Almost working with SAML via Keycloak 7.0:
got things configured how I think they need to be in Zammad, using a working Nextcloud <-> Keycloak SAML integration for reference of the various SAML config items.
In Zammad I enabled the auto-mapping feature for third party integration. I also manually added a Zammad user with the same username/email address that I have in Keycloak already to ensure the account is mapped correctly.
Then i was able to grab a valid-looking metadata.xml file from the zammad instance at:
Import that into Keycloak as a new client.
Since zammad doesn’t present any certs/keys on the SP side, we need to disable a setting in Keycloak: clients -> Zammad Helpdesk -> Client Signature Required : OFF
Now that SAML is configured and enabled on both sides, i click “OR SIGN IN USING” -> “SAML”
Keycloak login page appears, log in using my test user that exists already in keycloak, and a matching user exists in Zammad.
The login is “successful” from Keycloak’s point of view, but keycloak shows an error: “Failed to process request” instead of redirecting back to Zammad.
When this happens in the Keycloak logs i see:
2019-09-04 17:24:59,126 ERROR [org.keycloak.protocol.saml.SamlProtocol] (default task-61) failed:java.lang.IllegalArgumentException: Illegal character in path at index 6: Zammad Helpdesk at java.net.URI.create(URI.java:852)
so it appears the Client ID, being hard-coded to “Zammad Helpdesk” is causing an illegal character problem due to the space character. I’ve attempted to escape the value: Zammad%20Helpdesk but this results in “client not found” on Keycloak. Keycloak uses the ClientID to find the correct SAML configuration to use. Client ID in keycloak = EntityID in the SAML metadata XML files.
In the working nextcloud example, the clientID is actually a link to the metadata URL, here’s a comparison of the two XML files “EntityDescriptor” lines:
<md:EntityDescriptor ID="_6ce7f6f7-3280-4770-a9a2-a25bd7032c77" entityID="Zammad Helpdesk" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2019-09-06T16:37:42Z" cacheDuration="PT604800S" entityID="https://nextcloud.mydomain1234.org/index.php/apps/user_saml/saml/metadata" ID="pfx09b5ac53-2700-1a53-8d84-de9cabf67c88"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
All the keycloak examples i find for SAML avoid using spaces for the Client ID field. So perhaps we need to change the ClientID that Zammad is sending to something without spaces, or perhaps it should be changed to the meta data URL, similar to how nextcloud’s Saml app generates its XML metadata config file.
I’m looking into how to re-map the Keycloak ClientID to something else, but that seems to a primary key so to speak.
It looks like Zammad is using OmniAuth library for the SSO? if that’s the case i can find some other apps using omniauth and look into the XML metadata they provide to see what Zammad should send as the EntityID/Client ID that Keycloak will tolerate.
Thanks for getting this feature ready, it seems i’m one step away from having it functional.