SAML Authentication (with Authentik): SAML Login-URL and auto-assign permission


  • Used Zammad version: 5.2.3
  • Used Zammad installation type: (source)
  • Operating system: ubuntu 20.04 LTS
  • Browser + version: Chrome, newest version

Expected behavior:

  • I have a working saml configuration with authentik as IdP and Zammad
  • Login via SAML from zammad-login page is working fine. User creation is fine. Attribute mapping is fine.

But what I want to achieve is the following. (2 things):

1) URL to login directly

my IdP “Authentik” provides a login page with links to the various solutions like this

Right now if I click on this button it redirects me to the login page of zammad and then I have to click “login with sso”. So I want to jump right into zammad. I tried https://zammad-url/auth/saml but zammad tells me that this does not exist.
The question is: is an url available to jump right into the saml authentication?

2) Assign Permission with attribute mapping

if I create a new user at the IdP and this users logs into zammad, this person has absolutely no rights. A sysadmin has to grant rights to this person before he can start working.

Is there the possibility to grant the permission “agent”? Every user that logs in via SAML should be at least an agent. Is this possible?

Thanks and best regards

1 Like

Hi, could you share it with me? If I try to log in with SAML I get " 422: The change you wanted was rejected."

Of course. Here is my configuration:

Configuration in Authentik

In Authentik I created a SAML Provider:




These custom mappings are necessary because Zammad expects the values name and email as described here: SAML — Zammad documentation.

Configuration in Zammad is simple:

URL to start SSO from authentik

as target url inside “authentik-application” I don’t use Otherwise the users have to click again on the button “Login with SAML”. To jump right into SSO, just use as target URL authentik url.

I hope this helps.

1 Like

Thanks for your help now the login works<3

Can you tell me what was wrong? I assume you missed the custom properties, right?

Yes and I have removed the Fingerprint from the Zamad Configuration
Didn’t think I needed the rewrite, because the variables have the same name.

I accessed the Ziel-URL via IP address but it displayed like this:

Is there anything wrong with my Ziel-URL?

If I know correctly, SSO only works with a valid SSL certificate?

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.