Infos:
- Used Zammad version: 5.4.0-19
- Used Zammad installation type: K8s v1.25 + Official helm chart + Nginx ingress
- Operating system: Fedora
- Browser + version: Firefox 112
Goal
Set up SAML authentication on a self-hosted Zammad
Expected behavior:
Zammad should somehow be made aware that the TLS certificate is managed by another proxy/service, and that clients are connecting using a secure TLS session.
In this scenario, Zammad should expect the SAML callback to happen using the HTTPS scheme.
Actual behavior:
SAML authentication is not working, because Zammad expects the IdP SAML callback to happen using the HTTP scheme.
Logs from the Rails container:
(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Invalid Audience. The audience https://zammad.somedomain.com/auth/saml/metadata, did not match the expected audience http://zammad.somedomain.com/auth/saml/metadata
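The mismatch in the log line above comes from how a Rack/Rails application behind a TLS-terminating proxy decides what scheme the client used. The following is an added example, not Zammad's or omniauth-saml's own code: a small stand-in for the scheme detection Rack performs (honouring the standard X-Forwarded-Proto / X-Forwarded-SSL headers), the audience URL built from it using the host and path from the log line, and the audience comparison that fails when the proxy passes plain HTTP without telling the application the original connection was TLS. The two request environments are constructed for the example.

```ruby
# Added example (not Zammad's code): why the SAML audience check fails when a
# TLS-terminating proxy forwards plain HTTP without a forwarded-scheme header.

# Minimal stand-in for the scheme detection Rack performs: trust the standard
# forwarded headers first, otherwise use the scheme of the raw connection.
def request_scheme(env)
  return 'https' if env['HTTP_X_FORWARDED_SSL'] == 'on'
  forwarded = env['HTTP_X_FORWARDED_PROTO']
  return forwarded.split(',').first.strip if forwarded && !forwarded.empty?
  env['rack.url_scheme']
end

# The SP metadata URL that serves as the expected audience is built from the
# request scheme; host and path are taken from the log line in the report.
def expected_audience(env, host: 'zammad.somedomain.com')
  "#{request_scheme(env)}://#{host}/auth/saml/metadata"
end

# Mirror of the audience validation that produced the error: the IdP echoes
# back the audience it was given in the exported SP metadata.
def audience_valid?(env, idp_audience)
  expected_audience(env) == idp_audience
end

# Constructed sample environments. The pod receives plain HTTP from the load
# balancer, so rack.url_scheme is 'http'; only a forwarded header can say
# that the client actually connected over TLS.
PLAIN_PROXY_ENV = { 'rack.url_scheme' => 'http' }.freeze
FORWARDING_PROXY_ENV = { 'rack.url_scheme' => 'http',
                         'HTTP_X_FORWARDED_PROTO' => 'https' }.freeze

# Audience the IdP sends back, as seen in the log line.
IDP_AUDIENCE = 'https://zammad.somedomain.com/auth/saml/metadata'.freeze

if __FILE__ == $PROGRAM_NAME
  [PLAIN_PROXY_ENV, FORWARDING_PROXY_ENV].each do |env|
    puts "expected #{expected_audience(env)} -> valid? #{audience_valid?(env, IDP_AUDIENCE)}"
  end
end
```

Without the forwarded header the application computes the `http://` audience from the log line and rejects the assertion; with `X-Forwarded-Proto: https` set by the hop that knows the client used TLS, the computed audience matches the `https://` value in the exported metadata. Which component has to add that header depends on where TLS is terminated in the chain.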
Steps to reproduce the behavior:
- Install Zammad on a K8s cluster using the official Helm chart
- Customize the official Helm chart to enable Ingress
- The Nginx Ingress controller is handling the TLS certificate using an AWS NLB (Network Load Balancer)
- Communication between the AWS NLB and the Zammad Nginx pod (using a K8s ClusterIP service type) is in plain HTTP (no certificate)
- Export the SAML metadata to the IdP