SAML Keycloak mail field not filled

Lapotor · May 26, 2021, 5:12pm

Infos:

Used Zammad version: 4.0.x
Used Zammad installation type: (source, package, docker-compose, …) package
Operating system: Debian 10
Browser + version: Firefox 89.0b15 (64-Bit)

I connected my Keycloak instance with the Zammad instance over SAML.
I can log in and the account is linked with the saml user but the EMail Field is not filled in the Admin Interface.

I hope someone can help me there.

a-schild · May 31, 2021, 3:02pm

I see the same behaviour here, the account is created just as it should, but the email address is empty.
On Zammad side, I have setup the name identifier format as mentioned in the documentation to:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

On Keycloak side, I had to change the mapping for the email stuff to use the username field and add a second mapping for the SAML emailAddress attribute

So on keycloak:
Name: first_name
Mapper type: User property
Property: firstName
SAML Attribute Name: first_name

Name: last_name
Mapper type: User property
Property: lastName
SAML Attribute Name: last_name

Name: name
Mapper type: User property
Property: fullName
SAML Attribute Name: name

Name: EmailAddress-Email
Mapper type: User property
Property: username
SAML Attribute Name: emailAddress

Name: email
Mapper type: User property
Property: username
SAML Attribute Name: email

This way the integration now works just fine and it also mas existing zammad account based on the email address

Lapotor · May 31, 2021, 4:08pm

Are you sure that these both are correct?

For me it returns that not the mail get set as an email, it tries to set the username as a email.

a-schild · May 31, 2021, 4:41pm

It depends on your keycloak settings.
In our setup username=email address, so yes, for us it’s correct.

If you wish to use the email field from keycloak, then I assume that you use the other field as in the zammad docu.

But what’s important, is to have both mappings, SAML attribute name: email AND emailAddress

Lapotor · May 31, 2021, 5:20pm

i changed both entries to Property = emailAddress
But still the E-Mail Address in Zammad is not set.
I have these Mappers as you described above.
grafik

On my end we have username as username and email as email

a-schild · May 31, 2021, 6:58pm

Could you try with email as the property and not emailAddress?
I think that the documentation might be wrong in that place for Keycloak

Lapotor · May 31, 2021, 7:52pm

Thanks that works.
Do you may know if it’s possible to assign a SAML user to a organisation automaticaly?

MrGeneration · July 16, 2021, 11:27am

If there’s something wrong with that documentation part a pull request would be very welcome to improve those things!

You’re looking for domain assignment - however, this only triggers once during account creation and not for existing ones.

Lapotor · July 23, 2021, 9:55am

Na I was looking to do this over a SAML Mapping attribute.
But I think that’s not that easy or do you know something how to go there?

MrGeneration · July 31, 2021, 1:55pm

Zammad does not allow attribute mapping apart from firstname, lastname, login and email.
Even if it would, it wouldn’t help you in organization context because that’s a field you can’t map even with ldap.

system · November 28, 2021, 1:56pm

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.