Single Sign On for Zammad

Infos:

  • Used Zammad version: 2.2.x
  • Used Zammad installation source: DEB
  • Operating system: Ubuntu 16.04
  • Browser + version: Chrome and Firefox latest, IE 11

Expected behavior:

I want to use SSO for our Zammad installation.

Actual behavior:

I found the ticket "Single Sign On for Zammad" on GitHub and tried to do the same as described in the comments from pikachuprof and cohausz, without success. I don’t know what’s going wrong, so I hope for some input :grinning:

Steps to reproduce the behavior:

I configured mod_auth_kerb with the following configuration:

<VirtualHost *:80>
ServerName zammad.domain.tld
Redirect permanent / https://zammad.domain.tld/
</VirtualHost>

<VirtualHost *:443>
include /etc/apache2/options-ssl-zammad.tld.conf

# replace 'localhost' with your fqdn if you want to use zammad from remote
ServerName zammad.domain.tld

<IfModule !mod_auth_kerb.c>
  LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so
</IfModule>

## don't lose time with IP address lookups
HostnameLookups Off

## needed for named virtual hosts
UseCanonicalName Off

## configures the footer on server-generated documents
ServerSignature Off

ProxyRequests Off
ProxyPreserveHost On

<Proxy localhost:3000>
  Require local
</Proxy>

ProxyPass /assets !
ProxyPass /favicon.ico !
ProxyPass /robots.txt !
ProxyPass /ws ws://localhost:6042/
ProxyPass / http://localhost:3000/

DocumentRoot "/opt/zammad/public"

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/opt/zammad/public">
    Options FollowSymLinks
    Require all granted
</Directory>

  LimitRequestFieldSize 32768
  RequestHeader merge REMOTE_USER %{REMOTE_USER}s

<Location "/auth/sso">
  SSLRequireSSL
  AuthType Kerberos
  AuthName "zammad.domain.tld"
  KrbServiceName HTTP/zammad.domain.tld@DOMAIN.TLD
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbSaveCredentials On

  require valid-user

  Krb5Keytab /etc/kerberos-http.keytab
  KrbAuthRealm DOMAIN.TLD
</Location>

#LogLevel trace8
ErrorLog /var/log/apache2/zammad.domain.tld-error.log
CustomLog /var/log/apache2//zammad.domain.tld-access.log combined
</VirtualHost>

Now, if I want to log in to Zammad (https://zammat.domain.tld/auth/sso), I get the following error:

Unauthorized
This Server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn’t understand how to supply the credentials required

I think I have configured the browser the right way, because SSO works without Zammad (see the following lines).

The “strange” thing is: I created a folder called sso in /opt/zammad/public/sso. In the vHost configuration I duplicated the SSO part:

<Directory "/opt/zammad/public/sso">
  SSLRequireSSL
  AuthType Kerberos
  AuthName "zammad.domain.tld"
  KrbServiceName HTTP/zammad.domain.tld@DOMAIN.TLD
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbSaveCredentials On

  require valid-user

  Krb5Keytab /etc/kerberos-http.keytab
  KrbAuthRealm DOMAIN.TLD
</Directory>

If I browse to this directory (https://zammad.domain.tld/sso) the SSO works.

Can anyone help me?
Thanks

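A hardening variant of the header forwarding in the configuration posted above, as an added example (not from the original post or the Zammad project): the vhost-level `RequestHeader merge` keeps any REMOTE_USER value the client itself sent, so this version drops the incoming header on every request and sets it only inside the Kerberos-protected location. It assumes the backend takes the user name from the REMOTE_USER request header, as the posted line implies, and it is not a fix for the 401 described in the post.

```apache
# Added example, not the poster's configuration.
# Assumption: the application behind the proxy trusts the REMOTE_USER
# request header as the authenticated user name.

# Posted form (vhost scope): "merge" appends to whatever value the
# client already sent, so a client-supplied REMOTE_USER survives.
#   RequestHeader merge REMOTE_USER %{REMOTE_USER}s

# Hardened form, step 1 (vhost scope): remove any client-supplied copy
# before the request is processed further. "early" is valid in server
# and virtual-host context only.
RequestHeader unset REMOTE_USER early

<Location "/auth/sso">
  SSLRequireSSL
  AuthType Kerberos
  AuthName "zammad.domain.tld"
  KrbServiceName HTTP/zammad.domain.tld@DOMAIN.TLD
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbSaveCredentials On

  require valid-user

  Krb5Keytab /etc/kerberos-http.keytab
  KrbAuthRealm DOMAIN.TLD

  # Step 2: forward the identity only where Kerberos authentication is
  # required. "set" replaces the header instead of appending to it.
  RequestHeader set REMOTE_USER %{REMOTE_USER}s
</Location>
```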

I also need this! I have a PHP Portal page and Zammad. Both are on a different instance and both are connected to LDAP.
Now I need users to log in to Zammad automatically if they are already logged into the portal.

Any advice or guidance would be greatly appreciated!
