Single Sign On

[jaeger13]

Infos:

• Used Zammad version: latest
• Used Zammad installation source: rpm
• Operating system: CentOS 7
• Browser + version: Firefox latest

This is a question regarding Single Sign On. We are using a Microsoft Active Directory in our company and the login works fine with ldap-sync.
Im wondering if SSO would be possible. I already tried to set it up using nginx, but it just won't work :-(

Is there an easy way to do it? Maybe one of you already set up Zammad with SSO? Would be nice if someone has an instruction or some examples how to implement it.

Thank you in advance.

[rkaldung]

Hi @jaeger13,

This is possible of course. But you have to use Apache httpd with mod_auth_kerb, with a config like this:

<LocationMatch "/auth/sso">
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Your Zammad"
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbAuthRealms YOUR.REALM
  KrbLocalUserMapping on
  KrbServiceName HTTP/zammad.your.domain@YOUR.REALM
  Krb5KeyTab /etc/httpd/zammad.keytab
  require valid-user
</LocationMatch>

Depending on the choosen uid attribute (ist sAMAccountName in the example above) it will work out of the box.

And you have to configure Apache as the reverse proxy instead of nginx.

As long as the auth module returns the authenticated username in the environment variable REMOTE_USER or HTTP_REMOTE_USER it is possible to use other modules like auth_mellon etc.

hth, Roy

[jaeger13]

Hey @rkaldung ,

thank you for your fast answer. I will try it with Apache and your instructions :-)
Although i wished there would be a way to do it with nginx :-(

Thanks!

[rkaldung]

Hi @jaeger13,

There is a way with nginx, but without testing at the moment. @martini Your two cents on this?

[scimitar4444]

Hi @rkaldung

Can you describe the way with NGINX? That would also interest me very much. Thanks.

[martini]

Hi @scimitar4444

@rkaldung means an implementation on rails level like https://github.com/jgraichen/omniauth-kerberos - but this need to be implemented in Zammad first. 🤖

-Martin

[rkaldung]

@martini It's always only one commit away 😜

[MenneBakker]

I've been trying to get SSO working using your instructions. However browsing http://myserver.mydom.local/auth/sso is taking me back to the login page . . . am I missing something ?

Trying to use (Stanford) Webauth (and ldap user) results in same error, after successful login in SSO I get the zammad prompt to login.
Using: Ubuntu 16.04; Zammad 2.2.0; Apache, MariaDB; (REMOTE_USER is set by webauth)

@rkaldung do you know sth. new?

Found a workaround:

Problem: The needed module in lib/sso/env.rb is called without the needed request.env from PUMA, so 'REMOTE_USER' is not available.

Workaround:
Add 'REMOTE_USER' from the request.env to ENV in 'zammad/app/controllers/sessions_controller.rb' inside function 'create_sso'

   # export required environment variables for sso
   ENV['REMOTE_USER'] = request.env['REMOTE_USER']
   ENV['HTTP_REMOTE_USER'] = request.env['HTTP_REMOTE_USER']

@martini could this be a problem with a newer version of PUMA?

EDIT: You have to add a corresponding rule for setting the header-field in httpd.conf to get it working:

RequestHeader merge REMOTE_USER %{REMOTE_USER}s

[cohausz]

Edit 2018-01-08:
Everything works now with the workaround from pikachuprof. It was a typo in the /etc/krb5.conf Config.

Infos:
Used Zammad version: latest
Used Zammad installation source: rpm
Operating system: CentOS 7
Browser + version: Firefox latest

Apache Server Config:
<VirtualHost *:443>
    ServerName ***
    ServerAdmin ***

    DocumentRoot "/opt/zammad/public"

    <IfModule !mod_auth_kerb.c>
        LoadModule auth_kerb_module /usr/lib64/httpd/modules/mod_auth_kerb.so
    </IfModule>

    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy localhost:3000>
        Require local
    </Proxy>

    ProxyPass /assets !
    ProxyPass /favicon.ico !
    ProxyPass /robots.txt !
    ProxyPass /ws ws://localhost:6042/
    ProxyPass / http://localhost:3000/

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory "/opt/zammad/public">
        Options FollowSymLinks
        Require all granted
    </Directory>

    <Location "/auth/sso">
        Order allow,deny
        Allow from all

        AuthType Kerberos
        AuthName "Ticketsystem Kerberos Login"
        KrbServiceName HTTP
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        KrbLocalUserMapping off
        KrbSaveCredentials on

        Require valid-user

        # Environment specific: Path to the keytab and the realm
        Krb5Keytab /etc/kerberos.keytab
        KrbAuthRealm ***
    </Location>
        
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/***
    SSLCertificateKeyFile /etc/pki/tls/private/***

    ErrorLog "logs/***-error_log"
    CustomLog "logs/***-access_log" common
</VirtualHost>

When I open https:///auth/sso and "KrbLocalUserMapping on" my browser show the following error:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at admin@ to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.

If I set "KrbLocalUserMapping off" my browser is redirected to https://***/#login

I try to set "RequestHeader merge REMOTE_USER %{REMOTE_USER}s" but nothing changes.

Hope someone can help!

We have added another little workaround:

RewriteEngine   On
RewriteCond     %{HTTP_COOKIE} !^.*zammad_session.*$
RewriteRule     ^/$ https://%{SERVER_NAME}/auth/sso [R,L]

These lines in Apache-config redirect '/' to '/auth/sso' only as long as no zammad cookie is set. This allows redirection to SSO login page without creating an endless loop resulting in 'Internal Server Error'.

[EDVLeer]

I can't seem to get it working. . . apache logs show my username for /auth/sso then my request get redirected to / and my username is gone. . . maybe I made a mistake in editing the create_sso function !? Can someone give me a hint ?