SAML Keycloak mail field not filled

Infos:

  • Used Zammad version: 4.0.x
  • Used Zammad installation type: (source, package, docker-compose, …) package
  • Operating system: Debian 10
  • Browser + version: Firefox 89.0b15 (64-Bit)

I connected my Keycloak instance with the Zammad instance via SAML.
I can log in and the account is linked with the SAML user, but the email field is not filled in the admin interface.

I hope someone can help me there.

I see the same behaviour here, the account is created just as it should, but the email address is empty.
On the Zammad side, I have set up the name identifier format as mentioned in the documentation to:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

On the Keycloak side, I had to change the mapping for the email stuff to use the username field and add a second mapping for the SAML emailAddress attribute.

So on Keycloak:
Name: first_name
Mapper type: User property
Property: firstName
SAML Attribute Name: first_name

Name: last_name
Mapper type: User property
Property: lastName
SAML Attribute Name: last_name

Name: name
Mapper type: User property
Property: fullName
SAML Attribute Name: name

Name: EmailAddress-Email
Mapper type: User property
Property: username
SAML Attribute Name: emailAddress

Name: email
Mapper type: User property
Property: username
SAML Attribute Name: email

This way the integration now works just fine, and it also maps existing Zammad accounts based on the email address.

Are you sure that both of these are correct?

For me, it does not set the mail as the email; it tries to set the username as the email.

It depends on your Keycloak settings.
In our setup username = email address, so yes, for us it's correct.

If you wish to use the email field from Keycloak, then I assume that you use the other field as in the Zammad documentation.

But what's important is to have both mappings, SAML attribute name: email AND emailAddress.

I changed both entries to Property = emailAddress.
But still the email address in Zammad is not set.
I have these mappers as you described above.

On my end we have username as username and email as email.

Could you try with email as the property and not emailAddress?
I think that the documentation might be wrong in that place for Keycloak.
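Added example (not Zammad's or Keycloak's code), in Ruby since Zammad is a Rails application: it parses the attribute statement of a constructed SAML assertion that uses the mapper names from this thread and fills the four fields Zammad maps, showing why an `email` mapper that carries the Keycloak username leaves the address empty while one that carries the email property fills it. The address check, the NameID fallback and all sample values are assumptions of the example, not documented Zammad behaviour.

```ruby
require 'rexml/document'

NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze
EMAIL_NAMEID = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'.freeze
EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

# Collect the attribute statement and the NameID of one (already verified) assertion.
def parse_assertion(xml)
  doc = REXML::Document.new(xml)
  attrs = {}
  REXML::XPath.each(doc, '//saml:Attribute', NS) do |a|
    value = REXML::XPath.first(a, 'saml:AttributeValue', NS)
    attrs[a.attributes['Name']] = value&.text.to_s.strip
  end
  name_id = REXML::XPath.first(doc, '//saml:NameID', NS)
  { attributes: attrs, name_id: name_id&.text.to_s.strip,
    name_id_format: name_id && name_id.attributes['Format'] }
end

# Build the four fields Zammad maps (firstname, lastname, login, email). Assumed rule:
# a value that is not an address is never stored as the email, so a username mapped
# onto the "email" attribute leaves the field empty, which is the symptom in the thread.
def map_user(assertion)
  attrs = assertion[:attributes]
  email = attrs['email']
  if !EMAIL_RE.match?(email.to_s) && assertion[:name_id_format] == EMAIL_NAMEID
    email = assertion[:name_id] # fall back to an emailAddress-format NameID
  end
  { firstname: attrs['first_name'], lastname: attrs['last_name'],
    login: assertion[:name_id], email: EMAIL_RE.match?(email.to_s) ? email : nil }
end

# Constructed assertion skeleton (no signature or conditions) with the thread's attribute names.
def assertion_xml(name_id, email_attr)
  <<~XML
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Subject><saml:NameID Format="#{EMAIL_NAMEID}">#{name_id}</saml:NameID></saml:Subject>
      <saml:AttributeStatement>
        <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
        <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
        <saml:Attribute Name="email"><saml:AttributeValue>#{email_attr}</saml:AttributeValue></saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  XML
end

# "email" mapper pointing at the Keycloak property username (the thread's starting setup,
# username "jdoe") versus pointing at the property email (the fix that worked).
BROKEN = assertion_xml('jdoe', 'jdoe')
FIXED  = assertion_xml('jdoe', 'jane.doe@example.com')
```

`map_user(parse_assertion(BROKEN))[:email]` comes back `nil`, while the same call on `FIXED` returns the address, which is the difference the two mapper properties make.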

Thanks, that works.
Do you happen to know if it's possible to assign a SAML user to an organisation automatically?

If there's something wrong with that documentation part, a pull request would be very welcome to improve those things!

You're looking for domain assignment - however, this only triggers once during account creation and not for existing accounts.

Nah, I was looking to do this via a SAML mapping attribute.
But I think that's not that easy, or do you know a way to get there?

Zammad does not allow attribute mapping apart from firstname, lastname, login and email.
Even if it did, it wouldn't help you in the organization context because that's a field you can't map even with LDAP.