Infos:
- Used Zammad version: 6.4.1
- Used Zammad installation type: (Package)
- Operating system: Ubuntu
- Browser + version: Firefox Latest
Expected behavior:
I have set up SAML authentication for Zammad in Authentik using Zammad’s metadata. It works fine, except when using the SLO link for session invalidation. Although the user is redirected to the Authentik logout prompt and sees a message indicating they have been logged out from Zammad, the session is not actually terminated.
I believe this is exactly what was reported in the last post:
This can be observed when opening Zammad in a separate tab – the session remains active.
The Zammad log shows that a sign-out process was triggered:
I, [2025-02-17T12:10:30] INFO -- : Started DELETE "/api/v1/signout" for 192.168.xx.xx at 2025-02-17 12:10:30 +0100
I, [2025-02-17T12:10:30] INFO -- : Processing by SessionsController#destroy as JSON
I, [2025-02-17T12:10:30] INFO -- : Completed 200 OK in 8ms (Views: 0.1ms | ActiveRecord: 0.9ms | Allocations: 3254)
However, in reality, the session remains open.
The SLO link from the metadata is as follows. The method (“POST” or “Redirect”) does not make a difference in this case.
https://example.com/application/saml/z-sso/slo/binding/redirect/