SAML using SimpleSamlPHP 2.x fails to retrieve user's email address

Infos:

  • Used Zammad version: 5.4.1-1684779241.4e46055a.focal
  • Used Zammad installation type: package
  • Operating system: Ubuntu 20.04
  • Browser + version: any

I’m trying to configure Zammad as SP to SimpleSamlPHP, but I’m unable to send back the email address from the IdP. I configured it in the past with SimpleSamlPHP 1.19, and I still have this configuration running, but I’m unable to replicate it with 2.x. The SSP user backend is an AD database.

I fetched the metadata XML from Zammad and converted it to SSP using the metadata converter. I had to change the NameIDFormat, as the one generated from the XML didn’t match the requirement (Zammad expects an email address as unique identifier!); I will eventually file a bug if I make it work.

When I log in to Zammad via SAML it fails to retrieve the email address (which does exist in the IdP response). At this stage it’s apparently fetching the user name, but the email address is missing.

This is the data SSP returns to Zammad (decoded from base64):

<samlp:Response Destination="https://assistenza.salca.com/auth/saml/callback" ID="_6f19bd80afb574d00f4459bb10ec739c4778c282db" InResponseTo="_4613737f-5054-4147-b0e3-28dbf470453c" IssueInstant="2023-06-01T12:38:58Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer>https://login.salca.com/sso/saml-idp</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#_6f19bd80afb574d00f4459bb10ec739c4778c282db">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>data</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>signaturedata</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>certdata</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion ID="_b826416f993289643ad05d0db295b26a5dc3c241dd" IssueInstant="2023-06-01T12:38:58Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:Issuer>https://login.salca.com/sso/saml-idp</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="https://assistenza.salca.com/auth/saml/metadata">_2b62bc57af0d64a1e841ab5b223c466d1bbbf263c1</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData InResponseTo="_4613737f-5054-4147-b0e3-28dbf470453c" NotOnOrAfter="2023-06-01T12:43:58Z" Recipient="https://assistenza.salca.com/auth/saml/callback"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2023-06-01T12:38:28Z" NotOnOrAfter="2023-06-01T12:43:58Z">
            <saml:AudienceRestriction>
                <saml:Audience>https://assistenza.salca.com/auth/saml/metadata</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2023-06-01T12:38:58Z" SessionIndex="_1fd2a2399716e6d6a9a7ceaf8480ca045f34d01a50" SessionNotOnOrAfter="2023-06-01T20:38:58Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="urn:oid:2.5.4.41" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">Lorenzo Milesi</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">Milesi</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">Lorenzo</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="user" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">lorenzo.milesi</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">lorenzo.milesi@salca.com</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

I see the email address is present in the returned data, but being unfamiliar with SAML in general, I’m not sure if the field name is appropriate.
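As an added diagnostic (not code from Zammad or SimpleSAMLphp), the script below parses a response like the one above, lists every attribute with a friendly label for the well-known OIDs, and reports the NameID format. It assumes a constructed, trimmed copy of the posted response (signature and status removed) and a small OID table; the label "emailAddress" is the PKCS#9 OID carried in the post, while LDAP "mail" is a different OID that an SP mapping may be keyed on instead.

```python
"""Added diagnostic (not Zammad or SimpleSAMLphp code): list the attributes
and NameID format carried by a SAML 2.0 Response. SAMPLE_RESPONSE is a
constructed, trimmed copy of the response in the post."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute OIDs commonly seen in assertions: PKCS#9 emailAddress, LDAP mail, X.520 name.
OID_NAMES = {"urn:oid:1.2.840.113549.1.9.1": "emailAddress",
             "urn:oid:0.9.2342.19200300.100.1.3": "mail",
             "urn:oid:2.5.4.41": "name"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

SAMPLE_RESPONSE = """<samlp:Response Version="2.0"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_2b62bc57af0d</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:2.5.4.41"><saml:AttributeValue>Lorenzo Milesi</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="user"><saml:AttributeValue>lorenzo.milesi</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1"><saml:AttributeValue>lorenzo.milesi@salca.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def inspect_response(xml_text):
    """Return (attrs, nameid_format, notes); attrs maps each Attribute Name to
    {'label': friendly name for a known OID, 'values': [...]}."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        name = a.get("Name")
        values = [v.text for v in a.iterfind("saml:AttributeValue", NS)]
        attrs[name] = {"label": OID_NAMES.get(name, name), "values": values}
    nameid = root.find(".//saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    notes = []
    if fmt != EMAIL_NAMEID:  # subject identifier is opaque, no address in it
        notes.append(f"NameID Format is {fmt}: the subject identifier carries no address")
    emails = [n for n in attrs if attrs[n]["label"] in ("emailAddress", "mail")]
    if emails:
        notes.append("e-mail present only as attribute(s) " + ", ".join(emails)
                     + "; the SP's attribute mapping must use that exact Name")
    else:
        notes.append("no well-known e-mail attribute present")
    return attrs, fmt, notes


for line in inspect_response(SAMPLE_RESPONSE)[2]:
    print(line)
```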

Expected behavior:

  • Login via SAML retrieves email address

Actual behavior:

  • Login via SAML is successful, but the created user doesn’t contain an email address

Steps to reproduce the behavior:

  • Configure SAML login