack/logger.rb:38:in `call_app'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.4/lib/rails/rack/logger.rb:26:in `block in call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.4/lib/active_support/tagged_logging.rb:71:in `block in tagged'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.4/lib/active_support/tagged_logging.rb:28:in `tagged'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.4/lib/active_support/tagged_logging.rb:71:in `tagged'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.4/lib/rails/rack/logger.rb:26:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/request_id.rb:27:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/method_override.rb:24:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/runtime.rb:22:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.4/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb:14:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/static.rb:127:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/sendfile.rb:110:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.4/lib/rails/engine.rb:524:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/puma-3.12.6/lib/puma/configuration.rb:227:in `call'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/puma-3.12.6/lib/puma/server.rb:706:in `handle_request'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/puma-3.12.6/lib/puma/server.rb:476:in `process_client'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/puma-3.12.6/lib/puma/server.rb:334:in `block in run'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/puma-3.12.6/lib/puma/thread_pool.rb:135:in `block in spawn_thread'
[f183a632-2725-4ff4-94c6-05fc0401f788] vendor/bundle/ruby/2.6.0/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'

Steps to reproduce the behavior:

  • Add a SAML Provider at Third-Party Application and try to use it.
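Added example, not from this thread, from Zammad or from the omniauth-rails_csrf_protection gem: a stand-alone Ruby re-implementation of the Rails 5.2 authenticity-token check that token_verifier.rb in the trace above applies to POST /auth/saml (it runs the standard ActionController::RequestForgeryProtection verification before OmniAuth's request phase). A plain Hash stands in for the Rails session; Zammad's actual button, form and cookie settings are not modelled, and only the global masked-token path is shown (per-form tokens and the legacy unmasked 32-byte token are left out). The two scenarios show the check passing when the page render and the POST share one session, and raising the same InvalidAuthenticityToken when the POST arrives in a fresh session, which is what Rails sees whenever the session cookie does not make it back through the proxy chain.

```ruby
require 'securerandom'
require 'base64'

# Added example (not Zammad's or Rails' code): the Rails 5.2 global
# authenticity-token scheme re-implemented on a plain Hash session.
TOKEN_LENGTH = 32

class InvalidAuthenticityToken < StandardError; end

# One raw token per session, created lazily (Rails: session[:_csrf_token]).
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

def xor_byte_strings(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Token rendered into the page: random one-time pad || (pad XOR raw), base64.
# A fresh pad per render keeps the raw token out of every response body.
def masked_authenticity_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_byte_strings(pad, real_csrf_token(session)))
end

# Constant-time equality, as ActiveSupport::SecurityUtils.secure_compare does.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mirrors valid_authenticity_token? (global-token path only): unmask the
# submitted token and compare it with the raw token of *this* session.
def valid_authenticity_token?(session, encoded)
  return false unless encoded.is_a?(String) && !encoded.empty?
  token = Base64.strict_decode64(encoded)
  return false unless token.bytesize == TOKEN_LENGTH * 2
  pad    = token.byteslice(0, TOKEN_LENGTH)
  masked = token.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
  secure_compare(xor_byte_strings(pad, masked), real_csrf_token(session))
rescue ArgumentError # not valid strict base64
  false
end

# What the verifier does for the request phase: the token may arrive as the
# authenticity_token param or the X-CSRF-Token header; anything else raises.
def verify_request!(session, params: {}, headers: {})
  token = params['authenticity_token'] || headers['X-CSRF-Token']
  raise InvalidAuthenticityToken unless valid_authenticity_token?(session, token)
  true
end

# Scenario 1: page rendered and POST submitted under the same session cookie.
def scenario_same_session
  session = {}
  token = masked_authenticity_token(session)
  verify_request!(session, params: { 'authenticity_token' => token })
end

# Scenario 2: page rendered in session A, POST /auth/saml arrives in a brand
# new session B (cookie not round-tripped through the proxy chain).
def scenario_lost_session
  token = masked_authenticity_token({})
  verify_request!({}, params: { 'authenticity_token' => token })
end

if __FILE__ == $PROGRAM_NAME
  puts "same session: #{scenario_same_session}"
  begin
    scenario_lost_session
  rescue InvalidAuthenticityToken => e
    puts "lost session: #{e.class}"
  end
end
```

The practical check this suggests: capture the POST to /auth/saml in the browser's network tab and compare the session cookie it sends with the cookie set by the page that rendered the button; if they differ, or the POST carries no cookie at all, the token cannot match and the verifier raises exactly this error. Behind a TLS-terminating proxy, the application not being told the original scheme (the X-Forwarded-Proto header mentioned later in this thread) is one common way for the cookie to stop round-tripping.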

Having the same issue.

Did you guys follow the SAML documentation for this process?
https://admin-docs.zammad.org/en/latest/settings/security/third-party/saml.html

Zammad does require some specialties, which may not work out of the box without knowing about them.
The above-mentioned documentation is basically a one-by-one PoC together with Keycloak.

I think I have configured everything mentioned in the admin docs.
But as described, I never get redirected to the login page of our Keycloak server.

I debugged a little bit further. It seems to be a CSRF issue. I have a separate/public nginx proxy in front of my zammad-docker stack (which also has an nginx, of course). Not sure how to fix the issue with a further nginx in front of it.

I think it has something to do with trusted IPs: "made nginx X-Forwarded-Proto scheme & rails trusted proxies configurable" by monotek (Pull Request #166, zammad/zammad-docker-compose on GitHub),
but I'm not sure how to integrate my public proxy.
BTW, all logins come from that proxy instead of showing the client IPs.

We have an HAProxy server in front of the nginx/Zammad service, but we have configured nginx so that it uses the real IP forwarded by our HAProxy. For that I have added

set_real_ip_from X.X.X.X;
real_ip_header X-Forwarded-For;

to the nginx.conf. Based on our logs, the Zammad service gets the real IP of the client/browser.
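Added example, not part of this thread, of Zammad or of Rails: a stand-alone Ruby re-implementation of how ActionDispatch::RemoteIp (the remote_ip.rb middleware in the trace above, actionpack 5.2) turns X-Forwarded-For into request.remote_ip using Rails' default trusted-proxy list. The addresses are constructed for the demo: browser 203.0.113.10, public proxy 198.51.100.1, internal nginx 10.0.0.5, each nginx hop appending $proxy_add_x_forwarded_for. It shows why a public-IP proxy that is not in the trusted list makes Rails report the proxy as the client (the "all logins come from that proxy" symptom earlier in the thread), why adding it to the trusted proxies fixes that without trusting a client-injected X-Forwarded-For value, and how the HAProxy setup above, where nginx's real_ip module has already rewritten $remote_addr, arrives at the client address directly.

```ruby
require 'ipaddr'

# Added example (not Zammad's or Rails' code): the ActionDispatch::RemoteIp
# algorithm from actionpack 5.2, re-implemented stand-alone.

# Rails' default trusted proxies: loopback plus RFC 1918 and IPv6 ULA ranges.
DEFAULT_TRUSTED_PROXIES = %w[127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7]
                          .map { |cidr| IPAddr.new(cidr) }

class IpSpoofAttackError < StandardError; end

# Parse a comma/space separated header into single-host IPAddr objects,
# dropping junk and anything that smuggles a netmask in.
def ips_from(header)
  return [] if header.nil? || header.strip.empty?
  header.strip.split(/[,\s]+/).map do |ip|
    begin
      addr = IPAddr.new(ip)
      range = addr.to_range
      range.begin == range.end ? addr : nil
    rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
      nil
    end
  end.compact
end

def trusted?(ip, proxies)
  proxies.any? { |p| p.family == ip.family && p.include?(ip) }
end

# Returns the client address as a String, following Rails' algorithm: walk
# X-Forwarded-For from the app side outwards, skip every trusted proxy, and
# take the first address that is not one; fall back to the far end otherwise.
def remote_ip(remote_addr:, x_forwarded_for: nil, client_ip: nil,
              trusted_proxies: DEFAULT_TRUSTED_PROXIES, check_ip: true)
  forwarded_ips = ips_from(x_forwarded_for).reverse # nearest proxy first
  client_ips    = ips_from(client_ip).reverse
  addr          = ips_from(remote_addr).last

  # Client-IP and X-Forwarded-For disagreeing is treated as spoofing.
  if check_ip && client_ips.last && forwarded_ips.last && !forwarded_ips.include?(client_ips.last)
    raise IpSpoofAttackError, "Client-IP=#{client_ip} disagrees with X-Forwarded-For=#{x_forwarded_for}"
  end

  ips = (forwarded_ips + client_ips + [addr]).compact
  untrusted = ips.reject { |ip| trusted?(ip, trusted_proxies) }
  (untrusted.first || ips.last).to_s
end

# Constructed chain: browser 203.0.113.10 -> public nginx 198.51.100.1
# -> internal nginx 10.0.0.5 -> Rails (each hop appends its peer address).
CHAIN_XFF = '203.0.113.10, 198.51.100.1'
PUBLIC_PROXY = IPAddr.new('198.51.100.1')

# Public proxy not trusted: Rails stops at it and reports the proxy as client.
def with_default_proxies
  remote_ip(remote_addr: '10.0.0.5', x_forwarded_for: CHAIN_XFF)
end

# Public proxy added to the trusted list: Rails walks past it to the browser.
def with_public_proxy_trusted
  remote_ip(remote_addr: '10.0.0.5', x_forwarded_for: CHAIN_XFF,
            trusted_proxies: DEFAULT_TRUSTED_PROXIES + [PUBLIC_PROXY])
end

# Browser injects its own X-Forwarded-For; the trusted hops append the real
# peer after it, so the walk stops at the real browser, never at 1.2.3.4.
def with_spoofed_header
  remote_ip(remote_addr: '10.0.0.5', x_forwarded_for: "1.2.3.4, #{CHAIN_XFF}",
            trusted_proxies: DEFAULT_TRUSTED_PROXIES + [PUBLIC_PROXY])
end

# HAProxy setup from the thread: nginx's real_ip module already rewrote
# $remote_addr to the browser, so Rails sees the client directly.
def with_nginx_real_ip
  remote_ip(remote_addr: '203.0.113.10', x_forwarded_for: '203.0.113.10')
end

if __FILE__ == $PROGRAM_NAME
  puts "default trusted proxies : #{with_default_proxies}"
  puts "public proxy trusted    : #{with_public_proxy_trusted}"
  puts "spoofed header          : #{with_spoofed_header}"
  puts "nginx real_ip           : #{with_nginx_real_ip}"
end
```

Two things follow from the walk. First, the public proxy's address has to be in the trusted list (the setting PR #166 mentioned above makes configurable in the docker-compose stack) or rewritten away by real_ip before Rails sees it; either is fine, but the address must be the one that actually appears as the previous hop. Second, trusting a range is only safe if every host in it really is your proxy, because anything a trusted hop forwards is believed.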
