SSO not working

Technical assistance
1

Infos:

  • Used Zammad version: 6
  • Used Zammad installation type: package
  • Operating system: Debian 12
  • Browser + version: Chrome 115

Expected behavior:

  • One-Click SSO Login

Actual behavior:

  • SSO not working

Hello,

After I tried to setup SSO and worked many hours on it, I need the help of the community.

Some things from the SSO instructions I have done differently:
apt install libapache2-mod-auth-kerb isn’t working on Debian 12, I installed it this way:
wget http://ftp.de.debian.org/debian/pool/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_5.4-3_amd64.deb
dpkg -i libapache2-mod-auth-kerb_5.4-3_amd64.deb

From the description it is not clear where I should put the part <LocationMatch "/auth/sso">, I tried it to put it in zammad.conf and in 000-default.conf, but it’s the same result.

In the Apache log you can see “granted” under “authorization result”, but it’s not working.

Edit: I just stopped Apache and started Nginx to be able to Login to Zammad. In the Dashboard I saw that the Login from me and a colleague worked:
image

I also checked Zammad’s production log and it looks good, but I don’t know if it’s correct that the redirect goes to http and not to https.

INFO -- : Processing by SessionsController#create_sso as HTML
INFO -- : Redirected to http://zammadtest.my-domain.de/#
INFO -- : Completed 302 Found in 23ms (ActiveRecord: 12.7ms | Allocations: 6057)

Apache’s error.log after I called https://zammadtest.my-domain.de/auth/sso:

[proxy:debug] [pid 12202:tid 139720822568704] proxy_util.c(2554): AH00943: ws: has released connection for (127.0.0.1:6042)
[ssl:debug] [pid 12202:tid 139720822568704] ssl_engine_io.c(1147): [client 192.168.101.8:59787] AH02001: Connection closed to child 14 with standard shutdown (server zammad.my-domain.de:443)
[ssl:debug] [pid 12203:tid 139720797390592] ssl_engine_kernel.c(415): [client 192.168.101.8:59786] AH02034: Subsequent (No.3) HTTPS request received for child 81 (server zammad.my-domain.de:443), referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720797390592] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720797390592] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720797390592] src/mod_auth_kerb.c(1963): [client 192.168.101.8:59786] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://zammadtest.my-domain.de/
[ssl:debug] [pid 12203:tid 139720788997888] ssl_engine_kernel.c(415): [client 192.168.101.8:59786] AH02034: Subsequent (No.4) HTTPS request received for child 82 (server zammad.my-domain.de:443), referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1963): [client 192.168.101.8:59786] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1296): [client 192.168.101.8:59786] Acquiring creds for HTTP/zammadtest.my-domain.de@MY-DOMAIN.DE, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1719): [client 192.168.101.8:59786] Verifying client data using KRB5 GSS-API with our SPNEGO lib, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1735): [client 192.168.101.8:59786] Client didn't delegate us their credential, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1754): [client 192.168.101.8:59786] GSS-API token of length 185 bytes will be sent back, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1869): [client 192.168.101.8:59786] kerb_authenticate_a_name_to_local_name MySamAccountName@MY-DOMAIN.DE -> MySamAccountName, referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of Require valid-user : granted, referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of <RequireAny>: granted, referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1963): [client 192.168.101.8:59786] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1901): [client 192.168.101.8:59786] matched previous auth request, referer: https://zammadtest.my-domain.de/
[auth_kerb:debug] [pid 12203:tid 139720788997888] src/mod_auth_kerb.c(1869): [client 192.168.101.8:59786] kerb_authenticate_a_name_to_local_name MySamAccountName@MY-DOMAIN.DE -> MySamAccountName, referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of Require valid-user : granted, referer: https://zammadtest.my-domain.de/
[authz_core:debug] [pid 12203:tid 139720788997888] mod_authz_core.c(815): [client 192.168.101.8:59786] AH01626: authorization result of <RequireAny>: granted, referer: https://zammadtest.my-domain.de/
[proxy:debug] [pid 12203:tid 139720788997888] mod_proxy.c(1506): [client 192.168.101.8:59786] AH01143: Running scheme http handler (attempt 0), referer: https://zammadtest.my-domain.de/
[proxy:debug] [pid 12203:tid 139720788997888] proxy_util.c(2538): AH00942: http: has acquired connection for (127.0.0.1:3000)
[proxy:debug] [pid 12203:tid 139720788997888] proxy_util.c(2596): [client 192.168.101.8:59786] AH00944: connecting http://127.0.0.1:3000/auth/sso to 127.0.0.1:3000, referer: https://zammadtest.my-domain.de/
[proxy:debug] [pid 12203:tid 139720788997888] proxy_util.c(2819): [client 192.168.101.8:59786] AH00947: connected /auth/sso to 127.0.0.1:3000, referer: https://zammadtest.my-domain.de/
[proxy:debug] [pid 12203:tid 139720788997888] proxy_util.c(2554): AH00943: http: has released connection for (127.0.0.1:3000)
[ssl:debug] [pid 12203:tid 139720780605184] ssl_engine_io.c(1147): [client 192.168.101.8:59786] AH02001: Connection closed to child 83 with standard shutdown (server zammad.my-domain.de:443)

Screenshot of Chrome:
image

Firefox:

image
image386×607 18.3 KB

2

The zammad vhost configuration file is the file of your desire.

FQDN and HTTP-Type are correct in your Zammad configuration? They may not differ.
Also make sure you’re removed the # from the SSO part of the zammad.conf.

It is not enough to add the location match.