SAML via Keycloak

  • Used Zammad version: 6.0.0-1691652171.0ad3e376.bookworm
  • Used Zammad installation type: your PPA-repository
  • Operating system: Debian 12
  • Browser + version: newest Chrome

Dear Zammad Team,

trying to set up SAML authentication through our Keycloak cluster, the following error message came up in the browser:


I then noticed that not a single packet was sent to our Keycloak, so I checked the log and found this message:

I, [2023-08-14T05:52:27.193884#46050-112160] INFO – : Started GET “/auth/failure?message=ActionController%3A%3AInvalidAuthenticityToken&strategy=saml” for at 2023-08-14 05:52:27 +0000
I, [2023-08-14T05:52:27.198539#46050-112160] INFO – : Processing by SessionsController#failure_omniauth as HTML
I, [2023-08-14T05:52:27.198713#46050-112160] INFO – : Parameters: {“message”=>“ActionController::InvalidAuthenticityToken”, “strategy”=>“saml”}
E, [2023-08-14T05:52:27.208887#46050-112160] ERROR – : Message from saml: ActionController::InvalidAuthenticityToken (Exceptions::UnprocessableEntity)
app/controllers/sessions_controller.rb:125:in failure_omniauth' app/controllers/application_controller/has_download.rb:21:in block (4 levels) in module:HasDownload
app/controllers/application_controller/has_download.rb:20:in block (3 levels) in <module:HasDownload>' app/controllers/application_controller/has_download.rb:19:in block (2 levels) in module:HasDownload
app/controllers/application_controller/handles_transitions.rb:16:in `handle_transaction’
I, [2023-08-14T05:52:27.210965#46050-112160] INFO – : Rendered inline template (Duration: 0.5ms | Allocations: 272)
I, [2023-08-14T05:52:27.211285#46050-112160] INFO – : Completed 422 Unprocessable Entity in 12ms (Views: 1.0ms | ActiveRecord: 3.7ms | Allocations: 2901)

Please let us know, what we are doing wrong.


After trying a lot I finally made it to forward the request to keycloak thanks to your hint with this link to a page of your docs:

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.