SSO with valid env but no account creation

Infos:

  • Used Zammad version: 4.1.0-6
  • docker-compose
  • Operating system: Rocky8
  • Browser + version: * any

Expected behavior:

As described in Single Sign-On for Kerberos — Zammad documentation, I set up the running OIDC provider and passed the mail as the REMOTE_USER variable.
Now I would think that the GET request against /auth/sso would let me log in with the username I provided via OIDC.
I would get it when there is no variable set (been there) or the variable is just ‘null’ (been there too).

Actual behavior:

401: Unauthorized
No such user 'ppp@domain.cc' found! 

I can create a user and then log in with SSO, never using the activation mail. But that's not 1) automatically have an account in Zammad and 2) be able to log in with a single click.

Steps to reproduce the behavior:

  • set up OIDC, login via SSO, Profit?

Logs while authenticating:


zammad-railsserver_1    | I, [2021-09-28T23:11:50.057689 #1-46947366162800]  INFO -- : Started GET "/auth/sso" for 9.9.9.9 at 2021-09-28 23:11:50 +0000
zammad-railsserver_1    | I, [2021-09-28T23:11:50.061148 #1-46947366162800]  INFO -- : Processing by SessionsController#create_sso as HTML
zammad-railsserver_1    | I, [2021-09-28T23:11:50.062151 #1-46947366162800]  INFO -- : No such user ppp@domain.cc found! (Exceptions::NotAuthorized)
zammad-railsserver_1    | /opt/zammad/app/controllers/sessions_controller.rb:30:in `create_sso'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/basic_implicit_render.rb:6:in `send_action'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/abstract_controller/base.rb:194:in `process_action'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/rendering.rb:30:in `process_action'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/abstract_controller/callbacks.rb:42:in `block in process_action'
zammad-railsserver_1    | /usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:109:in `block in run_callbacks'
zammad-railsserver_1    | /opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:18:in `block (4 levels) in <module:HasSecureContentSecurityPolicyForDownloads>'
zammad-railsserver_1    | /usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:180:in `subscribed'
zammad-railsserver_1    | /opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:17:in `block (3 levels) in <module:HasSecureContentSecurityPolicyForDownloads>'
zammad-railsserver_1    | /usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:180:in `subscribed'
zammad-railsserver_1    | /opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:16:in `block (2 levels) in <module:HasSecureContentSecurityPolicyForDownloads>'
zammad-railsserver_1    | /usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:118:in `instance_exec'
zammad-railsserver_1    | /usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:118:in `block in run_callbacks'
zammad-railsserver_1    | /opt/zammad/app/controllers/application_controller/handles_transitions.rb:14:in `handle_transaction'
zammad-railsserver_1    | /usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:118:in `block in run_callbacks'
zammad-railsserver_1    | /usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:136:in `run_callbacks'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/abstract_controller/callbacks.rb:41:in `process_action'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/rescue.rb:22:in `process_action'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'
zammad-railsserver_1    | /usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:168:in `block in instrument'
zammad-railsserver_1    | /usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/notifications/instrumenter.rb:23:in `instrument'
zammad-railsserver_1    | /usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:168:in `instrument'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/instrumentation.rb:32:in `process_action'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/params_wrapper.rb:256:in `process_action'
zammad-railsserver_1    | /usr/local/bundle/gems/activerecord-5.2.4.6/lib/active_record/railties/controller_runtime.rb:24:in `process_action'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/abstract_controller/base.rb:134:in `process'
zammad-railsserver_1    | /usr/local/bundle/gems/actionview-5.2.4.6/lib/action_view/rendering.rb:32:in `process'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal.rb:191:in `dispatch'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal.rb:252:in `dispatch'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:52:in `dispatch'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:34:in `serve'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:52:in `block in serve'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:35:in `each'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:35:in `serve'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:840:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:420:in `call_app!'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-saml-1.10.1/lib/omniauth/strategies/saml.rb:89:in `other_phase'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:190:in `call!'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/builder.rb:45:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/rack-2.2.3/lib/rack/tempfile_reaper.rb:15:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/rack-2.2.3/lib/rack/etag.rb:27:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/rack-2.2.3/lib/rack/conditional_get.rb:27:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/rack-2.2.3/lib/rack/head.rb:12:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/http/content_security_policy.rb:18:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:266:in `context'
zammad-railsserver_1    | /usr/local/bundle/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:260:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/cookies.rb:670:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
zammad-railsserver_1    | /usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:98:in `run_callbacks'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/callbacks.rb:26:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:38:in `call_app'
zammad-railsserver_1    | /usr/local/bundle/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:26:in `block in call'
zammad-railsserver_1    | /usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:71:in `block in tagged'
zammad-railsserver_1    | /usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:28:in `tagged'
zammad-railsserver_1    | /usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:71:in `tagged'
zammad-railsserver_1    | /usr/local/bundle/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:26:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/request_id.rb:27:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/rack-2.2.3/lib/rack/method_override.rb:24:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/rack-2.2.3/lib/rack/runtime.rb:22:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/executor.rb:14:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/static.rb:127:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/rack-2.2.3/lib/rack/sendfile.rb:110:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/railties-5.2.4.6/lib/rails/engine.rb:524:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/puma-4.3.8/lib/puma/configuration.rb:228:in `call'
zammad-railsserver_1    | /usr/local/bundle/gems/puma-4.3.8/lib/puma/server.rb:718:in `handle_request'
zammad-railsserver_1    | /usr/local/bundle/gems/puma-4.3.8/lib/puma/server.rb:472:in `process_client'
zammad-railsserver_1    | /usr/local/bundle/gems/puma-4.3.8/lib/puma/server.rb:328:in `block in run'
zammad-railsserver_1    | /usr/local/bundle/gems/puma-4.3.8/lib/puma/thread_pool.rb:134:in `block in spawn_thread'
zammad-railsserver_1    | /usr/local/bundle/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
zammad-railsserver_1    | I, [2021-09-28T23:11:50.062627 #1-46947366162800]  INFO -- :   Rendering inline template
zammad-railsserver_1    | I, [2021-09-28T23:11:50.063067 #1-46947366162800]  INFO -- :   Rendered inline template (0.4ms)
zammad-railsserver_1    | I, [2021-09-28T23:11:50.063170 #1-46947366162800]  INFO -- : Completed 401 Unauthorized in 2ms (Views: 0.6ms | ActiveRecord: 0.2ms)

Doesn’t seem legit or make sense, no?

Oh sorry, I failed to read well enough here.
Why do you think that Zammad will create a user for you on SSO usage if it’s not there yet?

Because it’s that way with the other authentications?
I’d like to understand where the documentation causes confusion and thus should be improved.

In general I’d suggest a combination of LDAP sync and SSO (no matter if Kerberos or not) to have all data available already.
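
A log-triage sketch for the failure shown in this thread, as an added example that is not part of the original posts and not Zammad's own code: it pairs each `No such user ... found!` line with the `/auth/sso` request on the same worker tag and reports which asserted identities were rejected and from which addresses. It assumes the log layout of the excerpt above; the sample lines, addresses and identities are constructed.

```ruby
# Added example (not Zammad code): list SSO logins that Zammad rejected because
# the identity asserted in REMOTE_USER has no local account.
# Assumption: log lines are laid out as in the excerpt posted in this thread.
LINE    = /\[(?<ts>\S+) #(?<tag>[\d-]+)\]\s+\w+ -- : (?<msg>.*)\z/
STARTED = %r{\AStarted GET "/auth/sso" for (?<ip>\S+) at }
NO_USER = /\ANo such user '?(?<user>[^'\s]+)'? found! \(Exceptions::NotAuthorized\)/

# Pairs each "No such user" line with the /auth/sso request on the same
# worker tag (#pid-thread), so the source address is attached to the identity.
def rejected_sso_logins(lines)
  open_requests = {} # worker tag => SSO request that worker is handling
  rejected = []
  lines.each do |raw|
    m = LINE.match(raw.chomp)
    next unless m # stack frames carry no tag and are skipped
    if (s = STARTED.match(m[:msg]))
      open_requests[m[:tag]] = { ts: m[:ts], ip: s[:ip] }
    elsif m[:msg].start_with?('Started ')
      open_requests.delete(m[:tag]) # worker moved on to a non-SSO request
    elsif (u = NO_USER.match(m[:msg])) && (req = open_requests[m[:tag]])
      rejected << req.merge(user: u[:user])
    end
  end
  rejected
end

# One row per identity: how often it was rejected and from which addresses.
def summarize(rejected)
  rejected.group_by { |r| r[:user] }.map do |user, hits|
    { user: user, attempts: hits.size, sources: hits.map { |h| h[:ip] }.uniq.sort }
  end
end

# Constructed sample input (documentation addresses, example.com identities).
SAMPLE = <<~'LOG'.lines
  zammad-railsserver_1    | I, [2021-09-28T23:11:50.057689 #1-100]  INFO -- : Started GET "/auth/sso" for 192.0.2.10 at 2021-09-28 23:11:50 +0000
  zammad-railsserver_1    | I, [2021-09-28T23:11:50.062151 #1-100]  INFO -- : No such user alice@example.com found! (Exceptions::NotAuthorized)
  zammad-railsserver_1    | /opt/zammad/app/controllers/sessions_controller.rb:30:in `create_sso'
  zammad-railsserver_1    | I, [2021-09-28T23:11:50.063170 #1-100]  INFO -- : Completed 401 Unauthorized in 2ms
  zammad-railsserver_1    | I, [2021-09-28T23:12:01.000100 #1-200]  INFO -- : Started GET "/auth/sso" for 198.51.100.7 at 2021-09-28 23:12:01 +0000
  zammad-railsserver_1    | I, [2021-09-28T23:12:01.004200 #1-200]  INFO -- : No such user alice@example.com found! (Exceptions::NotAuthorized)
  zammad-railsserver_1    | I, [2021-09-28T23:12:05.000100 #1-200]  INFO -- : Started GET "/" for 198.51.100.7 at 2021-09-28 23:12:05 +0000
  zammad-railsserver_1    | I, [2021-09-28T23:12:05.000900 #1-200]  INFO -- : No such user carol@example.com found! (Exceptions::NotAuthorized)
  zammad-railsserver_1    | I, [2021-09-28T23:12:09.000100 #1-100]  INFO -- : Started GET "/auth/sso" for 192.0.2.10 at 2021-09-28 23:12:09 +0000
  zammad-railsserver_1    | I, [2021-09-28T23:12:09.003300 #1-100]  INFO -- : No such user bob@example.com found! (Exceptions::NotAuthorized)
LOG

puts summarize(rejected_sso_logins(SAMPLE)) if __FILE__ == $PROGRAM_NAME
```

Identities that appear here are the accounts that would have to exist (for example through the LDAP sync suggested above) before SSO can log them in; an identity or source address you do not recognise is worth a look at the proxy that sets REMOTE_USER.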
