Zammad invalid_ticket SAML Keycloak

  • Used Zammad version: 5.1.x
  • Used Zammad installation type: package
  • Operating system: Ubuntu 20.04
  • Browser + version: Chrome 99
  • nginx, https
    It is the start of a new system.

Expected behavior:

  • Correct operation of the SAML mechanism

Actual behavior:

I am trying to get SAML logging working with Keycloak.
The redirection from zammad to Keycloak is OK.
The login window appears and then a valid ticket is created on the Keycloak side.
From the zammad side I get the message 422 Unprocessable Entity.
In the production.log it looks like this when establishing a session with SAML :

I, [2022-04-07T09:39:10.237809 #915-7440]  INFO -- : Scheduler running...
I, [2022-04-07T09:39:10.252862 #915-7440]  INFO -- : Running job thread for 'Process ticket escalations.' (Ticket.process_escalation) status is: sleep
I, [2022-04-07T09:39:10.253038 #915-7440]  INFO -- : Running job thread for 'Check 'Channel' streams.' (Channel.stream) status is: sleep
I, [2022-04-07T09:39:10.253310 #915-7440]  INFO -- : Running job thread for 'Check channels.' (Channel.fetch) status is: sleep
I, [2022-04-07T09:39:10.253545 #915-7440]  INFO -- : Running job thread for 'Generate 'Session' data.' (Sessions.jobs) status is: sleep
I, [2022-04-07T09:39:10.254968 #915-7440]  INFO -- : Running job thread for 'Execute planned jobs.' (Job.run) status is: sleep
I, [2022-04-07T09:39:10.282184 #915-194940]  INFO -- : execute Stats.generate (try_count 0)...
I, [2022-04-07T09:39:10.349407 #915-182400]  INFO -- :  - no message
I, [2022-04-07T09:39:10.383342 #915-182400]  INFO -- : ended Channel.fetch took: 0.606931176 seconds.
I, [2022-04-07T09:39:11.119370 #915-194940]  INFO -- : ended Stats.generate took: 0.862422148 seconds.
I, [2022-04-07T09:39:12.513166 #915-181480]  INFO -- : 2022-04-07T09:39:12+0200: [Worker(host:rocketchat pid:915)] Job SearchIndexAssociationsJob [da5d78c0-6e4e-4be6-b13a-59b1a7806f0c] from DelayedJob(default) with arguments: ["StatsStore", 1] (id=19298) (queue=default) RUNNING
I, [2022-04-07T09:39:12.896809 #915-181480]  INFO -- : 2022-04-07T09:39:12+0200: [Worker(host:rocketchat pid:915)] Job SearchIndexAssociationsJob [da5d78c0-6e4e-4be6-b13a-59b1a7806f0c] from DelayedJob(default) with arguments: ["StatsStore", 1] (id=19298) (queue=default) COMPLETED after 0.3834
I, [2022-04-07T09:39:17.122456 #910-181760]  INFO -- : Started POST "/auth/saml" for 192.168.XXX.XXX at 2022-04-07 09:39:17 +0200
I, [2022-04-07T09:39:17.146914 #910-181760]  INFO -- : (saml) Request phase initiated.
I, [2022-04-07T09:39:17.942314 #910-180960]  INFO -- : Started POST "/auth/saml/callback" for 192.168.XXX.XXX at 2022-04-07 09:39:17 +0200
I, [2022-04-07T09:39:17.961101 #910-180960]  INFO -- : (saml) Callback phase initiated.
E, [2022-04-07T09:39:18.486720 #910-180960] ERROR -- : (saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Invalid Audience. The audience zammad, did not match the expected audience https://zammad.DOMAIL.COM:4443/auth/saml/metadata
I, [2022-04-07T09:39:18.523561 #910-181180]  INFO -- : Started GET "/auth/failure?message=invalid_ticket&origin=https%3A%2F%2Fzammad.DOMAIL.COM%3A4443%2F&strategy=saml" for 192.168.XXX.XXX at 2022-04-07 09:39:18 +0200
I, [2022-04-07T09:39:18.535943 #910-181180]  INFO -- : Processing by SessionsController#failure_omniauth as HTML
I, [2022-04-07T09:39:18.536062 #910-181180]  INFO -- :   Parameters: {"message"=>"invalid_ticket", "origin"=>"https://zammad.DOMAIL.COM:4443/", "strategy"=>"saml"}
E, [2022-04-07T09:39:18.571243 #910-181180] ERROR -- : Message from saml: invalid_ticket (Exceptions::UnprocessableEntity)
app/controllers/sessions_controller.rb:112:in `failure_omniauth'
app/controllers/application_controller/has_download.rb:21:in `block (4 levels) in <module:HasDownload>'
app/controllers/application_controller/has_download.rb:20:in `block (3 levels) in <module:HasDownload>'
app/controllers/application_controller/has_download.rb:19:in `block (2 levels) in <module:HasDownload>'
app/controllers/application_controller/handles_transitions.rb:16:in `handle_transaction'
I, [2022-04-07T09:39:18.674139 #910-181180]  INFO -- :   Rendering inline template
I, [2022-04-07T09:39:18.676662 #910-181180]  INFO -- :   Rendered inline template (Duration: 2.3ms | Allocations: 277)
I, [2022-04-07T09:39:18.676998 #910-181180]  INFO -- : Completed 422 Unprocessable Entity in 141ms (Views: 10.5ms | ActiveRecord: 2.7ms | Allocations: 3495)

From the Keycloak side, the data for metadata looks correct.


Steps to reproduce the behavior:

Can someone help, or at least suggest how to debug it further?

Can anyone help?

The root of your issue is buried here:
Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Invalid Audience. The audience zammad, did not match the expected audience https://zammad.DOMAIL.COM:4443/auth/saml/metadata

You're using a high port which probably isn't included in your system settings as needed.
https://admin-docs.zammad.org/en/latest/settings/system/base.html
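To make the "Invalid Audience" failure in the log concrete, here is a small Ruby check (added for this thread, not Zammad or ruby-saml code) that parses a SAML Response, collects its Audience values and compares them with the SP entity ID the way the SP-side validation does. It assumes the expected audience is built from the configured scheme and FQDN as https://<fqdn>/auth/saml/metadata, which matches the value in the log above; the SAML Response is a constructed minimal sample, not a capture.

```ruby
require 'rexml/document'

SAML_NS = 'urn:oasis:names:tc:SAML:2.0:assertion'

# SP entity ID that Zammad expects as the assertion audience.
# Assumption: derived from the http_type and fqdn system settings, which is
# consistent with the expected audience printed in the production.log above.
def expected_audience(http_type, fqdn)
  "#{http_type}://#{fqdn}/auth/saml/metadata"
end

# Collect every <saml:Audience> value found in the SAML Response document.
def audiences_in(response_xml)
  doc = REXML::Document.new(response_xml)
  REXML::XPath.match(doc, '//saml:Audience', 'saml' => SAML_NS).map { |e| e.text.to_s.strip }
end

# Mirror the SP-side check: an AudienceRestriction must name this SP's entity
# ID exactly (scheme, host AND port); "zammad" alone or the same URL without
# :4443 is rejected.
def audience_check(response_xml, expected)
  found = audiences_in(response_xml)
  return [true, nil] if found.include?(expected)

  [false, "Invalid Audience. The audience #{found.join(', ')}, did not match the expected audience #{expected}"]
end

# Constructed minimal Response carrying one AudienceRestriction (sample data).
def sample_response(audience)
  <<~XML
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="#{SAML_NS}" ID="_r1" Version="2.0">
      <saml:Assertion ID="_a1" Version="2.0">
        <saml:Issuer>https://keycloak.example.test/realms/demo</saml:Issuer>
        <saml:Conditions>
          <saml:AudienceRestriction>
            <saml:Audience>#{audience}</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
      </saml:Assertion>
    </samlp:Response>
  XML
end

if __FILE__ == $PROGRAM_NAME
  expected = expected_audience('https', 'zammad.DOMAIL.COM:4443')
  ['zammad', 'https://zammad.DOMAIL.COM/auth/saml/metadata', expected].each do |aud|
    ok, reason = audience_check(sample_response(aud), expected)
    puts "audience=#{aud.inspect} -> #{ok ? 'OK' : reason}"
  end
end
```

On the Keycloak side the SAML client's Client ID is what ends up in the Audience element, so it has to equal the SP entity ID exactly, port included, and that entity ID in turn follows from the FQDN and http type in Zammad's system settings.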
