- Used Zammad version: 5.4.0-19
- Used Zammad installation type: K8s v1.25 + Official helm chart + Nginx ingress
- Operating system: Fedora
- Browser + version: Firefox 112
Set up SAML authentication on a self-hosted Zammad.
Zammad should somehow be made aware that the TLS certificate is managed by another proxy/service, and that clients are connecting over a secure TLS session.
In this scenario, Zammad should expect the SAML callback to happen using the HTTPS scheme.
SAML authentication is not working, because Zammad expects the IdP SAML callback to happen using the HTTP scheme.
Logs from the Rails container:
(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Invalid Audience. The audience https://zammad.somedomain.com/auth/saml/metadata, did not match the expected audience http://zammad.somedomain.com/auth/saml/metadata
Steps to reproduce the behavior:
- Install Zammad on a K8s cluster using the official Helm chart
- Customize the official Helm chart to enable Ingress
- The Nginx Ingress controller is handling the TLS certificate using an AWS NLB (Network Load Balancer)
- Communication between the AWS NLB and the Zammad Nginx pod (using a K8s ClusterIP service type) is plain HTTP (no certificate)
- Export SAML metadata to the IDP
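Added example (not Zammad's, ruby-saml's or the reporter's own code): a small Ruby model of the audience check that produced the log line above, run once with the reported configuration and once with the scheme corrected. It assumes that Zammad derives the SAML SP entity ID (the audience it expects) from its `http_type` and `fqdn` settings as `<http_type>://<fqdn>/auth/saml/metadata`, which is consistent with the expected audience in the log; the assertion fragment is constructed, not captured from a real IdP.

```ruby
# Added example, not Zammad's or ruby-saml's code. Assumption: Zammad builds the
# SAML SP entity ID (expected audience) as "<http_type>://<fqdn>/auth/saml/metadata".
SAML_METADATA_PATH = '/auth/saml/metadata'

class AudienceMismatch < StandardError; end

# The audience Zammad will expect for the given settings pair.
def expected_audience(http_type:, fqdn:)
  unless %w[http https].include?(http_type)
    raise ArgumentError, "http_type must be http or https, got #{http_type.inspect}"
  end
  "#{http_type}://#{fqdn}#{SAML_METADATA_PATH}"
end

# The Audience element of the IdP's assertion must equal the SP entity ID
# exactly, scheme included. Returns true, or raises AudienceMismatch with a
# message in the same shape as the log line above.
def validate_audience!(assertion_audience, http_type:, fqdn:)
  expected = expected_audience(http_type: http_type, fqdn: fqdn)
  return true if assertion_audience == expected

  raise AudienceMismatch,
        "Invalid Audience. The audience #{assertion_audience}, did not match the expected audience #{expected}"
end

# Pull the Audience value out of a Conditions element. A real SAML response is
# signed XML that ruby-saml parses properly; this regex is only for the sample.
def audience_from_assertion(xml)
  m = xml.match(%r{<(?:saml2?:)?Audience>([^<]+)</(?:saml2?:)?Audience>})
  raise ArgumentError, 'no Audience element in assertion' unless m

  m[1].strip
end

# Constructed sample: what the IdP sends back after metadata with the https
# entity ID was imported into it.
SAMPLE_ASSERTION_FRAGMENT = <<~XML
  <saml:Conditions NotBefore="2023-05-01T10:00:00Z" NotOnOrAfter="2023-05-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://zammad.somedomain.com/auth/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
XML

# Returns a one-line diagnosis so the wrong and corrected settings can be
# compared side by side.
def diagnose(http_type:, fqdn:, assertion: SAMPLE_ASSERTION_FRAGMENT)
  aud = audience_from_assertion(assertion)
  validate_audience!(aud, http_type: http_type, fqdn: fqdn)
  "ok: audience #{aud} accepted"
rescue AudienceMismatch => e
  "failure: #{e.message}"
end

if $PROGRAM_NAME == __FILE__
  # Reported state: TLS ends at the load balancer, Zammad still set to http.
  puts diagnose(http_type: 'http',  fqdn: 'zammad.somedomain.com')
  # Corrected state: http_type switched to https, matching what the IdP was told.
  puts diagnose(http_type: 'https', fqdn: 'zammad.somedomain.com')
end
```

The check is a plain string comparison, so a scheme mismatch is as fatal as a wrong host. Because the proxy in front of Zammad terminates TLS and the pod only ever sees HTTP, nothing in the request itself tells Rails which scheme to use; under the assumption above, the scheme comes from the `http_type` setting (in the admin interface under Settings > System > Base, or via `Setting.set('http_type', 'https')` from `rails r`), and after changing it the SP metadata must be exported to the IdP again, since the entity ID embedded in it changes as well.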