SAML and LDAP are not working in one setup which is exactly the same as a working setup

Infos:

  • Used Zammad version:
  • Used Zammad installation type: package
  • Operating system: ubuntu 20.04
  • Browser + version: chrome 99

Expected behavior:

I can log in using SAML and it associates the account with the correct LDAP-Account (according to the matching email-address).

Actual behavior:

When I log in with the SAML-Button it will either associate the account with a random account or create a new user with a "1" appended to his email.

Steps to reproduce the behavior:

Set up LDAP and SAML.
Use “NameID Property Mapping” “E-Mail”.

The weird thing about this is that I checked all the settings I think are relevant on one system and the other… and it only works on one.

The difference is that smh when I look at Profile-Connected Accounts when logged in via SAML I see the “email-address” on the working one, but not on the new non-working setup. There I only see “”.

@letmesetupthis same here!

Check if your identity provider returns the correct SAML format:

<saml:Attribute FriendlyName="Given name" Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Marcel</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute FriendlyName="Family name" Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Herrguth</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute FriendlyName="Email address" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jdoe@example.com</saml:AttributeValue>
</saml:Attribute>

That is the only format that Zammad can work with.
You can check Zammad's SAML reference here:
https://support.zammad.com/auth/saml/metadata

Or replace “support.zammad.com” with your FQDN.
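
The check suggested in the reply above, as an added example that is not part of the original posts and is not Zammad's code: a Python script that inspects a decoded SAML response captured from the identity provider and reports a missing NameID or attributes that do not match the `first_name` / `last_name` / `email` layout shown. The function names and the sample XML are constructed for illustration. The NameID-equals-email comparison is an assumption based on the “E-Mail” NameID mapping mentioned in the first post. It checks the shape of the assertion only, not its signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
REQUIRED = ("first_name", "last_name", "email")  # attribute names from the snippet above

# Constructed sample (not from a real IdP): empty NameID, email sent in URI format.
SAMPLE_BAD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:NameID/></saml:Subject>
<saml:AttributeStatement>
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def text_of(el):
    """Stripped text of an element, or '' when the element is absent or empty."""
    return (el.text or "").strip() if el is not None else ""

def check_assertion(xml_text):
    """Return (name_id, attributes, problems) for a decoded SAML response or assertion."""
    # SAML messages never need a DTD; refuse it rather than hand it to the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations do not belong in SAML; not parsing")
    root = ET.fromstring(xml_text)
    problems = []
    name_id = text_of(root.find(".//saml:Subject/saml:NameID", NS))
    if not name_id:
        problems.append("NameID is missing or empty")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = text_of(attr.find("saml:AttributeValue", NS))
        attrs[attr.get("Name")] = (value, attr.get("NameFormat"))
    for name in REQUIRED:
        if name not in attrs:
            problems.append(f"attribute '{name}' is missing")
            continue
        value, fmt = attrs[name]
        if not value:
            problems.append(f"attribute '{name}' is empty")
        if fmt != BASIC:
            problems.append(f"attribute '{name}' has NameFormat {fmt}, expected basic")
    # Assumption: with the NameID mapping set to E-Mail, NameID should equal the email attribute.
    email = attrs.get("email", ("", None))[0]
    if name_id and email and name_id.lower() != email.lower():
        problems.append("NameID differs from the email attribute")
    return name_id, {k: v[0] for k, v in attrs.items()}, problems

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE_BAD)[2]:
        print("PROBLEM:", problem)
```

Running it against the response from both the working and the non-working setup shows which field differs between them.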