Set up SAML on a self-hosted Zammad while TLS certificate is managed by K8S ingress

Infos:

  • Used Zammad version: 5.4.0-19
  • Used Zammad installation type: K8s v1.25 + Official helm chart + Nginx ingress
  • Operating system: Fedora
  • Browser + version: Firefox 112

Goal

Set up SAML authentication on a self-hosted Zammad

Expected behavior:

Zammad should somehow be made aware that the TLS certificate is managed by another proxy/service, and that clients are connecting using a secure TLS session.

In this scenario, Zammad should expect the SAML callback to happen using the HTTPS scheme.

Actual behavior:

SAML authentication is not working, because Zammad expects the IDP SAML callback to happen using the HTTP scheme.

Logs from the Rails container:

(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Invalid Audience. The audience https://zammad.somedomain.com/auth/saml/metadata, did not match the expected audience http://zammad.somedomain.com/auth/saml/metadata

Steps to reproduce the behavior:

  1. Install zammad on K8S cluster using official Helm Chart
  2. Customize official helm chart to enable Ingress
  3. Nginx Ingress controller is handling TLS certificate using AWS NLB (Network Load Balancer)
  4. Communication between AWS NLB and Zammad Nginx pod (Using K8S ClusterIP service type) is in plain HTTP (No certificate)
  5. Export SAML metadata to the IDP

That’s a configuration issue from your end because you most likely configured Zammad via HTTPS (getting started wizard) first.
See:
https://admin-docs.zammad.org/en/latest/settings/system/base.html
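The "Invalid Audience" log line above is the symptom of an app behind a TLS-terminating ingress believing its own base URL is http:// while the IdP was handed https:// metadata. The following added example (not Zammad's code, not from the Zammad project) parses that log line, classifies the mismatch, and models how the expected SAML audience is derived from the configured HTTP type or from the proxy's X-Forwarded-Proto header. The function and parameter names (parse_audience_mismatch, expected_audience, trust_proxy_headers) are assumptions chosen for illustration; the sample log line is constructed from the shape of the one in the post.

```python
"""Triage helper for SAML audience mismatches behind a TLS-terminating proxy.

Added example: models the generic behaviour of a Rails-style app that builds
its SAML metadata URL from a configured scheme (such as Zammad's "HTTP type"
base setting) or from a trusted X-Forwarded-Proto header. It is not Zammad's
own implementation.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample, shaped like the Rails log line in the post.
SAMPLE_LOG = (
    "(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, "
    "Invalid Audience. The audience https://zammad.somedomain.com/auth/saml/metadata, "
    "did not match the expected audience http://zammad.somedomain.com/auth/saml/metadata"
)

AUDIENCE_RE = re.compile(
    r"The audience (\S+), did not match the expected audience (\S+)$"
)


def parse_audience_mismatch(line):
    """Extract the audience the IdP sent and the one the SP expected, or None."""
    m = AUDIENCE_RE.search(line.strip())
    if not m:
        return None
    return {"received": m.group(1), "expected": m.group(2)}


def diagnose(received, expected):
    """Classify why the two audiences differ: scheme, host, path or unknown."""
    r, e = urlsplit(received), urlsplit(expected)
    if r.netloc != e.netloc:
        return "host_mismatch"
    if r.path != e.path:
        return "path_mismatch"
    if r.scheme != e.scheme:
        # Same host and path, only http vs https differs: the SP does not know
        # that TLS is terminated upstream (ingress / load balancer).
        return "scheme_mismatch"
    return "unknown"


def expected_audience(host, http_type, forwarded_proto=None, trust_proxy_headers=False):
    """Model of how the SP derives its metadata URL (the SAML audience).

    http_type:           the scheme the app is configured with ("http"/"https").
    forwarded_proto:     value of X-Forwarded-Proto set by the proxy, if any.
    trust_proxy_headers: only honour forwarded_proto when the app is told the
                         proxy is trusted; an untrusted client could otherwise
                         spoof the header.
    """
    scheme = http_type
    if trust_proxy_headers and forwarded_proto in ("http", "https"):
        scheme = forwarded_proto
    return urlunsplit((scheme, host, "/auth/saml/metadata", "", ""))


def audience_ok(assertion_audience, expected):
    """The check OneLogin::RubySaml performs: exact string equality."""
    return assertion_audience == expected


if __name__ == "__main__":
    parsed = parse_audience_mismatch(SAMPLE_LOG)
    print("diagnosis:", diagnose(parsed["received"], parsed["expected"]))
    host = "zammad.somedomain.com"
    # Broken state: app configured as http, ingress terminates TLS.
    print("http type http :", audience_ok(parsed["received"], expected_audience(host, "http")))
    # Fixed state: app configured as https (or trusting X-Forwarded-Proto).
    print("http type https:", audience_ok(parsed["received"], expected_audience(host, "https")))
    print("fwd proto      :", audience_ok(
        parsed["received"],
        expected_audience(host, "http", forwarded_proto="https", trust_proxy_headers=True)))
```

Run it against a copied Rails log line to confirm whether the failure is really a scheme mismatch (same host and path, only http vs https) before touching anything else; if the host or path differs, the problem is elsewhere (wrong FQDN or metadata URL registered at the IdP) and changing the HTTP type will not help.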