SAML best practice

Hello there,

It’s not really a feature request, more a question on the best practice when using Zammad and Keycloak/SAML.

I managed to make it work (there’s a small typo in the doc, I can contribute if you like), that’s great!

However, right now, my support team is currently logging in via LDAP, because I don’t want to mix internal users in the same realm as my customers.

Ideally (if it makes sense), having multiple realms configurable in Zammad might do the trick. But before asking that, I wonder if it’s the right way to do it.

Maybe having my customer realm with my internal LDAP as federation + “internal” customer database in parallel makes sense? (I don’t like to mix them, but anyway if it’s the right way.)

So what do you think would be the best approach on that?

Also, last question: is it possible to “send” our customers directly connected to Zammad if they are already logged in to Keycloak, without having to click on the “SAML” button? (because it might be confusing for them). If not, what’s the best practice in this case? (Ideally, I’d like to get transparent login as far as possible.)


This is something that I think a lot of people want. Please heart the feature request to bring attention.