SAML Single Logout Service Redirect

• Used Zammad version: 6.4.1-1741348581.b9a98307.bookworm
• Used Zammad installation type: package
• Operating system: Debian 12
• Browser + version: Firefox 128.7.0esr

Expected behavior:

• Redirect to Zammad login page.

Actual behavior:

• Redirects to Zammad SAML metadata page.

Steps to reproduce the behavior:

• Configure Keycloak in production mode with SAML client, import the Zammad metadata xml file, add user property ‘email’ mapping, and add certificate.

• Master SAML Processing URL: https://zammad.domain.tld/auth/saml/metadata

• Enable sign assertions

• Configure Zammad with SAML SSO, HTTPS setup in nginx.

• IDP SSO target URL: https://keycloak.domain.tld/realms/name/protocol/saml

• IDP Single Logout target URL: https://keycloak.domain.tld/realms/name/protocol/saml

• IDP Cert: cert-blob without begin/end

• Name Identifier Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

• SSL Verify: no

• Sign in with SSO > Keycloak user > mapped to Zammad user

• Sign out

• Redirects to https://zammad.domain.tld/auth/saml/metadata

I have the same issue.

Is the logout URL on the Keycloak side configured correctly?

By clicking Sign-Out you mean inside Zammad?

Same issue. Logged out from SAML Identify provider, but session is not terminated in Zammad. (using Microsoft Entra ID as IDP)

Is there any update in this?

Currently, we have no other reported problems when it’s configured in the correct way.

So we would need more details, for example, some logs when Zammad is called in this situation.