Infos:

• Used Zammad version: 5.2.3
• Used Zammad installation type: (source)
• Operating system: ubuntu 20.04 LTS
• Browser + version: Chrome, newest version

Expected behavior:

• I have a working saml configuration with authentik as IdP and Zammad
• Login via SAML from zammad-login page is working fine. User creation is fine. Attribute mapping is fine.

But what I want to achieve is the following. (2 things):

1) URL to login directly

my IdP “Authentik” provides a login page with links to the various solutions like this

image1131×1177 91 KB

Right now if I click on this button it redirects me to the login page of zammad and then I have to click “login with sso”. So I want to jump right into zammad. I tried https://zammad-url/auth/saml but zammad tells me that this does not exist.
The question is: is an url available to jump right into the saml authentication?

2) Assign Permission with attribute mapping

if I create a new user at the IdP and this users logs into zammad, this person has absolutely no rights. A sysadmin has to grant rights to this person before he can start working.

Is there the possibility to grant the permission “agent”? Every user that logs in via SAML should be at least an agent. Is this possible?

Thanks and best regards
Christoph

Hi, could you share it with me? If I try to log in with SAML I get " 422: The change you wanted was rejected."

Of course. Here is my configuration:

• auth.seatable.io is my IdP
• support.seatable.io is my Zammad-System

Configuration in Authentik

In Authentik I created a SAML Provider:

• ACS URL: https://support.seatable.io/auth/saml/callback
• Issuer: https://support.seatable.io/auth/saml/metadata
• Service Provider Binding: Post
• Audience: https://support.seatable.io/auth/saml/metadata
• (Advanced Settings) Signing Certificate: select one
• (Advanced Settings) Verification Certificate: empty
• (Advanced Settings) Property mappings: I added two custom mappings: “email” and “name”
• (Advanced Settings) NameID Property Mapping: Zammad
  – email and name are defined in “Customisation → Property Mappings → SAML Property Mapping”

These custom mappings are necessary because Zammad expects the values name and email as described here: SAML — Zammad Admin Documentation documentation.

Configuration in Zammad is simple:

• IDP SSO Ziel-URL: https://auth.seatable.io/application/saml/ticketsystem-seatable/sso/binding/init/
• IDP-Zertifikat: ----BEGIN CERTIFICATE---- …
  Finterprint: empty
  NAME IDENTIFIER FORMAT: empty
  Callback URL: https://support.seatable.io/auth/saml/callback

URL to start SSO from authentik

as target url inside “authentik-application” I don’t use https://support.seatable.io. Otherwise the users have to click again on the button “Login with SAML”. To jump right into SSO, just use as target URL authentik url.

I hope this helps.
Christoph

Thanks for your help now the login works<3

Can you tell me what was wrong? I assume you missed the custom properties, right?

Yes and I have removed the Fingerprint from the Zamad Configuration
Didn’t think I needed the rewrite, because the variables have the same name.

I accessed the Ziel-URL via IP address but it displayed like this:

image1060×684 80.1 KB

If I know correctly, SSO only works with a valid SSL certificate?

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.