Zammad ADFS SAML 422: The change you wanted was rejected

Zammad version: 6.0.0

Hello, we attempted to get Zammad working with SAML against our ADFS servers; here's a list of the things we tried in order to make it work:

  • entered the certificate both with and without -----BEGIN CERTIFICATE-----
  • tried using both the certificate and the certificate fingerprint
  • made sure the servers are all running UTC time
  • restarted the server after enabling the feature
  • confirmed it seems to resolve OK on the ADFS side

Error in the UI:

# 422: The change you wanted was rejected.

Message from saml: invalid_ticket

Here’s the error we get on the pod itself:

[15/Jan/2024:07:22:29 +0000] "POST /auth/saml/callback HTTP/1.1" 302 9 "https://sso.XXXXXX.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
[15/Jan/2024:07:22:29 +0000] "GET /auth/failure?message=invalid_ticket&strategy=saml HTTP/1.1" 422 444 "https://sso.XXXXXXX.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
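The post above varies three inputs without a way to see which one the SP actually rejects. The script below is added example code (not Zammad's or omniauth-saml's own) that checks those inputs offline: it normalises the IdP certificate whether it was pasted with or without PEM armor and prints its fingerprints for comparison with the ADFS certificate dialog, and it decodes a SAMLResponse and reports clock-skew, audience, destination and status problems. The XML signature is deliberately not verified (ruby-saml does that). The hostnames, the entity ID path /auth/saml/metadata, the ACS path /auth/saml/callback, the throw-away self-signed certificate and the unsigned sample response are all constructed assumptions for the demo, not data from the thread.

```ruby
# Added diagnostic (example code, not Zammad's or omniauth-saml's): checks the
# certificate and the assertion conditions before blaming the SAML handshake.
require 'openssl'
require 'base64'
require 'time'
require 'rexml/document'

SAML_NS = { 'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion',
            'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol' }.freeze
SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success'
ACS = 'https://support-dev.example.test/auth/saml/callback' # assumed SP ACS URL
AUD = 'https://support-dev.example.test/auth/saml/metadata' # assumed SP entity ID

# Accept the IdP certificate pasted with or without PEM armor and with any
# line wrapping (both forms tried in the post) and return a parsed X509 object.
def parse_idp_cert(text)
  body = text.gsub(/-----(BEGIN|END) CERTIFICATE-----/, '').gsub(/\s+/, '')
  pem  = "-----BEGIN CERTIFICATE-----\n#{body.scan(/.{1,64}/).join("\n")}\n-----END CERTIFICATE-----\n"
  OpenSSL::X509::Certificate.new(pem)
end

# Colon-separated upper-case fingerprints of the DER encoding, the form shown
# in the ADFS certificate dialog; compare with the value configured in Zammad.
def cert_fingerprints(text)
  der = parse_idp_cert(text).to_der
  fmt = ->(hex) { hex.upcase.scan(/../).join(':') }
  { sha1:   fmt.call(OpenSSL::Digest::SHA1.hexdigest(der)),
    sha256: fmt.call(OpenSSL::Digest::SHA256.hexdigest(der)) }
end

# Throw-away self-signed certificate so the demo runs offline; it stands in
# for the ADFS token-signing certificate (constructed, not a real one).
def demo_cert_pem
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=ADFS Signing - sso.example.test')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Constructed, unsigned sample SAMLResponse (not real ADFS output), base64 as POSTed.
def sample_response(not_before:, not_after:, audience: AUD, acs: ACS, status: SUCCESS)
  xml = <<~XML
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="_r1" Version="2.0" IssueInstant="#{not_before.iso8601}" Destination="#{acs}">
      <saml:Issuer>http://sso.example.test/adfs/services/trust</saml:Issuer>
      <samlp:Status><samlp:StatusCode Value="#{status}"/></samlp:Status>
      <saml:Assertion ID="_a1" Version="2.0" IssueInstant="#{not_before.iso8601}">
        <saml:Issuer>http://sso.example.test/adfs/services/trust</saml:Issuer>
        <saml:Conditions NotBefore="#{not_before.iso8601}" NotOnOrAfter="#{not_after.iso8601}">
          <saml:AudienceRestriction><saml:Audience>#{audience}</saml:Audience></saml:AudienceRestriction>
        </saml:Conditions>
      </saml:Assertion>
    </samlp:Response>
  XML
  Base64.strict_encode64(xml)
end

# Decode the SAMLResponse and list every reason a validator would reject it.
# Signature verification is intentionally left to ruby-saml; this covers the
# checks that depend on clocks and on the SP/IdP configuration matching.
def response_problems(saml_response_b64, expected_audience:, expected_acs:,
                      now: Time.now.utc, allowed_drift: 60)
  resp = REXML::Document.new(Base64.decode64(saml_response_b64)).root
  return ['root element is not a samlp:Response'] unless resp && resp.name == 'Response' && resp.namespace == SAML_NS['samlp']
  problems = []
  dest = resp.attributes['Destination']
  problems << "Destination #{dest} != ACS URL #{expected_acs}" if dest && dest != expected_acs
  status = REXML::XPath.first(resp, 'samlp:Status/samlp:StatusCode', SAML_NS)
  code   = status && status.attributes['Value']
  problems << "IdP returned status #{code.inspect}" unless code == SUCCESS
  cond = REXML::XPath.first(resp, 'saml:Assertion/saml:Conditions', SAML_NS)
  return problems << 'assertion has no Conditions element' unless cond
  if (nb = cond.attributes['NotBefore']) && now + allowed_drift < Time.iso8601(nb)
    problems << "NotBefore #{nb} is still in the future (clock skew?)"
  end
  if (na = cond.attributes['NotOnOrAfter']) && now - allowed_drift >= Time.iso8601(na)
    problems << "NotOnOrAfter #{na} has already passed (clock skew?)"
  end
  aud_el = REXML::XPath.first(cond, 'saml:AudienceRestriction/saml:Audience', SAML_NS)
  aud    = aud_el && aud_el.text.to_s.strip
  problems << "Audience #{aud.inspect} != SP entity ID #{expected_audience}" unless aud == expected_audience
  problems
end

if $PROGRAM_NAME == __FILE__
  pem = demo_cert_pem
  puts "sha1   #{cert_fingerprints(pem)[:sha1]}"
  puts "armor-free paste gives the same fingerprint: #{cert_fingerprints(pem) == cert_fingerprints(pem.gsub(/-----.*-----/, ''))}"
  now = Time.now.utc
  p response_problems(sample_response(not_before: now - 300, not_after: now + 300), expected_audience: AUD, expected_acs: ACS)
  p response_problems(sample_response(not_before: now - 3600, not_after: now - 1800), expected_audience: AUD, expected_acs: ACS)
end
```

To use it against a real failure, capture the SAMLResponse form field from the browser's POST to /auth/saml/callback and pass it to response_problems with your own entity ID and ACS URL; an empty list narrows the remaining suspects to the signature and the configured certificate, which is what cert_fingerprints is for.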

Hi @plupu. What’s written down in the Zammad log?

@fliebe92 this is what I get:

[15/Jan/2024:11:05:05 +0000] "POST /auth/saml/callback HTTP/1.1" 302 9 "https://sso.XXXX.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
[15/Jan/2024:11:05:05 +0000] "GET /auth/failure?message=invalid_ticket&strategy=saml HTTP/1.1" 422 444 "https://sso.XXXX.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
[15/Jan/2024:11:05:05 +0000] "GET /assets/error/style.css HTTP/1.1" 200 1498 "https://XXXX.XXXX.io/auth/failure?message=invalid_ticket&strategy=saml" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
[15/Jan/2024:11:05:05 +0000] "GET /assets/error/error-1.svg HTTP/1.1" 200 2629 "https://XXXX.XXXX.io/auth/failure?message=invalid_ticket&strategy=saml" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
[15/Jan/2024:11:05:05 +0000] "GET /assets/error/firasans-regular-webfont.woff HTTP/1.1" 200 28852 "https://XXXX.XXXX.io/assets/error/style.css" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"

Is this an excerpt of your Zammad production.log?

It's from the Kubernetes pod log for Zammad; I'm guessing that should have all the output? If you can direct me, I can try to ssh into a specific container to check the logfile directly.

I dug around a little through the containers but couldn’t find anything substantial:

$ pwd
/opt/zammad
$ cd log
$ pwd
/opt/zammad/log
$ cat production.log
I, [2023-07-18T14:57:38.823588#4418-6180]  INFO -- : Using Zammad's file store as Rails cache store.
I, [2023-07-18T14:57:38.823888#4418-6180]  INFO -- : Using the File back end for Zammad's web socket session store.
$ ls -l
total 4
-rw-r--r-- 1 zammad zammad 217 Jul 18 14:57 production.log

You can try to tail the log and see if it gets filled just by clicking around in Zammad. When the SAML login is performed and fails, there should be a reason next to invalid_ticket (at least I remember seeing one in the past).

This is all I get while doing a tail for the whole attempt:

 - - [15/Jan/2024:11:47:52 +0000] "GET /ws HTTP/1.1" 101 189 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
 - - [15/Jan/2024:11:47:52 +0000] "POST /auth/saml HTTP/1.1" 302 450 "https://support-dev.XXXXXXXXXXXXXX.io/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
 - - [15/Jan/2024:11:47:57 +0000] "GET / HTTP/1.1" 200 2878 "-" "kube-probe/1.26+"
 - - [15/Jan/2024:11:47:57 +0000] "POST /auth/saml/callback HTTP/1.1" 302 9 "https://sso.XXXXXXXglobal.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
 - - [15/Jan/2024:11:47:57 +0000] "GET /auth/failure?message=invalid_ticket&strategy=saml HTTP/1.1" 422 444 "https://sso.XXXXXXXglobal.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
 - - [15/Jan/2024:11:47:58 +0000] "GET /assets/error/style.css HTTP/1.1" 200 1498 "https://support-dev.XXXXXXXXXXXXXX.io/auth/failure?message=invalid_ticket&strategy=saml" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
 - - [15/Jan/2024:11:47:58 +0000] "GET /assets/error/firasans-regular-webfont.woff HTTP/1.1" 200 28852 "https://support-dev.XXXXXXXXXXXXXX.io/assets/error/style.css" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
 - - [15/Jan/2024:11:47:58 +0000] "GET /assets/error/error-1.svg HTTP/1.1" 200 2629 "https://support-dev.XXXXXXXXXXXXXX.io/auth/failure?message=invalid_ticket&strategy=saml" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
 - - [15/Jan/2024:11:48:07 +0000] "GET / HTTP/1.1" 200 2878 "-" "kube-probe/1.26+"
 - - [15/Jan/2024:11:48:17 +0000] "GET / HTTP/1.1" 200 2878 "-" "kube-probe/1.26+"
 - - [15/Jan/2024:11:48:27 +0000] "GET / HTTP/1.1" 200 2878 "-" "kube-probe/1.26+"

Hm. I have no idea, sorry.

Docker-based installations log to STDOUT. You're looking for the stdout log output of the railsserver.