SAML SSO Issues: Single-Logout/custom metadata creation

Hello guys,
I’m new to the Zammad community and recently I have installed and configured Zammad in a docker container, at first I have synced my users from LDAP. And Roles are also mapped from LDAP.
I tried configuring SAML SSO authentication with Keycloak as IdP.
After authentication it redirects me to the Zammad portal without the roles.
Following are the details:

  • Used Zammad version: 3.7
  • Used Zammad installation source: Docker
  • Operating system: Debian GNU/Linux 10
  • Browser + version: Firefox and chrome (latest)

I’m stuck at following points. Need tech assistance

  1. How to configure/sync the roles either from IdP or from LDAP after authentication ?
  2. Is there anyway I can customized the SAML metadata for Zammad ?
  3. How to configure the Single-Logout feature ?

Best Regards,

I’m afraid that’s correct.
Zammad expects these attributes:

Name EmailAddress-Email
Mapper Type User Property
Property emailAddress
SAML Attribute Name email
SAML Attribute NameFormat basic

This excludes roles. Roles are in general ignored by Zammad in this regard.

The only way to achieve what you want would be to synchronize your ldap source (which should contain the same user base) and allow them to login via SAML. This should provide the required role permissions.

Alternatively you could also apply agent or admin roles once to the user as Zammad will not overwrite them if not ldap sync is in place.

Note that this doesn’t matter to customer users, as Zammad will apply the default signup role for that.

No, sorry.

Zammad does not provide such a functionality, I’m sorry.

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.