Set up SAML on a self-host Zammad while TLS certificate is managed by K8S ingress


  • Used Zammad version: 5.4.0-19
  • Used Zammad installation type: K8s v1.25 + Official helm chart + Nginx ingress
  • Operating system: Fedora
  • Browser + version: Firefox 112


Set up SAML authentication on a self-host Zammad

Expected behavior:

Zammad should somehow made aware that the TLS certificate is managed by another proxy/service, and that clients are connecting using a secure TLS session.

In this scenario, Zammad should expect SAML callback to happen using HTTPS schema.

Actual behavior:

SAML authentication is not working, because zammad expect the IDP SAML callback to happen using HTTP schema.

Logs from the Rails container :

(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Invalid Audience. The audience, did not match the expected audience

Steps to reproduce the behavior:

  1. Install zammad on K8S cluster using official Helm Chart
  2. Customize official helm chart to enable Ingress
  3. Nginx Ingress controller is handling TLS certificate using AWS NLB (Network Load Balancer)
  4. Communication between AWS NLB and Zammad Nginx pod (Using K8S ClusterIP service type) is in plain HTTP (No certificate)
  5. Export SAML metadata to the IDP

That’s a configuration issue from your end because you most likely configured Zammad via HTTPs (getting started wizard) first.